The malware only works on certain jailbroken devices

Apr 22, 2014 08:31 GMT

A piece of malware dubbed “Unflod.dylib” or “framework.dylib” has been attempting to steal the Apple ID credentials of iPad and iPhone owners. The campaign has been named “Unflod Baby Panda,” and it’s believed to have been launched by Chinese actors.

This is another reminder that Apple devices, particularly jailbroken ones, are not 100% secure.

Reddit users first reported seeing the malware around 4 days ago, when their Apple devices started crashing.

German security researcher Stefan Esser explains that the threat is distributed as a library called Unflod.dylib or framework.dylib. When it’s installed on an iPhone or an iPad, it hooks into all processes in an effort to listen to outgoing SSL connections.

It appears that the attackers are targeting Apple usernames and passwords, which are sent back to some remote servers. The servers in question are owned by US hosting firms, but they’ve been rented by Chinese customers.

The language used in the malicious code indicates that Unflod has been developed by Chinese programmers. It’s believed that the threat is being distributed via Chinese piracy repositories, but this hasn’t been confirmed yet.

It’s worth noting that the malware only affects jailbroken devices. Furthermore, Esser has told Ars Technica that only phones and tablets running the 32-bit version of iOS are impacted. The Trojan should not work on iPhone 5s, iPad mini 2G or iPad Air.

After analyzing the malicious library, Esser has determined that the malware is signed with a developer certificate issued by Apple for an individual named Wang Xin.

“This person might be a fake persona, the victim of certificate theft or really involved. It is impossible for us to know, but Apple should be able to investigate from this information and terminate that developer account,” Esser noted in a blog post.

“Furthermore the signature date is the 14th of February of this year, which hints at this threat being around for a short while now without being discovered.”

Russian security company Dr. Web was the first to detect the threat (IPhoneOS.PWS.Stealer.1). Around 14 hours ago, at the time of the last VirusTotal report, 15 of 50 antivirus engines detected the Trojan, including AVG, Bitdefender, ESET, Emsisoft, F-Secure, Sophos, Trend Micro and GData.

This means that if you have an antivirus solution installed, it might be able to detect the threat. While some experts have determined that the malware can be removed by deleting the Unflod.dylib (framework.dylib) binary, Esser believes that this isn’t guaranteed to work.

That’s because it’s still uncertain how the malware ends up on Apple devices and it could be bundled with additional threats. The best way to ensure that the threat is removed is to fully restore the infected devices, but this means the jailbreak is lost.

Of course, those whose devices are infected should immediately change their Apple passwords.