Jailbroken Apple devices are apparently vulnerable to a piece of malware named after the library it installs on infected devices. Ars Technica spotted a couple of Reddit threads and a blog post from security researcher Stefan Esser, who ran a static analysis on code that Reddit users had isolated on their own devices.
How the new malware targets Apple devices
According to Esser, the unflod library hooks the device's SSLWrite function, the point at which outgoing application data is handed to the TLS layer, so the hook sees the data in plaintext before it is encrypted and sent to Apple's servers. The library inspects that data for strings matching the user's Apple ID and password. Whenever it finds those credentials, it also transmits them to servers controlled by the malware's author.
Reddit readers said users can check whether a device is infected by opening an SSH session or terminal on it and looking in the folder /Library/MobileSubstrate/DynamicLibraries. On an infected device that folder contains the file Unflod.dylib. According to Ars Technica, a compromised device can be cleaned by deleting that dynamic library. However, no one yet knows how the malware got onto the devices in the first place, so it is unknown whether the file will reappear.
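One way to script the check described above, as an added example that is not from the article, the Reddit threads or Esser's analysis: it inventories the DynamicLibraries folder, records a hash of every dylib so a reappearing or altered file can be spotted on a later run, and returns a non-zero status when Unflod.dylib is present. It assumes a POSIX shell and sha256sum on the device (for example from the Cydia coreutils package); the optional first argument is a root to prefix the path with, so the same functions can be pointed at a mounted copy of the filesystem instead of the live device.

```shell
#!/bin/sh
# Added example, not code from the article or from Esser's analysis.
# Inventory /Library/MobileSubstrate/DynamicLibraries on a jailbroken iOS
# device and flag the Unflod.dylib file named in the article.
# Assumptions: POSIX sh; sha256sum available (e.g. Cydia coreutils); the
# optional argument is a root to prefix the path with (e.g. a mounted copy).

LIBDIR="/Library/MobileSubstrate/DynamicLibraries"

# Returns 0 when no Unflod.dylib is present, 1 when it is, 2 when the
# directory does not exist (not a jailbroken device, or the wrong root).
unflod_check() {
    root="${1:-}"
    dir="$root$LIBDIR"
    if [ ! -d "$dir" ]; then
        echo "no MobileSubstrate DynamicLibraries directory under '${root:-/}'" >&2
        return 2
    fi
    found=0
    for lib in "$dir"/*.dylib; do
        [ -e "$lib" ] || continue            # the glob matched nothing
        # Hash every dylib so a later run can show what changed or reappeared.
        sum=$(sha256sum "$lib" 2>/dev/null | cut -d' ' -f1)
        case "${lib##*/}" in
            Unflod.dylib) echo "INFECTED ${sum:-no-hash} $lib"; found=1 ;;
            *)            echo "present  ${sum:-no-hash} $lib" ;;
        esac
    done
    return $found
}

# Delete the library, the cleanup step Ars Technica describes. Returns 0 when
# the file was removed, 1 when there was nothing to remove.
unflod_remove() {
    root="${1:-}"
    lib="$root$LIBDIR/Unflod.dylib"
    [ -e "$lib" ] || return 1
    rm -f "$lib" && echo "removed $lib; change the Apple ID password and consider a restore"
}

# Usage on the device over SSH:  unflod_check && echo clean
# Against a mounted copy:        unflod_check /mnt/iphone
```

Keep the output of the first run; because the infection vector is unknown, re-running the inventory after a day or two and comparing hashes is the only way to tell whether the file came back.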
How to get rid of unflod
Esser therefore recommends that affected users restore their devices, which unfortunately means losing the jailbreak until a new one is released. He does not expect most jailbreak users to do so. iOS users who find that their devices have been compromised are advised to change their Apple ID password as soon as possible.
Not all Apple devices vulnerable
Esser told Ars Technica that the code appears to work only on jailbroken 32-bit iOS devices: the version of the library he analysed contained no 64-bit ARM build. As a result, he said, the malware should not work on the iPhone 5S, the iPad Air or the iPad Mini 2G.