‘Unflod Baby Panda’ Malware Steals iPhone Passwords

‘Unflod Baby Panda’ Malware

Jailbreaking an iOS device is a very common activity nowadays. Users jailbreak to install third-party apps, or apps that are banned from the App Store; put another way, jailbreaking is a way to break the restrictions Apple applies to its operating system. Users see many advantages and feel that a jailbroken iPhone is easier to use. But jailbreaking also has serious disadvantages. Now a piece of malware called Unflod Baby Panda has appeared and is stealing Apple iPhone passwords.

The major disadvantage of a jailbroken iOS device is its security. The protective wall Apple builds around its apps is broken after jailbreaking, which makes the iPhone more vulnerable to hacks and malware. In short, jailbroken iOS devices are less protected against threats.


Security researchers have now produced the clearest example of how insecure a jailbroken iOS device is. Security researcher Stefan Esser recently reported malware on jailbroken devices called ‘Unflod Baby Panda’, which was first noticed by Reddit users. ‘Unflod Baby Panda’ steals Apple IDs and passwords and sends them to servers based in China. It has been found that the malware was developed by Chinese developers.

Unflod Baby Panda

Reddit users have reported crashes in the Cydia application caused by this malware. Unflod Baby Panda lives in a library called Unflod.dylib on the device and only affects jailbroken iOS devices. The malware was found to be legitimately signed with an iPhone developer certificate issued to an individual named WANG XIN.


The security research team at SektionEins said of the malware: “This malware appears to have Chinese origin and comes as a library called Unflod.dylib that hooks into all running processes of jailbroken devices and listens to outgoing SSL. From these connections it tries to steal the device's Apple ID and corresponding passwords and sends them in plaintext to servers with IP addresses in control of US hosting companies for apparently Chinese customers.”

It has also been discovered that the malware uses another name, framework.dylib, for some other functions. The malware infects only 32-bit jailbroken iOS devices; the iPhone 5s, iPad Air and iPad mini 2G are not affected.

How does the Unflod Baby Panda malware work?

The malware comes as a library called Unflod.dylib, installed into the Mobile Substrate extension directory. Mobile Substrate is simply Cydia Substrate, the hooking framework on a jailbroken device. The path of this malware is:

/Library/MobileSubstrate/DynamicLibraries/Unflod.dylib

The malware is legitimately, digitally signed with an iPhone developer certificate. The certificate is registered to an individual named WANG XIN. This person may not actually exist, or the identity may itself be part of the scheme to steal your information.

The malware hooks the SSLWrite function of the Security framework, the call that apps use to encrypt outgoing data, so it sees the data before it is encrypted. It scans the buffer for strings that indicate the presence of the Apple ID and password and sends them in plain text to its servers on port 7878.

This is how the malware works on your jailbroken device.


How To Know The Presence of Unflod Baby Panda Malware?

First, check whether the “Unflod.dylib” file is present in the library path above. If it is, your device is infected.

Another way to check for the malware, given by Stefan Esser, is to run a grep command on your iOS device for the name on the signing certificate. For that, type:

grep -R 'WANG XIN' /Applications/
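The two checks above, the file-presence test and Esser's grep, combined into one POSIX shell script. This is an added example and not code from the article or from SektionEins; it assumes an SSH shell on the jailbroken device with grep available. The library names (Unflod.dylib and framework.dylib), the certificate name and the /Applications/ path are taken from the article; the Mobile Substrate directory is usually written without a space as /Library/MobileSubstrate, so the scan looks in both spellings. Function names are my own.

```shell
#!/bin/sh
# Added example: scan a jailbroken iOS device for the two Unflod Baby Panda
# indicators described in the article. Run as:  sh unflod_check.sh --scan

# Indicator 1: the Mobile Substrate extension itself, under either name the
# article gives. Returns 0 if a suspect library exists in directory $1.
unflod_library_present() {
    for name in Unflod.dylib framework.dylib; do
        if [ -f "$1/$name" ]; then
            echo "INDICATOR: $1/$name present"
            return 0
        fi
    done
    return 1
}

# Indicator 2: Stefan Esser's grep check for the developer-certificate name
# embedded in app binaries. Returns 0 if the string occurs anywhere under $1.
unflod_signer_present() {
    if [ -d "$1" ] && grep -R -q 'WANG XIN' "$1" 2>/dev/null; then
        echo "INDICATOR: signing name 'WANG XIN' found under $1"
        return 0
    fi
    return 1
}

# Combined verdict for one DynamicLibraries directory ($1) and one
# Applications directory ($2): returns 0 when clean, 1 when any indicator fires.
unflod_check() {
    verdict=0
    unflod_library_present "$1" && verdict=1
    unflod_signer_present "$2" && verdict=1
    return $verdict
}

# Whole-device scan: both spellings of the Substrate directory, one grep pass.
scan_device() {
    status=0
    for dir in /Library/MobileSubstrate/DynamicLibraries \
               "/Library/Mobile Substrate/DynamicLibraries"; do
        unflod_library_present "$dir" && status=1
    done
    unflod_signer_present /Applications && status=1
    [ "$status" -eq 0 ] && echo "No Unflod Baby Panda indicators found"
    return $status
}

# Only scan the real device paths when explicitly asked, so the functions can
# also be exercised against constructed test directories.
if [ "${1:-}" = "--scan" ]; then
    scan_device
fi
```

A non-zero exit status means at least one indicator fired and the device should be treated as infected. The grep hit on its own is an indicator to investigate rather than proof: any unrelated file containing the same string would match, and the library check is the direct evidence.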

How do you protect your iPhone from Unflod Baby Panda?

You should delete the Unflod.dylib file so that the malware is removed. Another measure is to change your Apple ID and password, and you can also enable two-step verification.

Another way to remove it is to fully restore the infected device. This removes the jailbreak, but it secures your personal information. You can also install antivirus software on the infected device. Before doing any of this, back up your user data and other files.

Author: Kriti Jain