Unflod Baby Panda, the Chinese malware hit jailbroken iphone

April 19, 2014  By Pierluigi Paganini


Unflod Baby Panda is the name of a new mobile malware which is targeting jailbroken versions of Apple iPhone. The threat seems to have China origin.

The number of cyber threats against mobile users is in constant increase, on the other hand bad habits like the practice of jailbreak/root the devices and the lack of defense systems are favoring the diffusion of new families of malicious code.

Recently I noted ion the Reddit Jailbreak community discovered a new malware, dubbed ‘Unflod Baby Panda’, affecting some jailbroken Apple iOS devices. A user triggered the alert after noting an unusual activity on his jailbreaked iPhone, as reported by the member of the community Snapchat and Google Hangouts were crashing constantly just after the execution of the jailbreak procedure.
According the members of the communities the Unflod Baby Panda infection was limited to jailbroken Apple iOS devices, the malware was designed to steal victims’ credentials, including the Apple IDs.
The threat affects iPhone iPhone 5 and any other 32-bit jailbroken iOS device handset.
The malware spread through the‘Unfold.dylib’ file, once has stolen the user’s credentials, it sends them to a C&C servers provided by US hosting companies and managed by Chinese customers.

“This malware appears to have Chinese origin and comes as a library called Unflod.dylib that hooks into all running processes of jailbroken devices and listens for outgoing SSL connections. From these connections it tries to steal the device’s Apple-ID and corresponding password and sends them in plaintext to servers with IP addresses in control of US hosting companies for apparently Chinese customers. Users of reddit have made this malware available to the public, which allowed SektionEins to perform an analysis of this threat. However so far only the malware itself has been found and until now it is unknown how it ends up on jailbroken phones. Rumours that Chinese piracy repositories are involved are so far unverified” states a post published by SektionEins security firm which analyzed the malicious agent.

It has been hypothesized that Unflod Baby Panda malware was spread through a Chinese web site which offer iOS software, another interesting aspect of the infection that malicious code is digitally signed with an iPhone developer certificate.
I have found it curious because the Unflod Baby Panda malware infect only jailbroken iPhones and it was not necessary on such hardware to sign the source code for its execution.
Details of the digital certificate used by to sign Unflod Baby Panda malware are reported below.
$ codesign -vvvv -d Unflod.dylib
Executable=./Unflod.dylib
Identifier=com.your.framework
Format=Mach-O thin (armv7)
CodeDirectory v=20100 size=227 flags=0x0(none) hashes=3+5 location=embedded
Hash type=sha1 size=20
CDHash=da792624675e82b3460b426f869fbe718abea3f9
Signature size=4322
Authority=iPhone Developer: WANG XIN (P5KFURM8M8)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=14 Feb 2014 04:32:58
Info.plist=not bound
Sealed Resources=none
Internal requirements count=2 size=484

The the signature date is the 14th of February of this year, probably the Unflod Baby Panda is being around without being discovered in the last months.

Unflod Baby Panda 2

The researchers noted that it is possible to manually remove Unflod Baby Panda

  • Download the iFile app for free from Cydia and by using iFile, check whether your device is affected by the malicious software or not.
  • Navigate to /Library/MobileSubstrate/DynamicLibraries/
  • If you spot any files named Unflod.dylib or Unflod.plist and/or framework.dylib and framework.plist then you have been affected.
  • Use iFile to delete Unflod.dylib and Unflod.plist and/or framework.dylib and framework.plist
  • Reboot your device and then change your Apple ID password and security questions immediately and just to be on safe side, use two-step verification method and avoid installing apps from untrusted sources.

“We therefore believe that the only safe way of removal is a full restore, which means the removal and loss of the jailbreak,” reported the researchers.

Be aware mobile jailbreak could hide numerous pitfalls.

Pierluigi Paganini

(Security Affairs –  Unflod Baby Panda, iOS)



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

Satellite equipment affected by severe vulnerabilities

 A study conducted by experts at IOActive uncovered a variety of severe vulnerabilities in Satellite equipment widely used...