Unflod Baby Panda, the Chinese malware hit jailbroken iphone

Recently I noted ion the Reddit Jailbreak community discovered a new malware, dubbed ‘Unflod Baby Panda’, affecting some jailbroken Apple iOS devices. A user triggered the alert after noting an unusual activity on his jailbreaked iPhone, as reported by the member of the community Snapchat and Google Hangouts were crashing constantly just after the execution of the jailbreak procedure.

According the members of the communities the Unflod Baby Panda infection was limited to jailbroken Apple iOS devices, the malware was designed to steal victims’ credentials, including the Apple IDs.

The threat affects iPhone iPhone 5 and any other 32-bit jailbroken iOS device handset.

The malware spread through the‘Unfold.dylib’ file, once has stolen the user’s credentials, it sends them to a C&C servers provided by US hosting companies and managed by Chinese customers.

“This malware appears to have Chinese origin and comes as a library called Unflod.dylib that hooks into all running processes of jailbroken devices and listens for outgoing SSL connections. From these connections it tries to steal the device’s Apple-ID and corresponding password and sends them in plaintext to servers with IP addresses in control of US hosting companies for apparently Chinese customers. Users of reddit have made this malware available to the public, which allowed SektionEins to perform an analysis of this threat. However so far only the malware itself has been found and until now it is unknown how it ends up on jailbroken phones. Rumours that Chinese piracy repositories are involved are so far unverified” states a post published by SektionEins security firm which analyzed the malicious agent.

It has been hypothesized that Unflod Baby Panda malware was spread through a Chinese web site which offer iOS software, another interesting aspect of the infection that malicious code is digitally signed with an iPhone developer certificate.

I have found it curious because the Unflod Baby Panda malware infect only jailbroken iPhones and it was not necessary on such hardware to sign the source code for its execution.

Details of the digital certificate used by to sign Unflod Baby Panda malware are reported below.

$ codesign -vvvv -d Unflod.dylib
Executable=./Unflod.dylib
Identifier=com.your.framework
Format=Mach-O thin (armv7)
CodeDirectory v=20100 size=227 flags=0x0(none) hashes=3+5 location=embedded
Hash type=sha1 size=20
CDHash=da792624675e82b3460b426f869fbe718abea3f9
Signature size=4322
Authority=iPhone Developer: WANG XIN (P5KFURM8M8)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=14 Feb 2014 04:32:58
Info.plist=not bound
Sealed Resources=none
Internal requirements count=2 size=484

The the signature date is the 14th of February of this year, probably the Unflod Baby Panda is being around without being discovered in the last months.

The researchers noted that it is possible to manually remove Unflod Baby Panda

• Download the iFile app for free from Cydia and by using iFile, check whether your device is affected by the malicious software or not.
• Navigate to /Library/MobileSubstrate/DynamicLibraries/
• If you spot any files named Unflod.dylib or Unflod.plist and/or framework.dylib and framework.plist then you have been affected.
• Use iFile to delete Unflod.dylib and Unflod.plist and/or framework.dylib and framework.plist
• Reboot your device and then change your Apple ID password and security questions immediately and just to be on safe side, use two-step verification method and avoid installing apps from untrusted sources.