Baby Panda Malware Stealing Apple IDs And Passwords [Jailbreak]

A baby panda jailbreaking. Just because.

A baby panda jailbreaking. Just because.

A new malware campaign targetting users of jailbroken iOS devices has been discovered by reddit users.

Called “Unflod Baby Panda,” the malware hooks into all running processes of jailbroken devices and tries to steal their Apple ID and corresponding password.

Security firm SektionEins had the following to say about the malware:

[It] appears to have Chinese origin and comes as a library called Unflod.dylib that hooks into all running processes of jailbroken iDevices and listens to outgoing SSL connections.

From these connections it tries to steal the device’s Apple-ID and corresponding password and sends them in plaintext to servers with IP addresses in control of US hosting companies for apparently Chinese customers.

To detect the infection, users can navigate to /Library/MobileSubstrate/DynamicLibraries/ and check to see if the file “Unflod.dylib” exists within this folder. If it does, this confirms that your device is infected with malware.

To remove it users should locate the malware files Unflod.dylib and Unflod.plist using iFile. These can then be deleted manually using a permanent file deletion tool like iShredder.

Affected users should then change their Apple ID password and enable two-step verification. If you’re unsure about any secondary infections due to the malware, perform a full restore to remove all existing threats from your iOS device.

Further advice can be found by visiting this reddit thread.

Note: if you haven’t jailbroken your iOS device, you have nothing to worry about.

  • digitaldumdum

    Thanks for posting this here. Thankfully, the “unflod.dylib” infection is minor. Due to the malware having been installed via software hosted only from one or two questionable jailbreak sources, probably very few jailbreakers are affected. It’s also very easy to spot and remove the offending malware, as you’ve pointed out. Fortunately, reddit has a very active jailbreak discussion community, and things like this cannot long survive the light of day.

  • Portnoys Compliment

    Wouldn’t it be way better to hack the malware by first locking the malware from accepting new commands (so your hack cannot be undone). Then altering the hacked malware to send out garbage data that appears legit to the crooks for tracking purposes to locate and ID the criminals.
    Finally have the malware create an endless stream of data which is not tied to any account so we crash the heck out of any already existing criminal databases.

    • PMB01

      Which would only be great if you had unlimited data. Out the criminals and stick it to the wireless companies! But seriously, if you want to send an “endless stream of data”, you better not have a cheap, limited data plan!

  • Portnoys Compliment

    I was pondering making an extension for Firefox called “Cookie Vomit” which would take advertising tracking cookies and fill the fields with randomized data, changing them every 10 minutes. It would also at random time spans (5 to 19 minutes) rewrite deliberately broken cookie data fields (too big or too small) in the advertisers tracking cookies. In this way we reduce the malignant advertisers databases into corrupt garbage that mere Cookie Blocking techniques do not.

  • tornacious

    Why no mention of the source of the malware? Surely it’s important to warn folks about the app(s) that infect your iDevice?

About the author

Luke DormehlLuke Dormehl is a UK-based journalist and author, with a background working in documentary film for Channel 4 and the BBC. He is the author of The Formula: How Algorithms Solve All Our Problems, And Create More and The Apple Revolution, both published by Penguin/Random House. His tech writing has also appeared in Wired, Fast Company, Techmeme, and other publications. He'd like you a lot if you followed him on Twitter.

(sorry, you need Javascript to see this e-mail address)| Read more posts by .

Posted in News | Tagged: , |