The number of cyber threats against mobile users is constantly increasing, and bad habits such as jailbreaking or rooting devices and running them without any defensive software are helping new families of malicious code to spread.
“This malware appears to have Chinese origin and comes as a library called Unflod.dylib that hooks into all running processes of jailbroken devices and listens for outgoing SSL connections. From these connections it tries to steal the device’s Apple-ID and corresponding password and sends them in plaintext to servers with IP addresses in control of US hosting companies for apparently Chinese customers. Users of reddit have made this malware available to the public, which allowed SektionEins to perform an analysis of this threat. However so far only the malware itself has been found and until now it is unknown how it ends up on jailbroken phones. Rumours that Chinese piracy repositories are involved are so far unverified,” states a post published by the security firm SektionEins, which analyzed the malicious agent.
$ codesign -vvvv -d Unflod.dylib
Executable=./Unflod.dylib
Identifier=com.your.framework
Format=Mach-O thin (armv7)
CodeDirectory v=20100 size=227 flags=0x0(none) hashes=3+5 location=embedded
Hash type=sha1 size=20
CDHash=da792624675e82b3460b426f869fbe718abea3f9
Signature size=4322
Authority=iPhone Developer: WANG XIN (P5KFURM8M8)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=14 Feb 2014 04:32:58
Info.plist=not bound
Sealed Resources=none
Internal requirements count=2 size=484
The signature date is the 14th of February of this year, so Unflod Baby Panda has probably been circulating undetected for months.
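The codesign listing above carries two usable indicators: the CDHash, which identifies this exact binary, and the leaf signing identity, which would survive a recompiled build signed with the same developer certificate. The following is an added example (not SektionEins' tooling, and not code from the original post) that parses `codesign -vvvv -d` output into fields and matches it against those two indicators; the sample output embedded in it is the listing quoted in the article, re-flowed one field per line, and the `check_file` helper that shells out to `codesign` is an assumption for use on a Mac where the dylib has been copied off the device.

```python
"""Match a `codesign -vvvv -d` listing against the Unflod indicators.

Added example, not SektionEins' code. Indicators are the CDHash and the
leaf signer from the codesign output quoted in the article.
"""
import subprocess
from typing import Dict, List

# Indicators taken verbatim from the codesign output quoted in the article.
UNFLOD_CDHASH = "da792624675e82b3460b426f869fbe718abea3f9"
UNFLOD_SIGNER = "iPhone Developer: WANG XIN (P5KFURM8M8)"

# The article's codesign listing, one field per line (constructed from the page).
SAMPLE_CODESIGN_OUTPUT = """\
Executable=./Unflod.dylib
Identifier=com.your.framework
Format=Mach-O thin (armv7)
CodeDirectory v=20100 size=227 flags=0x0(none) hashes=3+5 location=embedded
Hash type=sha1 size=20
CDHash=da792624675e82b3460b426f869fbe718abea3f9
Signature size=4322
Authority=iPhone Developer: WANG XIN (P5KFURM8M8)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=14 Feb 2014 04:32:58
Info.plist=not bound
Sealed Resources=none
Internal requirements count=2 size=484
"""


def parse_codesign(output: str) -> Dict[str, List[str]]:
    """Turn codesign's `Key=value` lines into a dict of lists.

    Keys such as Authority repeat (leaf certificate first, root CA last), so
    every key maps to a list in order of appearance. Lines without '=' are
    ignored; lines like `CodeDirectory v=20100 size=227` are split on the
    first '=' only, which is enough for the fields we match on.
    """
    fields: Dict[str, List[str]] = {}
    for line in output.splitlines():
        line = line.strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def match_unflod(fields: Dict[str, List[str]]) -> List[str]:
    """Return the names of the Unflod indicators this signature matches.

    "cdhash" is the strong indicator: the CDHash changes if a single byte of
    the signed code changes. "signer" is weaker (the same developer
    certificate could sign other builds) but survives a rebuild of the
    library, so it is reported separately rather than folded into one verdict.
    """
    hits: List[str] = []
    cdhash = fields.get("CDHash", [""])[0].lower()
    if cdhash == UNFLOD_CDHASH:
        hits.append("cdhash")
    authorities = fields.get("Authority", [])
    if authorities and authorities[0] == UNFLOD_SIGNER:
        hits.append("signer")
    return hits


def check_file(path: str) -> List[str]:
    """Run codesign on a Mach-O file copied to a Mac and match its signature.

    Assumption: `codesign` is on PATH (macOS). `codesign -d` writes the
    listing to stderr, so both streams are captured and parsed together.
    """
    proc = subprocess.run(
        ["codesign", "-vvvv", "-d", path],
        capture_output=True, text=True, check=False,
    )
    return match_unflod(parse_codesign(proc.stderr + proc.stdout))


if __name__ == "__main__":
    hits = match_unflod(parse_codesign(SAMPLE_CODESIGN_OUTPUT))
    print("Unflod indicators matched:", ", ".join(hits) or "none")
```

A jailbroken device has no `codesign` binary, so the intended workflow is to copy suspect libraries off the device and run `check_file` on a Mac; a `cdhash` hit is conclusive for the sample SektionEins analyzed, while a `signer`-only hit means a different binary signed with the same certificate and deserves manual inspection.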
The researchers noted that the library can be removed manually, but since it is still unknown how it ends up on jailbroken phones, they do not consider manual removal sufficient.
“We therefore believe that the only safe way of removal is a full restore, which means the removal and loss of the jailbreak,” reported the researchers.