Malware Has Appeared On The Cydia Store, Here's How You Can Deal With It

April 19, 2014

As far as mobile devices go, Apple's iOS is largely safe from the threat of mobile malware (as Phil Schiller reminded us a few months ago, 99 percent of mobile malware in 2013 appeared on Android devices). It should come as no surprise that jailbreaking an iOS device changes this, however, and now a piece of malware has surfaced on the Cydia Store.

Called Unflod.dylib, it is certainly dangerous: the malware is designed to listen for outgoing connections, and once it recognizes an Apple ID and passcode, it sends the credentials back to the creators of the software in plain text. The malware hasn't appeared in Cydia's default repositories; instead, it seems to have surfaced in a private repository originating in China. Moreover, it has been suggested that the repository in question could be a pirate repository set up to illegally distribute pirated iOS software.

If you haven't added any “questionable” repositories to your iOS device's Cydia application, you're more than likely fine. However, for those concerned, Jay Freeman (@saurik), “father of the Cydia Store,” has provided detailed instructions on both detecting and removing Unflod.dylib from an affected iOS device.

The instructions appeared on Reddit and outline the process in 10 steps:

  1. Use iFile (or another way to access your filesystem) to navigate to /Library/MobileSubstrate/DynamicLibraries/ and check to see if Unflod.dylib and Unflod.plist (or framework.dylib and framework.plist) are in the list of files in that directory. (If you aren't used to navigating the filesystem with iFile: open iFile, tap the back button at top left until you no longer get a back button, and then tap Library, tap MobileSubstrate, tap DynamicLibraries, and scroll down to see if these files are there.) If they exist, continue with the rest of these instructions. If you only see other .dylib and .plist files with other names, you're probably fine. (It's possible for this malware to have other names, but checking for these files is a good basic first step.)
  2. In iFile, tap the blue “i” at the right of the Unflod.dylib or framework.dylib file listing, and scroll down to where it says “Last modification”. Write down the date & time that the file was last modified, and put this info into a new page in your Notes app.
  3. Open up Cydia and install OpenSSH, if you don't have it installed already. Follow these instructions to SSH into your device from your computer, and then follow these instructions to change your root and mobile passwords. (I would like to recommend using MobileTerminal from your device instead, since that's easier, but it doesn't seem to support copy and paste.)
  4. At the command line, preferably as root, paste this command (which is basically a special search command): find /System /Library /usr /private/var -type f -print0 2>/dev/null | sudo xargs -0r grep -EHi "P5KFURM8M8|Unflod"
  5. Tap Return, and wait for several minutes. Don't let the phone go to sleep (or the search may stop), just let the results happen - it'll print out a bunch of messages.
  6. After it stops printing out messages (you can tell because you'll get a command prompt again, or if you don't know what a command prompt looks like, you can just tell because it'll stop printing out messages every few seconds), then select all of the results and copy them.
  7. Paste these results into an email to yourself (or something like that). On your device, copy and paste the results into your Notes page (where you put the “last modification” time in step 2).
  8. Open up iFile (or another way to access your filesystem) and go to /var/lib/cydia/metadata.plist. Open this and copy and paste it into the Notes page. Then select your whole Notes page and copy it.
  9. Open up Cydia and search for Cyntact (or another package by saurik). Tap “Author” at the top of the page, and tap one of the options to email saurik. In this email, change the subject line to “Unflod data”, and then paste your collected info at the top of the email. Paste it carefully so that you don't accidentally delete the log files that Cydia has already automatically attached to the email. Send it!
  10. Use iFile (or another way to access your filesystem) to delete Unflod.dylib and Unflod.plist (and/or framework.dylib and framework.plist) in /Library/MobileSubstrate/DynamicLibraries/ - and reboot your device, and then change your Apple ID password and security questions.
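The following is an added example, not part of saurik's Reddit post or of this article: a small POSIX shell script that folds the detection steps above (1, 2, 4 and 8) into functions so the collected data can be reviewed in one place before it is pasted into Notes. It assumes a shell reached over SSH on the jailbroken device; the root path is a parameter (pass / on the device) so the same code can be run against a copied or constructed tree. File names, directories and the indicator strings are taken from the steps.

```shell
#!/bin/sh
# Added example (not saurik's code): detection steps 1, 2, 4 and 8 as functions.
# Usage on the device, over SSH and preferably as root:  sh unflod_check.sh /

# The two strings saurik's grep command looks for.
INDICATORS='P5KFURM8M8|Unflod'

# Steps 1 and 2: list the known file names in DynamicLibraries with their
# modification times. Output is "name<TAB>mtime"; exit status 0 if any exist.
check_dylibs() {
    dir="$1/Library/MobileSubstrate/DynamicLibraries"
    status=1
    for name in Unflod.dylib Unflod.plist framework.dylib framework.plist; do
        f="$dir/$name"
        [ -f "$f" ] || continue
        # GNU stat (-c) on a desktop copy of the tree, BSD stat (-f) on the device.
        mtime=$(stat -c '%y' "$f" 2>/dev/null || stat -f '%Sm' "$f" 2>/dev/null)
        printf '%s\t%s\n' "$name" "$mtime"
        status=0
    done
    return $status
}

# Step 4: the same find | xargs | grep search as the post, limited to the
# directories it names, printing only the paths of matching files (-l).
grep_indicators() {
    dirs=""
    for d in System Library usr private/var; do
        [ -d "$1/$d" ] && dirs="$dirs $1/$d"
    done
    [ -n "$dirs" ] || return 0
    # $dirs is intentionally unquoted: it holds several space-separated paths.
    # grep exits non-zero when nothing matches; that is a clean result, not an error.
    find $dirs -type f -print0 2>/dev/null | xargs -0r grep -Eil "$INDICATORS" || true
}

# Steps 2, 6 to 8 combined: the text that would go into the Notes page.
unflod_report() {
    echo "== suspect DynamicLibraries entries =="
    check_dylibs "$1" || echo "(none of the known file names present)"
    echo "== files containing indicator strings =="
    grep_indicators "$1"
    echo "== /var/lib/cydia/metadata.plist =="
    cat "$1/var/lib/cydia/metadata.plist" 2>/dev/null || echo "(not found)"
}

if [ "$#" -gt 0 ]; then unflod_report "$1"; fi
```

A hit from grep_indicators or any line from check_dylibs is a reason to continue with steps 9 and 10; an empty report is consistent with step 1's "you're probably fine", with the same caveat that the malware could use other names.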

The same Reddit post also encourages users to contact Freeman directly if they're having trouble executing the above method; information on this can be found at the original thread.


Via: Redmond Pie
