Baby Panda Goes After Jailbroken Apple iPhones

Like a panda on a mission to seek out all available bamboo, the malware inserts itself into the running processes of jailbroken devices and lifts credentials

The malware, dubbed “Unflod Baby Panda,” first came to light via a comments thread on Reddit.

While details on the malware’s source are somewhat murky still, security firm SektionEins did an analysis of Baby Panda and found it to have likely Chinese origins. In the code, there are “several indicators that a chinese party is involved,” the firm said. “It is however unclear at the moment how the actual malware binaries end up on jailbroken iPhones.”

However, SektionEins was able to partially figure out the anatomy of the threat. Like a panda on a mission to seek out all available bamboo, the malware inserts itself into the running processes of jailbroken devices and lifts credentials. 

“It comes as a library called Unflod.dylib that hooks into all running processes of jailbroken iDevices and listens to outgoing SSL connections,” the firm noted. “From these connections, it tries to steal the device’s Apple ID and corresponding password and sends them in plaintext to servers with IP addresses in control of U.S. hosting companies, for apparently Chinese customers.”

Those with jailbroken phones should look at the /Library/MobileSubstrate/DynamicLibraries/ folder to see if the file “Unflod.dylib” is housed there. If it is, then victims can use iFile to locate the malware files Unflod.dylib and Unflod.plist, then delete them permanently using a file deletion tool like iShredder. A full restore to factory settings will also do the trick.
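The check described above, written as an added shell function rather than anything from the article or SektionEins. It looks in the MobileSubstrate extension directory for the two Unflod files named here; the optional ROOT prefix is an assumption added so the same check can be run against a mounted filesystem image or backup instead of the live device.

```shell
#!/bin/sh
# Added example: report whether the Unflod.dylib / Unflod.plist indicators
# named in the article are present under the MobileSubstrate extension
# directory. Returns 0 when neither file exists, 1 when at least one does.
unflod_check() {
    root="${1:-}"   # assumed optional prefix, e.g. a mounted image
    dir="$root/Library/MobileSubstrate/DynamicLibraries"
    found=0
    for name in Unflod.dylib Unflod.plist; do
        if [ -e "$dir/$name" ]; then
            echo "INDICATOR FOUND: $dir/$name"
            found=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "No Unflod files under $dir"
    fi
    return "$found"
}

# Usage on the device itself (no prefix): unflod_check
# Usage against a mounted image:         unflod_check /mnt/idevice
```

A non-zero exit status means the files are present and the removal steps above apply.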

Affected users should also, of course, change their Apple ID passwords and enable two-step verification.
