'Unflod' malware stealing Apple ID credentials from jailbroken iOS devices

A new active malware, dubbed 'unflod', has been discovered by some users who say that the bug targets certain files in Apple products and steals Apple ID credentials.

The malware is understood to attack only those jailbroken Apple devices that run on 32-bit versions of iOS. This indicates that iPhone 5s, iPad Air and iPad mini 2G would stay unaffected, as they 64-bit versions of iOS. "There is no ARM 64-bit version of the code in the copy of the library we got [...]This means the malware should never be successful on [the] iPhone 5S/iPad Air or iPad mini 2G," mentioned Stefan Esser, a security researcher for Ars Technica.

Unflod was first mentioned in a couple of Reddit threads (1, 2), in which users complained about how their jailbroken devices have been repeatedly crashing after installing some jailbroken customisations.

However, Esser performed a static analysis on the binary codes of the infected devices mentioned by the Reddit users. As per Esser's blog, the Unflod malware clings to the jailbroken devices' SSLWrite function and runs a scan on the links that include the Apple ID and passwords. After the credentials are discovered, they are transmitted to controlled servers.

As a temporary solution to bypass the malware, Esser recommended users to restore their devices to factory settings. Most users however, would not want to give up their jailbreaks and subsequent tweaks in the process. He also recommended users to change their Apple IDs and passwords.

One of the Reddit users also mentioned that users can delete the Unflod.dylib file by entering the devices' SSH/Terminal, and navigating through Folder > Library > MobileSubstrate > DynamicLibraries. However, Esser says the the bug might appear again after some time, as the source of its emergence is not yet known.