Users on a jailbreak subreddit have discovered a new kind of malicious software on iOS phones. The malware, which comes as a library called unfold.dylib, was uncovered after a Reddit user complained of crashes in Google Hangout and Snapchat.
The threat, which has been nicknamed “unflod baby panda,” is rumored to be of Chinese origin. There are several factors that support this theory. According to German mobile security firm SektionEins, the infection is digitally signed with an iPhone developer certificate under the name Wang Xin. Also, the malware, which steals the Apple ID and password of users, sends the information in plain text to 18.104.22.168, which appears to be a Chinese website from the error message it displays. However, these could all be fake. SektionEins even raised the possibility of certificate theft. So for now, no one knows where the malware came from and how it got into iOS devices.
The malware only affects jailbroken iPhones. It hooks into all the running processes of affected devices and listens to outgoing SSL connections. The infection also comes as unfold.plist and framework.dylib.
“Currently the jailbreak community believes that deleting the Unflod.dylib/framework.dylib binary and changing the Apple ID password afterwards is enough to recover from this attack. However, it is still unknown how the dynamic library ends up on the device in the first place and therefore it is also unknown if it comes with additional malware gifts,” SektionEins said.
“We therefore believe that the only safe way of removal is a full restore, which means the removal and loss of the jailbreak.”
The signature date on the malware is February 14, so the threat may have gone undetected for about two months. If you need a step-by-step guide for removing the malicious file from your phone, Reddit user SaurikIT has provided detailed instructions here.