updated 06:11 pm EDT, Tue April 22, 2014
Works on 32-bit devices only for now, takes advantage of same flaws jailbreak uses
As has been predicted for some time, a new malware threat exploits the same flaws in iOS that jailbreaking tools use in order to install itself on older jailbroken iPhones and iPads. The malware, likely to be found in devices where the user has installed third-party customizations, scans for the Apple ID and password of the user, then transmits it to remote servers. Current, 64-bit iOS devices like the iPhone 5s, iPad Air or second-generation iPad mini -- and un-jailbroken iOS devices of all sorts -- appear to be immune so far.
The malware, now dubbed "unflod" after the library that is installed on infected devices (and signed with an Apple Developer signature, though this may have been stolen), can be seen on 32-bit jailbroken iOS devices by opening the SSH/Terminal that is usually installed during the jailbreaking process and searching the path "/Library/MobileSubstrate/DynamicLibraries" for a file called Unflod.dylib. It is unclear if simply deleting that file will permanently remove the malware, since it is possibly hidden inside one of the installed "tweaks" and may be re-downloaded or reinstalled when the suspect tweak is used again.
Security researcher Stefan Esser, who investigated the issue after reports appeared on Reddit about repeated crashes, says the file intercepts the SSLWrite function inside an infected device's security framework and uses that hook to scan outgoing data for strings associated with Apple ID logins, Ars Technica reports. Sophos Labs, which has also analyzed the threat, has received no reports of compromised Apple IDs "in the wild" due to the attack thus far, but victims may not be aware that their ID has been compromised, or may not think to report security issues to the company.
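The manual check described above, written up as a script (an added example, not from the article or the researchers it cites): it looks for the Unflod.dylib file name in the MobileSubstrate directory the article gives and, since the article notes the malware may be hidden inside another tweak, also flags any other extension there that references SSLWrite, the function the malware hooks. The optional directory argument and the reliance on a grep that accepts -a (GNU or BSD) are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: a defender-side check for the
# indicator the article names. It looks in the MobileSubstrate extension
# directory for Unflod.dylib and, because the article says the malware
# may hide inside another tweak, also flags any other extension that
# references SSLWrite, the function the malware hooks. An SSLWrite hit is
# only a lead for manual review; legitimate tweaks can reference it too.
# Assumes a grep that accepts -a (GNU or BSD grep).

# Default path is the one given in the article; a different directory
# (e.g. a copy pulled off the device) can be passed as the first argument.
SCAN_DIR="${1:-/Library/MobileSubstrate/DynamicLibraries}"

# Exit status 0 if the known file name is present in directory $1.
has_unflod() {
    [ -f "$1/Unflod.dylib" ]
}

# Print one line per finding in directory $1; print nothing when clean.
scan_substrate_dir() {
    dir="$1"
    if has_unflod "$dir"; then
        echo "FOUND known indicator: $dir/Unflod.dylib"
    fi
    for f in "$dir"/*.dylib; do
        [ -f "$f" ] || continue            # unmatched glob or non-file
        name=$(basename "$f")
        [ "$name" = "Unflod.dylib" ] && continue   # already reported above
        # -a treats the Mach-O binary as text so the symbol name can match.
        if grep -qa 'SSLWrite' "$f"; then
            echo "REVIEW: $f references SSLWrite"
        fi
    done
}

# Number of findings for directory $1 (0 when nothing is flagged).
suspicious_count() {
    scan_substrate_dir "$1" | awk 'END { print NR }'
}

# Stand-alone use: print the report for SCAN_DIR.
scan_substrate_dir "$SCAN_DIR"
```

A non-empty report means the device should be treated as compromised until the flagged files are accounted for; per the article, deleting the file alone may not be a permanent fix.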
The Mobile Substrate code, which is used by unofficial software to modify and extend iOS into areas specifically set as off-limits by Apple -- for example, a library that circumvents the carrier's own CallerID so that users have some way of seeing what number is calling without paying the carrier to do so -- can just as easily be used, on jailbroken devices, to install malicious software. While the jailbreaking community as a whole has been generally lucky on this front so far, an exploit -- any exploit -- can be used for nefarious or benign injections of code, which is why Apple strongly recommends against jailbreaking phones even though it is legal to do so.
Applications that have hidden functionality, usually designed to get around Apple App Store rules, are well known among jailbreakers. A few have escaped Apple's scrutiny and appeared on the App Store, but almost none of them had any malicious intent. Exploiting software flaws in mobile platforms is worth a lot of money now, notes security researcher Charlie Miller, vastly increasing the temptation to use jailbreak exploits for illicit purposes.
The relative unpopularity of jailbreaking in the iOS community is one of the reasons why the platform enjoys such dramatically lower incidences of malware -- statistically, zero -- compared to Android, which allows a much wider community of unpoliced and unofficial app stores, and unsurprisingly now has 99 percent of all mobile malware directed at it.
Restoring an iOS device infected with "unflod" to its normal, un-jailbroken state is the more permanent fix, Esser reports, since un-jailbroken devices cannot be compromised by the malware. Users do take the risk, however, that future system upgrades will make it even more difficult for their devices to be jailbroken, meaning they keep the security but lose the unofficial tweaks and apps they enjoyed.
Jay Freeman, known as "Saurik" and creator of the primary unofficial app marketplace, Cydia, told Reddit readers that the "probability of this coming from a default [Cydia] repository is fairly low," but added that he doesn't recommend "people go adding random URLs to Cydia and downloading random software from untrusted people any more than I recommend opening the .exe files you receive by email on your desktop computer."