Unfold Baby Panda, a Malware Discovered on Jailbroken iOS devices

Attempts to hack personal data and information are quite common these days. As with the same issue, recently the Reddit members have discovered a new kind of malicious software on jailbroken iOS devices. The malware is nicknamed “Unflod Baby Panda” based on the name of the library called unflod.dylib that’s installed on infected devices.

A Reddit user triggered the alert after noticing an unusual activity on iOS device which caused some apps such as Snapchat and Google Hangout to crash repeatedly just after the execution of the jailbreak procedure.

Unfold Baby PandaThe Reddit community wa not only successful in isolating the malware, but also made public its source code. The code was carefully analysed by security researchers of SektionEins.

According to Stefan Esser a researcher at German Security firm SektionEins, the malware listens to outgoing SSL connections on the infected devices and tries to steal Apple users’ ID credentials. The stolen credentials are then sent in plain text to, which appears to be a Chinese website from the error message it reports. Hence the malware appears to have Chinese Origin. Also the malware is signed with an iPhone developer certificate, which is registered in the name Wang Xin.

To know more about how the malware works read the firm’s blog post.

Esser said the malware works only on 32-bit versions of jailbroken iOS devices.

To check out if your iOS device is infected by the malware, poen the SSH/Terminal and check the folder /Library/MobileSubstrate/DynamicLibraries for the presence of the Unflod.dylib file.

Alternatively, Esser suggests users to run a grep command on their systems to check if they’re infected.

“grep –R ‘Wang Xin’ /Applications/”

If you spot the dynamic library on your device, then you delete it without giving a second thought and change your Apple ID password, and enable two-step verification.

The unfold campaign, which was also analyzed by researchers from antivirus provider Sophos, states the risks involved with installing repositories from unreliable sources. It is so far unclear of how the malicious app is installed in the first place.

“That is why we recommend to restore the device,” Esser told Ars. “However, that means people will lose their jailbreak until a new one is released and the majority of jailbreak users will not do that.”

The signature date on the malware is February 14, so the malware has gone unnoticed for about two months. If you need to know more details about removing the malicious file from your phone, please check this reddit thread.

“I will also again take this moment to point out to anyone concerned that the probability of this coming from a default [Cydia] repository is fairly low,” Cydia developer Jay Freeman, aka Saurik, wrote in one reddit comment. “I don’t recommend people go adding random URLs to Cydia and downloading random software from untrusted people any more than I recommend opening the .exe files you receive by email on your desktop computer.”