IOS_UNFLOD.A

 Analysis by: Lambert Sun

 PLATFORM:

iOS

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes


  TECHNICAL DETAILS

NOTES:

This malware is introduced when users install third-party applications in Cydia. However, only jailbroken devices are infected by this threat.

It uses Mobile Substrate to modify system behavior on jailbroken iOS devices.

It hooks the SSLWrite function when loaded and initialized.

Mobile Substrate is the framework that allows 3rd-party developers to provide run-time patches to system functions. It is available on almost all jailbroken devices.

The Unflod library hooks the SSLWrite function used when sending encrypted data over a secure connection. This means that the malware gets to see the confidential data before it is encrypted for transmission.

The information it steals, includes AppleID account and password of users.

Users can manually remove it by deleting /Library/MobileSubstrate/DynamicLibraries/Unflod.dylib on their devices.