Unflod malware

We often praise iOS as a very secure platform, and this is mostly true, as many studies have confirmed over the years. But sometimes it is not the platform that is responsible for a lack of security; it is the user.

The perfect illustration of this is when you jailbreak your device. By gaining root access to your iPhone or iPad, you step outside of Apple’s walled garden: code no longer has to pass Apple’s signing checks to run, so a package from any repository you add can drop files onto your device, including libraries that load into every running app, without your knowledge.

As a jailbreaker myself, I am very well aware of the risks, but I do not mind them because the benefits usually far outweigh the drawbacks, and I assume most jailbreak users feel the same.

This being said, a new malware called Unflod has been targeting jailbroken devices for a few weeks. While there is still a lot we don’t know about Unflod, the little information we have about it is enough to raise concerns…

The first mention of Unflod appeared on Reddit yesterday. After having many of his apps crash on his iPhone, Reddit user tdvx started disabling MobileSubstrate extensions and re-enabling them until he was able to single out a potential culprit: Unflod.dylib.

What is Unflod?

After looking a little more into it, Reddit user minilover11 found troubling evidence that Unflod carries all the signs of malware: it captures your Apple ID and password and sends them to a remote server. He explains:

After using both Hopper and IDA (although I am by no means very good at reading assembly or intermediate code), Unflod.dylib seems to override the function “SSLWrite” and captures appleId and password and their data from the raw plist data in SSL connections to Apple’s authentication server (/WebObjects/MZFinance.woa/wa/authenticate) and sends them to 23.88.10.4 (a Chinese site it seems, from the error message it displays, not bashing china or anything, just based off the text the website returns).

German security consulting firm SektionEins took to its blog and shared more findings about Unflod.

This malware appears to have Chinese origin and comes as a library called Unflod.dylib that hooks into all running processes of jailbroken iDevices and listens to outgoing SSL connections. From these connections it tries to steal the device’s Apple-ID and corresponding password and sends them in plaintext to servers with IP addresses in control of US hosting companies for apparently Chinese customers.

Although the source of the malware hasn’t been traced yet, it seems to be correlated with the installation of what I like to call “shady” repos (i.e. pirate repos). So if you’ve installed some of these repos that distribute pirated tweaks, you could have been infected (cough cough).

How to know if you’ve been affected by Unflod

The best way to find out if you’ve been affected is to use iFile and navigate to /Library/MobileSubstrate/DynamicLibraries/. Note that this is the /Library folder at the root of the filesystem, not /var/mobile/Library, so if iFile opens in your user folder, navigate up to / first. If you see a file named Unflod.dylib, then you are carrying this malware on your device. Not seeing it is less conclusive: a copy installed under a different file name would not be caught by this check, and the file name alone says nothing about other components.

How to remove Unflod

The quick and easy way to remove Unflod is to navigate to /Library/MobileSubstrate/DynamicLibraries/Unflod.dylib, delete the file, and reboot: the library is loaded into every running process, and deleting the file does not unload it from processes that are already running. But as the folks at SektionEins note, deleting the Unflod dynamic library might not be enough, as we’re not sure yet whether more malware files were installed.

At the end of the day, the best thing to do to make sure you remove all potentially harmful files from your device is to restore in iTunes, which would ultimately lead to the loss of your jailbreak.
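The check and the cleanup described above, as an added shell example for anyone who would rather do this over SSH than in iFile. This is not code from the original post or from SektionEins. It assumes OpenSSH and GNU grep are installed from Cydia, and that the authentication endpoint and the 23.88.10.4 address quoted above appear as literal strings inside the library; the analyses quoted here name them but do not say they are stored unobfuscated, so a clean string scan is not proof that nothing is there. The alternative file name framework.dylib comes from a reader comment and is unverified. The sample directory the script builds when the real one is absent is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): scan MobileSubstrate's
# DynamicLibraries directory for Unflod, quarantine hits instead of deleting
# them, and exercise the logic against a constructed sample directory.

# Path from the post: /Library at the root of the filesystem, not
# /var/mobile/Library. Override with SUBSTRATE_DIR when testing elsewhere.
SUBSTRATE_DIR="${SUBSTRATE_DIR:-/Library/MobileSubstrate/DynamicLibraries}"

# Indicators from the post: the library's file name, the iTunes authentication
# endpoint it watches, and the address it sends credentials to.
# framework.dylib was reported by a commenter; treat it as unverified.
IOC_NAMES="Unflod.dylib framework.dylib"
IOC_STRINGS="/WebObjects/MZFinance.woa/wa/authenticate 23.88.10.4"

# scan_dir DIR: print "NAME <file>" or "STRING <file> (<ioc>)" for each hit.
# Returns 0 when clean, 1 when something was found, 2 when DIR is missing.
scan_dir() {
    dir=$1
    found=0
    if [ ! -d "$dir" ]; then
        echo "scan_dir: no such directory: $dir" >&2
        return 2
    fi
    for f in "$dir"/*.dylib; do
        [ -e "$f" ] || continue          # glob matched nothing
        base=$(basename "$f")
        for n in $IOC_NAMES; do
            if [ "$base" = "$n" ]; then
                echo "NAME   $f"
                found=1
                continue 2               # next file
            fi
        done
        # A renamed copy keeps its strings (assumption: they are not obfuscated).
        for s in $IOC_STRINGS; do
            if grep -aqF -- "$s" "$f"; then
                echo "STRING $f ($s)"
                found=1
                break
            fi
        done
    done
    return $found
}

# quarantine_file FILE QDIR: move the library out of Substrate's load path and
# strip its permissions. Keeping a copy lets you hand it to whoever is
# analysing the sample instead of destroying the evidence.
quarantine_file() {
    mkdir -p "$2" && mv "$1" "$2/" && chmod 000 "$2/$(basename "$1")"
}

# make_sample_dir: constructed stand-in for the Substrate directory so the
# scanner can be tried without a jailbroken device. Prints the path.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'harmless SpringBoard tweak\n' > "$d/Clean.dylib"
    printf 'fake Unflod body\n' > "$d/Unflod.dylib"
    printf 'POST /WebObjects/MZFinance.woa/wa/authenticate\n23.88.10.4\n' \
        > "$d/Renamed.dylib"
    echo "$d"
}

# Stand-alone run: scan the real directory if present, otherwise the sample.
if [ -d "$SUBSTRATE_DIR" ]; then
    target=$SUBSTRATE_DIR
else
    target=$(make_sample_dir)
fi
if scan_dir "$target"; then
    echo "clean: $target"
else
    echo "suspicious libraries found in $target; move them aside with:"
    echo "  quarantine_file /path/to/file /var/root/quarantine"
fi
```

Run it as root over SSH on the device; after quarantining anything it reports, reboot so that no process keeps the old library mapped, and then change the Apple ID password as described below. A clean result from this script is a reason to look further, not a reason to stop.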

Change your Apple ID password now

If you have been affected, you should definitely follow the steps above to delete Unflod and then change your Apple ID password, which you should assume has been compromised: the library sends it off the device in plaintext, so anyone who can read that traffic has it as well. Do this from a device you trust rather than from the infected one. Setting up two-step verification is a good idea too.

Help figure out what Unflod is

Cydia Community Manager Britta has posted detailed instructions about how you can help Saurik figure out what Unflod is, where it’s from, etc… Find these instructions here.

More information

For more information, you may refer to the following posts:

Have you been affected by Unflod? As always, please make sure to share your findings here in the comments section.

  • felip

Apps crashing, not finding Unflod or the other file name listed… can’t even get into my Photos app. Damn.

  • Donovan

    I love the (cough cough) hyperlink to Karma on wiki xD

    • YoloSwagDaddyMaster

      haha me too

  • Mohsin

Is there any way we can check/delete this malware using iFunBox?

  • Victor

    can i use Semi Restore?

  • Guest

    Well iOS is still safe. It’s jailbreaking. I support jailbreaking as much as the next guy, but let’s not make this sound like it’s an iOS vulnerability. It’s a jailbreak vulnerability, since stock iOS devices are fine.

  • Ismail ‘marco’ Azeem

    can someone confirm this?

  • messifcb710

Hi, can someone please help me, because I would gladly appreciate it. My iPod touch 5th generation doesn’t seem to have the MobileSubstrate or even Cydia Substrate file when I go to var/mobile/library to find it. I have been noticing crashes on my apps frequently for no reason, such as Snapchat. Please reply as soon as possible, anyone.

    Thank you.

  • Rick Hart

No MobileSubstrate folder, any help?

  • dnice

I don’t have a MobileSubstrate folder in my Library folder. Any ideas?

    • There’s more than one Library folder. Make sure you go to the very first folder.

  • Ishaan Malhotra

Don’t download the new tweak on Cydia that lets you save screenshots in a separate album. Stuck on bootloop. Goodbye jailbreak

    • If you can get into safe mode delete the tweak

      • Ishaan Malhotra

        Wish I could.

    • disqusted

Thanks for the warning, I had the old version. Opened Cydia and there was an update for it. I immediately uninstalled the one already there and did not update. I hope it’s gone. It resprings fine but didn’t restart fully. Am I ok?

      • Ishaan Malhotra

        Yup!

    • tstsr6

      Did the volume up button thing not work?

      • Ishaan Malhotra

By the time I got to know about that method, I was already on 7.1. Only 8% battery left when the bootloop thing happened, so had to hurry. I want my old setup back

    • McBobson

      You should use semi-restore

      • Ishaan Malhotra

That doesn’t work when you’re stuck on bootloop

      • McBobson

        Oh ok, I didn’t know

  • Ishaan Malhotra

    Any progress on 7.1 JB?

  • nfinite

Thanks for the news.. My device is safe btw..

  • Guest

    ummm what if i don’t have the folder MobileSubstrate in iFile list? It goes from Library/MobileInstallation to Library/MusicLibrary….

I don’t and have never used any pirate repos, so I don’t think I should be too concerned, but you never know. Any suggestions???

    • Lance Baker

      Open iFile and hit the home icon on the bottom. Check the top left corner and navigate all the way back to the / directory. Then look for library from there.

  • Blip dude

    Don’t know if this has been mentioned or actually works but: Would malicious files still stay on the phone if one were to use Semi-restore or such??

  • ♋JULY 17♋

    Just looked in my iFile, I don’t have it.
    Good looks guys

  • Niclas

    May be called “framework.dylib” also.
    PS. Doesn’t show up in cydia, only in filesystem.

  • YoloSwagDaddyMaster

    lol he misspelled unflod

  • jack

Damn Chinese

  • disqusted

Mine is free of Unflod but it’s infested with genial herpes. Is that ok? Oh wait thas me uh ohh. How you patch genial herpes for person? Anyone have fix??

  • Eli aka Mr. Haha

I’m clean. I’m running just the stock repos though. Never bothered adding anything else. Plus I support developers 😀

  • Shan

Thank God… Am not affected.. Gr8 work IDB.. for giving this heads-up….

  • Rick Hart

Still can’t find the MobileSubstrate folder. Any ideas?


  • Al3in

Also be careful and change your SSH root user password, because it’s easier for hackers to access your iDevice if the password is not changed.

I just changed mine, and I only install genuine tweaks.

  • Sergey Filatov

Anybody figured out how Unflod can be delivered to our devices? Untrusted Cydia repos, malware sites…?

    • McBobson

      Untrusted repos

  • Guest

    fsa

  • More information link “Not Found”