Home screen jailbreak theme status bar

Security research firm Palo Alto Networks reported this weekend on a new piece of iOS malware that affects jailbroken devices. It's called ‘AppBuyer,’ and it is built to steal a user's Apple ID and password and then use them to buy apps from the App Store.

It's not clear exactly how AppBuyer is being installed, but the firm says it could arrive in a number of ways, including through a malicious Cydia Substrate tweak or a PC jailbreaking utility. Those infected complain of random apps periodically appearing on their devices.

The program is a Trojan that carries out three actions. First, it downloads a native executable (not a Windows EXE) that generates a unique identifier (UUID) for the device; second, it downloads a Cydia Substrate tweak that steals the user's Apple ID and password; and third, it downloads a utility that logs in to the App Store with the stolen credentials and buys apps.

What can you do to defend against this? As usual, we recommend staying away from unknown or “shady” repositories, which often carry pirated tweaks. You can also check your device (using iFile, iExplorer or other software) for the files AppBuyer drops:

  • /System/Library/LaunchDaemons/com.archive.plist
  • /bin/updatesrv
  • /tmp/updatesrv.log
  • /etc/uuid
  • /Library/MobileSubstrate/DynamicLibraries/aid.dylib
  • /usr/bin/gzip
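A scripted version of that file check, added here as an example; it is not code from the original post or from Palo Alto Networks' write-up. It takes the six paths listed above exactly as given. The optional ROOT argument is an assumption of this example (the post does not describe it): it lets you point the script at a mounted copy of the device's root filesystem instead of the live one. A second helper compares /usr/bin/gzip with /bin/gzip when both exist, because the listed path only matters if it holds something other than an ordinary gzip binary; that comparison needs cmp, which is also assumed to be available. Run it on the device over SSH or in MobileTerminal:

```shell
#!/bin/sh
# Added example: scan a jailbroken iOS filesystem for the AppBuyer file
# indicators listed in the post above. Not code from the original post or
# from Palo Alto Networks' report.
#
# Usage: sh check_appbuyer.sh [ROOT]
#   ROOT is optional (an assumption of this example): a mount point holding
#   a copy of the device's root filesystem. Omit it to scan the live device.

# The six paths exactly as listed in the post.
APPBUYER_PATHS="
/System/Library/LaunchDaemons/com.archive.plist
/bin/updatesrv
/tmp/updatesrv.log
/etc/uuid
/Library/MobileSubstrate/DynamicLibraries/aid.dylib
/usr/bin/gzip
"

# check_appbuyer ROOT
# Prints every indicator present under ROOT. Returns 0 if none were found,
# 1 if at least one was.
check_appbuyer() {
    root="${1:-}"
    found=0
    for p in $APPBUYER_PATHS; do
        if [ -e "$root$p" ]; then
            echo "FOUND: $p"
            found=1
        fi
    done
    return $found
}

# gzip_mismatch ROOT
# /usr/bin/gzip only matters if it is not an ordinary gzip binary. When a
# second copy exists at /bin/gzip, compare the two byte for byte (cmp from
# diffutils is assumed to be installed).
# Returns 0 if identical, 1 if they differ, 2 if there is nothing to compare.
gzip_mismatch() {
    root="${1:-}"
    a="$root/bin/gzip"
    b="$root/usr/bin/gzip"
    [ -e "$a" ] && [ -e "$b" ] || return 2
    if cmp -s "$a" "$b"; then
        return 0
    fi
    return 1
}

main() {
    root="${1:-}"
    if check_appbuyer "$root"; then
        echo "No AppBuyer indicators under '${root:-/}'."
    else
        echo "AppBuyer indicators present under '${root:-/}'."
        echo "Deleting them may not be enough if the installer is still present."
    fi
    gzip_mismatch "$root"
    if [ $? -eq 1 ]; then
        echo "NOTE: /usr/bin/gzip differs from /bin/gzip; inspect it before trusting it."
    fi
    return 0
}

main "$@"
```

A hit from this script is a reason to read Palo Alto Networks' report and look at what else is installed, not a confirmation on its own: a legitimate package could place a file at one of these paths, and a clean result only covers the six indicators known so far.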

Palo Alto Networks says that since it hasn't figured out how AppBuyer gets onto devices, deleting these files may not remove the infection completely: whatever installed them could still be present and do so again. It does say, however, that it is working on ways to block the malware, including custom URL, DNS and IPS signatures.

This isn’t the first time we’ve heard of malware making its way onto jailbroken devices. In August we told you about AdThief, a program designed to steal ad impressions, and earlier this year we reported on Unflod, a malicious app designed to steal Apple IDs and passwords.

[Palo Alto Networks via r/jailbreak]

  • I knew this was coming one day, good thing I stay away from pirated apps and tweaks. Thanks for the heads up.

    • Der Faust

      yep
      :)…. always the right plan 🙂

    • vergilvsdant

      always support the developer

      • Will proudly do that if the software is priced right (which most Cydia tweaks are), when there’s a quick and easy way to return unsatisfying stuff, and the developer always has great customer service. If either of the above is missing, will proudly pirate it and will buy it if it’s satisfying and priced right…

      • BoardDWorld

I don’t believe you need to pirate to try. On a few occasions (voice translation apps, for example) I haven’t liked it or felt it was more than a gimmick. I just went to my purchase history and applied for a refund in iTunes. I have been refunded on 4 apps, never been told that I couldn’t get a refund. Just a reply to say I have been refunded. In regards to trying before buying, iOS is so popular that you can just bring up a YouTube video on virtually any app to get a good feel for its interface and function & check out their ratings on iTunes.

      • I’ve come across dozens of apps that had great user ratings and blog reviews (including the ones here on iDB) yet were BS to me, one being the Avengers, which was yet another freemium BS. I prefer to have my questions/concerns answered by the devs and do the testing myself.

        If that isn’t doable, then screw the dev. Software is already of low value to me (work once, sell it hundreds of times) compared to hardware (work once, sell it once). Combining that low value with terrible customer service will not be supported by me.

    • BoardDWorld

      There are occasions that it is sort of acceptable. I really needed an app Dynolicious Classic, it disappeared from the app store sometime in the last 3 weeks. It’s likely the devs dropped it because they want to force their more expensive Dynolicious Fusion which is extremely buggy & doesn’t support 3GS. I need to use it on 3GS because the iphone/app is being placed in extreme conditions. Anyway time to check out the 3GS, thanks for the heads up iDB

Edit: Can it do this if you’ve changed your root & user password?

  • Der Faust

    just stay away from the shadows and you’ll be fine 🙂

  • R4

    Time for someone to step up and make an antivirus? Probably. But this could easily be avoided by not pirating. Now how do they reduce piracy? By adding more ways to pay in Cydia. Eg, by adding Paysafecard even a 10 year old could just walk to a corner shop and buy a code which will let him or her buy 5 tweaks. And then there are crypto currencies to consider.

  • Jonathan

    I don’t have a single pirated tweak/app, so I’m not the least bit worried.

    • Same here. I didn’t even bother checking if I was affected.

      • Light

        Not even out of curiosity? Lol

      • CAS

I don’t have any pirate repos or tweaks (I left that a long time ago) but I still check just for security

      • shar

that is called a false sense of security, especially since the people who found this still don’t know its origins (that could also mean they might have observed it in devices without shady tweaks). It is always better to be safe than sorry, though I don’t know what constitutes being safe in this case.

  • QP

Demo apps, or a way to test them before buying, that’s the key to avoiding jb.

  • jgr627

    Another nasty image for those that jailbrake. #LongLiveStockiOS

    • regkilla

      No.

    • Cristian Bustillo

      Stop

    • ✯Mike✯

      That was absurd

    • Brian May

      But here you are, on a primarily jailbreak news related site. Were you waiting for this just so you could say that? #LongLivePeopleWhoCanSpell. Back to iMore you go

      • jgr627

So I misspelled one word, crucify me. That still doesn’t take away from the fact that a stock iOS is more secure than an iOS that is running Cydia. You mad or nah?

      • Donovan

        More secure, less fun.

    • ins0mniac1

      What’s a “jailbrake”?

      • jgr627

        Jailbrake, jailbroke, jail brake or jail broke? What’s a ins0mniac1?

      • Brian Brown

        lol

  • Nex

    Glad to know that I couldn’t find those files!

  • Jonathan

    Piracy people are gonna paaaayyyyy…literally.

  • Warmachine69

I don’t get the point of “shady” repos if you can just download the real deb file off the internet

    • Brian Brown

But where? I’ve only gotten a status bar tweak from off a dev’s site

  • Eikast

    Speak of the irony. Pirates having things purchased on their behalf. Karma is a b****

    • jack

ppl have been enjoying free paid apps and free IAP for years… I don’t think your karma BS will ever pay off

    • White Michael Jackson

      LMAO i have been pirating since the iphone 3gs, still haven’t “paid” for it. Karma is my friend.

  • JayWill

It always has to be one bad apple! (No pun intended) #getalife

  • Rowan09

This is why Apple doesn’t allow jailbreaking, my friends. I love jailbreaking, but it’s always at the user’s own risk. Damn it, I hate when people do things like this.

    • I wouldn’t mind not having a jailbroken device if I could customize it to my liking. Unfortunately we can only do it after the Jailbreak.

      • Rowan09

        All I need is safari upload enabler, iFile, unlimtones and I’m good to go.

      • blu

        and you find those where?
        That is the point, apple does not allow some things that users want, and Jailbreaking allows it. You will always have those that take a good thing and ruin it.

      • Rowan09

        I’m for jailbreaking. I’m just naming things I would like for me to not care for jailbreaking as much. If Apple added these things, I will not need to jailbreak my phone.

      • blu

        gotcha.
        Apple is slowly adding jailbreak items, but some things I don’t think they will allow (like iFile).

      • truth

        f.lux…

Look it up if you don’t have it anywhere.

      • Rowan09

        What are you talking about? I have my phone jailbroken with these tweaks.

      • Guest

        Stock iOS is garbage. I’m with you.

  • Every company has their own faults, but IMO after the years of repairing them I still see it as Apple’s design stands out the most as being great inside and out. Although I’m not a fan of the limited stock OS, I know they keep it that way for a reason.

  • CS

I only use well-known BigBoss packages so I’m fine. As for jailbreaking, the only real reason I still do it is so I can save snapchats easily and the stock app sizes are just way too big for me. App icons look smaller on the new iPhone 6 compared to other iPhones, and there are apps on the App Store that make it sort of easy to save snaps. So I’m really running out of reasons to jailbreak, especially with all the security issues that come with jb.

  • Adithya Sairam

    Gzip should be safe…

    • Keith S.

      It’s normally installed to /bin, however. This is probably one of very few tweaks that installs it here instead (probably an oversight)

      • Brian Brown

        Oh okay, I saw that file in /usr/bin and didn’t know what to think lol

  • CAS

    I’m safe, phew.

  • jack

    “steals” so we can’t use it anymore ?

  • Matt

    Well I got only 7 cents left in there xD so they won’t be buying anything.. But I don’t pirate my tweaks… So I think I’m set, but I’ll check to be 110%
    Thanks for the info.

  • Renz

Don’t see the point. I pirate all my shiit and I don’t even have any credit details on my Apple ID. I use App Addict or something if I need a paid app. XSellize and insanelyi are fine. Although xsellize seems to be dead these days.

  • n0ahcruz3

    I wont jailbreak my i6 anymore but i’ll probably buy itouch 5gen for jailbreaking purposes and goodies ;P

  • Marcus

    My iPhone 5s hasn’t been infected with Unflod, AdThief, or AppBuyer 😀 I’m so glad that I buy my tweaks and don’t pirate anything.

  • Brian Brown

What about the file “gpg-zip” in /usr/bin/?

Or is that customarily a part of my device?

  • HamptonWalley

It is better not to jailbreak the devices anymore. I’m especially thinking of the new iPhone 6 phones, which will even contain our credit card information too.

  • White Michael Jackson

More than half of my tweaks are pirated and I don’t even see these files.

  • Kurt

    I’m clean.

  • Yuri Medeiros

    Does anyone know what’s the wifi theme/tweak used in the picture?

  • Diego

What theme is that? I like it, can you please tell me?