Lock Saver Free Trojan ModMyi

Talk about bad timing. Just after I posted about how jailbreaking was relatively safe, here comes news of a trojan that slipped through ModMyi’s review process.

Lock Saver Free, the tweak in question, is one that we featured in our new tweaks of the week video last night. It was published by developer dmarinov, and is unfortunately still available for download on ModMyi as of this post.

Needless to say, it’s highly recommended that you avoid Lock Saver Free at all costs. I actually had it installed on my test iPhone, and confirmed that it did indeed embed a trojan in my /Library/MobileSubstrate/DynamicLibraries/ directory.

If you installed Lock Saver Free, you should immediately uninstall the tweak and navigate to /Library/MobileSubstrate/DynamicLibraries/ and delete the two offending files: Service.dylib and Service.plist. Even if you uninstall the tweak, it will still leave those two files behind, so you’ll have to manually delete them.

As developer Allan Kerr explains, because the tweak downloaded Service.dylib at runtime, it made /Library/MobileSubstrate/DynamicLibraries/ writable by all users. The directory should have the permissions 755, but this tweak changes them to 777, which means it is writable by all users and groups.

The permissions for /Library/MobileSubstrate/DynamicLibraries/ should be changed back to 755 to prevent processes from adding files to this directory.

[Screenshot: iFile showing the DynamicLibraries directory with permissions 0755]

Use iFile to ensure your DynamicLibraries directory is set to 755 like above
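The checks behind the cleanup steps above, as an added shell example that is not from the original article: it only reports, flagging a world-writable directory and listing the two named files plus the targets of any that are symlinks (commenters below report that these entries are symlinks). The function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the original article: report-only audit.
SUBSTRATE_DIR="${SUBSTRATE_DIR:-/Library/MobileSubstrate/DynamicLibraries}"
SUSPECT_FILES="Service.dylib Service.plist"   # names given in the article

# Status 0 if the directory is writable by "other" (e.g. mode 777).
is_world_writable() {
    [ -n "$(find "$1" -prune -type d -perm -002 2>/dev/null)" ]
}

# Prints every path that needs manual deletion: each suspect entry and,
# when the entry is a symlink, the file it points to.
list_leftovers() {
    dir=$1
    for name in $SUSPECT_FILES; do
        entry="$dir/$name"
        # -L also catches a symlink whose target is already gone.
        if [ -e "$entry" ] || [ -L "$entry" ]; then
            echo "$entry"
            if [ -L "$entry" ]; then
                target=$(readlink "$entry")
                case $target in
                    /*) ;;                        # absolute target
                    *) target="$dir/$target" ;;   # relative to the directory
                esac
                if [ -e "$target" ]; then echo "$target"; fi
            fi
        fi
    done
}

# Full report: returns 0 when clean, 1 when something needs fixing.
audit() {
    dir=${1:-$SUBSTRATE_DIR}
    rc=0
    if is_world_writable "$dir"; then
        echo "WORLD-WRITABLE: $dir (expected 755; fix: chmod 755 \"$dir\")"
        rc=1
    fi
    leftovers=$(list_leftovers "$dir")
    if [ -n "$leftovers" ]; then
        echo "LEFTOVER FILES (delete manually):"
        echo "$leftovers"
        rc=1
    fi
    return $rc
}

# Run against the real directory only when it exists (i.e. on the device).
if [ -d "$SUBSTRATE_DIR" ]; then audit "$SUBSTRATE_DIR"; fi
```

Run it as root over SSH or in a terminal on the device; a clean device prints nothing and exits with status 0.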

I personally confirmed that the trojan looked to try to hijack Google ads, most likely with the aim of padding the offender’s ad revenue. It linked to a site with a TLD assigned to the country of Bulgaria, and contained Bulgarian text.

It’s very rare for a tweak like this to slip through the cracks, and it’s very surprising that ModMyi still has not removed the offending tweak. I’ve only seen this a handful of times in the 5+ years I’ve been jailbreaking. It’s unfortunate, especially given the timing, but it is what it is.

At any rate, if you happened to download this package, you’ll need to take the steps outlined above to remove the trojan.

What do you think? We’ll have more information about this issue as it becomes available.

  • Dylan33x

    something didn’t seem right about the tweak, and although it was appealing, i resisted installing it. Glad i did!

    • nyangejr

      Me too, I read the description then just pass it on, powersaver is still fine with me

  • Bugs Bunnay

    I think all is fine.

  • MunnySwirl

    This has to be a first?

    • RarestName

      Have you not heard of Unflod?

      • Mr_Coldharbour

        But wasn’t Unflod “Baby Panda” a different kind of malware? What this Trojan found embedded within this tweak seems to do is just steal potential ad revenue from Google, whereas Unflod caused many apps to crash and also stole Apple ID credentials (IDs and passwords). If anything this is more similar to the “AdThief” malware of late 2014 (early 2015?) which also hijacked ad revenue on jailbroken devices.

  • Very sad that there are people like this.

  • Harris Rap

    Does it affect the paid version also?

  • Zzyzxd

    The developer submitted free version and paid version with two different accounts. I am wondering when will ModMyi pull the free version? Will they do anything to the paid version if it is clean?

    • Anonymous

      If the dev is gonna pull something shady like this why would you even keep the paid version? Plus you can check using iFile.

  • DopamineAddicted

    Awesome the way you stay on top of these things. Great job

  • Sheyenne

    Is there any way to know if you already have tweaks with viruses etc.? I didn’t even know this was possible

    • 5723alex .

      Everything is possible with a JB iOS.
      You can check your installed apps with Bitdefender’s Clueful app.

  • Tim Liu

    The files in DynamicLibraries are actually shortcut links to the actual files in /var/mobile/Library/Preferences/
    Delete those two files as well.

  • Blip dude

    So sorta side-topic question: If I decide to restore to factory settings, will that also get rid of the Trojan, or will it somehow get left behind as well??

    • Shingo

      as long as u do not restore from backup its ok

    • Chris

      Now that Cydia Impactor is here, I would recommend you use that as it will remove _everything_ from your device.

  • tunutsaigon

    After reading the description of this tweak days ago, I immediately thought why install it when Activator can do that? So Activator + Rubik = Best combo ever… 😉

  • :D

    Someone should come up with some antivirus / virus scanner software for iDevices

  • Mr_Coldharbour

    Glad I didn’t install this tweak, not that I needed to anyway. But this trojan, aside from hijacking potential ad revenue that Google was due to make, how does this affect the user who installed this tweak? What are the negative side-effects? Any instability, key-logging, etc.? According to the article, the only loser in this is Google, and so long as this doesn’t affect the end-user, all is well. But still don’t install the tweak.

  • Dharam

    I installed it just to try it, didn’t really think it was that great so uninstalled it soon after and I don’t have the service files stated above and my permissions are still set to 755 so does that mean my phone is fine?

  • Manuel Molina

    After reading this, I started wondering if there’s other tweaks out there that are like that. Has anyone emailed anyone on cydia to get the shit taken down?

    • Andy Copeland

      Cydia doesn’t host anything itself, think of it as a web browser. You wouldn’t contact Google Chrome because Facebook was showing porn videos. It is all handled by the individual repos, which control what is hosted and what is not.

  • Kyle Matthews

    (We’re removing this now!)

    • Manuel Molina

      Does this include the paid one as well? I do see the free one is completely removed.

    • Mr_Coldharbour

      The paid version is still on Cydia’s BigBoss repo. I guess Optimo doesn’t care.

  • nonchalont

    Thanks for the update Jeff. I won’t be installing that tweak.

  • Guy

    So glad I never installed it

  • Mark S

    Great job catching and reporting on this. Can’t catch these fast enough.

  • The_Kingfish

    Lock Saver Free removed from modmyi repo. Paid version is still on BigBoss. Does the paid version have the trojan too? Maybe someone can grab it from one of the “other” repos (you know which ones) and take a look at it and report back. That way the dev who gave us a trojan can have both of his tweaks pulled.

    • Mr_Coldharbour

      Still on BigBoss repo, checked a minute ago.

  • This Guy

    Ok so the guy is trying to get revenue from ads…besides that… does it actually do something bad? Can you not just change the permissions and leave it at that?

  • A’s Network

    No, it was unflod, not unfold.

  • Pokie Peaches

    I actually downloaded the tweak and uninstalled it after reading this post.
    And yeah it did make /Library/MobileSubstrate/DynamicLibraries/ writeable to all users and groups. Dunno what that means but I’m guessing it’s bad. So I followed the steps to change it.

  • Mr_Coldharbour

    Not a virus, there are no iPhone “viruses”, it’s a malware. There’s a distinction between the two.

    • I actually don’t know the difference so don’t judge me

      • Mr_Coldharbour

        Not judging you, don’t take offence to it. A virus can be designed to destroy data and systems through the replication of malicious code. Whereas a malware can be designed to steal information and data. This is the most simplistic explanation. Again, I wasn’t judging, relax.

      • Well thanks for explaining that 🙂

      • Mr_Coldharbour

        No worries mate, glad I could help.

  • Anthony

    So happy i don’t even use this tweak so i’m good

  • Jason Douglas Haas

    Can you make a tutorial for this? I can’t find the directory in iFile.

  • mav3rick

    /Library/MobileSubstrate/DynamicLibraries/Service.dylib, Service.plist
    are only the symlinks.

    Files to be deleted, too, are:
    /var/mobile/Library/Preferences/Service.dylib, Service.plist

  • That Guy In The Corner

    This tweak actually broke 4g on my phone
    Even restoring didn’t fix it until I could use iOS 8
    I already knew to steer clear of this piece of shit

  • Revvin4Se7en

    Lawl how about the cracked version?