DylibSearch is a new jailbreak app that helps you quickly check to see if you have any known malicious tweaks, like KeyRaider, installed on your device. It does so by scanning the contents of the .dylib files contained in the filesystem’s MobileSubstrate directory.

By checking for known strings contained in malicious files, DylibSearch can quickly tell you if your iPhone is infected, or if it has a clean bill of health. This open source tweak is available by means of a special third-party repo, which you’ll find inside of this post.

DylibSearch

To install DylibSearch, add the following repo to your Cydia sources:

http://wolfposd.github.io/

After adding the repo, perform a search for DylibSearch, or simply open the repo folder to locate the package directly. After installing DylibSearch, you’ll find a new app icon on your Home screen.

Launch the DylibSearch app, and you’ll see a screen that lists all of the .dylib files found in /Library/MobileSubstrate/DynamicLibraries. Files that have a clean bill of health will have a green check mark next to the name, while infected files will stick out like a sore thumb with a red ‘x’ icon.

DylibSearch will help you identify bad files, but it won’t actually remove them. To remove them, you’ll need to use an app like iFile to navigate to the DynamicLibraries folder and delete the files manually.

The recent KeyRaider attack is one of those that DylibSearch can identify. As you can see from the open source project on GitHub, DylibSearch looks for the following strings in your DynamicLibraries directory:

  • wushidou
  • gotoip4
  • bamu
  • getHanzi

These strings are known to appear in the malicious Cydia Substrate tweaks. There are other ways to identify bad jailbreak tweaks, such as running a recursive grep search at the command line, but it really doesn’t get any easier than this tweak.
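The string check described above, written as the recursive grep the article mentions. This is an added example, not DylibSearch's own code; the function names `scan_dylibs` and `demo` and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which .dylib files contain the strings listed in the article.

# scan_dylibs DIR
#   Prints "FLAGGED <file> <strings found>" or "CLEAN <file>" per .dylib.
#   Returns 0 if nothing matched, 1 if any file matched, 2 if DIR is not a directory.
scan_dylibs() {
    dir=$1
    [ -d "$dir" ] || { echo "ERROR: not a directory: $dir" >&2; return 2; }
    report=$(
        find "$dir" -type f -name '*.dylib' | sort | while IFS= read -r f; do
            # -a: search binary data as text, -o: print only the match,
            # -F: fixed strings (the four indicators come from the article).
            hits=$(LC_ALL=C grep -aoF -e wushidou -e gotoip4 -e bamu \
                       -e getHanzi "$f" | sort -u | tr '\n' ' ')
            if [ -n "$hits" ]; then
                echo "FLAGGED $f ${hits% }"
            else
                echo "CLEAN $f"
            fi
        done
    )
    if [ -n "$report" ]; then printf '%s\n' "$report"; fi
    if printf '%s\n' "$report" | grep -q '^FLAGGED '; then return 1; fi
    return 0
}

# demo: run the scan over two constructed files (not real tweaks).
demo() {
    d=$(mktemp -d)
    printf '\317\372\355\376\000benign_symbol\000' > "$d/Clean.dylib"
    printf '\317\372\355\376\000getHanzi\000\000wushidou\000' > "$d/Bad.dylib"
    rc=0
    scan_dylibs "$d" || rc=$?
    rm -rf "$d"
    return "$rc"
}

# Usage: sh scan.sh /Library/MobileSubstrate/DynamicLibraries
if [ "$#" -gt 0 ]; then scan_dylibs "$1"; fi
```

A match is a substring hit, so a short string such as `bamu` can also occur in an unrelated binary; treat a FLAGGED line as a reason to inspect the file.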

Although the chance that you’ve been infected is slim to none if you live outside of China and you’ve never downloaded shady jailbreak tweaks, this is a good tool for quickly identifying a potential infection, and it’ll probably grow as it’s fleshed out with additional search strings.

Be sure to share your thoughts on DylibSearch in the comments below.

  • Lemerio P.

    Good tip. Thanks Jeff

  • emmanuel fernandez

    Installed, but I don’t see it on my home screen, even after multiple resprings. come to think of it, iFile isn’t even showing up! Can anyone help?

    • Chris

      Try reinstalling Cydia Substrate, that should hopefully fix it.

      • emmanuel fernandez

        hmm, not working. Cydia keeps crashing. Put into safe mode and reinstalled from there, resprung, nothing changed 🙁

      • Saadarshad

        thanks

      • josher

        I still can’t get it to show up. I don’t have app sync installed and tried reinstalling cydia substrate.

      • emmanuel fernandez

        No app sync, but do you have app sync unified from Karen Pinnaples repo? I had that, removed it, worked!

    • port87

      I’ve noticed that appsync unified has been the culprit of this. try removing and see how your springboard looks after.

      • emmanuel fernandez

        Bro, that was it! I uninstalled Karen’s Appsync Unified, resprung, and lo and behold, there’s iFile and everything else! Thanks!

  • Danial Hakim

    thanks

  • Saadarshad

    Thanks jeff.

  • Tylor Jackson

    Thanks Jeff! 😀 I just checked, green, everything is fine for me

  • MikeIsTheTruth

    Thanks Jeff! Just checked and all green lights here.

  • nfinite

    thanks, everything safe for me..

  • Mr_Coldharbour

    Launched the app and it immediately came all with green checkmarks. Is this so fast that it’s instantaneous? Is it supposed to scan for a little while first? Because mine came all green immediately

    • Wolf Posd

      yeah, it’s actually reaaally fast. as most dylib files are only a few kilobytes in size, the search is performed while the app is starting

      – the developer

      • Mr_Coldharbour

        I see. Thanks for the feedback, much appreciated!

  • belfastbiker

    How do we know THIS isn’t a malicious tweak?

    • Hi

      Because it’s open source? If there was anything malicious in it someone would have seen it.

      • Chris

        Yep, I went through it the second this post was published, I didn’t find anything to suggest anything malicious was going on.

      • mrgerbik

        I agree but if you think about it, your reasoning is faulty

      • Hi

        I am not saying that because it’s open source this guarantees that there is nothing malicious about it. But if there was anything it would be found out quickly. If that’s not what you are getting at could you please explain?

    • Patrick Sweeney

      Because it’s on an anonymous 3rd party repo…wait, that’s how the problem started in the first place!

  • Hi

    Nice all green!

  • besrate hogsa

    This was helpful

  • Jamie Howle

    I can’t even get as far as finishing adding the Repo, during “updating sources” it stalls every time and times out eventually, anyone else having this issue? Don’t know if another tweak is interfering. Thanks

  • :D

    Plot twist: DylibSearch plants a malicious file

    • Chris

      Considering the code is available for everyone to see, I highly doubt that.

      • :D

        Haha I was only kidding 😀

    • M2

      I got the joke.

  • Craig

    WAEnhancer has a Red Cross, is a delete and empty trash in file enough or should I be worried ?

  • Disqus

    So…avoid sketchy repos if you want to avoid malicious tweaks like this, but go ahead and load this sketchy repo to check for malicious tweaks. Just because Jeff Benjamin says THIS one is ok, doesn’t mean it’s true. What if this tweak is worse than the other thing?

    • Drapnel

      my thoughts. i plan on waiting for some feedback or taking the other action suggested in the article

    • Mr_Coldharbour

      Have you not read a word anyone has said in the comments? The tweak is OPEN-SOURCE. Meaning, the code is OPEN to the public to REVIEW and AUDIT. So if something was wrong with it, someone would spot it! I trust that this clears things up.

      • abhorred

        Yes a source code is available. But are you sure the tweak you just ran, was compiled from that source code?

        Did you compile and audit the tweak binaries? Likely assume someone already did that just like EVERYBODY else.

        That is the fallacy of OPEN-SOURCE, most people assume someone already did the hard work of auditing for them.

    • Chris

      If you did any kind of checking you would find the compiled source is the same file size as the download on Cydia, download Xcode and check for yourself and don’t be ignorant.

  • Disqus

    All green! Thanks!