‘AppBuyer’ malware steals Apple IDs and passwords from jailbroken devices


Security research firm Palo Alto Networks reported this weekend on a new piece of iOS malware that affects jailbroken devices. It's called 'AppBuyer,' and it is built to steal a user's Apple ID and password and then use them to purchase apps from the App Store.

It's not clear exactly how AppBuyer is being installed, but Palo Alto Networks says it could arrive in a number of ways, including through a malicious Cydia Substrate tweak or a PC jailbreaking utility. Those infected complain of random apps periodically appearing on their devices.

The program is a Trojan that runs in three stages. First, it downloads and runs an executable (the updatesrv binary listed below) that generates a unique UUID for the device; second, it downloads a Cydia Substrate tweak (the aid.dylib file listed below) that steals the user's Apple ID and password; and third, it downloads a utility that logs in to the App Store with those credentials and buys apps.

What can you do to defend against this? As usual, we recommend staying away from unknown or "shady" repositories, which often carry pirated tweaks. You can also check your device (using iFile, iExplorer or other software) to see whether it contains any of the AppBuyer files:

  • /System/Library/LaunchDaemons/com.archive.plist
  • /bin/updatesrv
  • /tmp/updatesrv.log
  • /etc/uuid
  • /Library/MobileSubstrate/DynamicLibraries/aid.dylib
  • /usr/bin/gzip

One caveat on that last entry: /usr/bin/gzip is also the normal location of the legitimate gzip binary that Cydia installs on most jailbroken devices, so a file at that path proves nothing on its own. The other five paths are not part of a standard jailbreak and are the ones worth treating as real indicators.
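If you have OpenSSH on your device, the check is quicker from a shell than from a file browser. The script below is an added example, not code from Palo Alto Networks or from the original article: it walks the indicator list above, reports any hit, and separately sanity-checks /usr/bin/gzip by making it round-trip a string, since a binary dropped at that path by malware would not be a working gzip. The ROOT variable is an assumption of this example (leave it empty on the device itself, or point it at a mounted copy of the device's root filesystem); the md5sum/md5 fallback and the launchctl hint are likewise this example's suggestions.

```shell
#!/bin/sh
# Added example: check a jailbroken device for the AppBuyer file indicators
# listed in the article. Not part of the Palo Alto Networks report.
# Run on the device over SSH (ROOT empty), or set ROOT to a mounted copy of
# the device's root filesystem.

# Indicator paths copied from the article. /usr/bin/gzip is deliberately kept
# out of this list: the legitimate gzip package lives there on jailbroken
# devices, so its mere presence means nothing. It gets its own check below.
APPBUYER_IOCS="
/System/Library/LaunchDaemons/com.archive.plist
/bin/updatesrv
/tmp/updatesrv.log
/etc/uuid
/Library/MobileSubstrate/DynamicLibraries/aid.dylib
"

# check_appbuyer [ROOT]: print "FOUND: <path>" for each indicator present
# under ROOT. Exit status 0 means none were found, 1 means at least one hit.
check_appbuyer() {
  root="${1:-}"
  hits=0
  for p in $APPBUYER_IOCS; do
    if [ -e "$root$p" ]; then
      echo "FOUND: $p"
      hits=$((hits + 1))
    fi
  done
  [ "$hits" -eq 0 ]
}

# gzip_sanity [ROOT]: a genuine gzip must compress and decompress data.
# Something else parked at /usr/bin/gzip fails this. The checksum is printed
# so it can be compared with the file shipped by the Cydia gzip package.
gzip_sanity() {
  bin="${1:-}/usr/bin/gzip"
  [ -x "$bin" ] || { echo "no executable at $bin"; return 0; }
  echo "checksum of $bin: $(md5sum "$bin" 2>/dev/null || md5 -q "$bin")"
  out=$(printf 'appbuyer-check' | "$bin" -c | "$bin" -dc) || return 1
  [ "$out" = "appbuyer-check" ]
}

# Usage on the device: sh appbuyer_check.sh
if [ "${0##*/}" = "appbuyer_check.sh" ]; then
  check_appbuyer "$ROOT" && echo "no AppBuyer indicators found"
  gzip_sanity "$ROOT" || echo "WARNING: $ROOT/usr/bin/gzip does not behave like gzip"
  # Also worth a look while you are there: launchctl list | grep com.archive
fi
```

As the article notes, finding and deleting these files does not remove whatever installed them, so treat a hit as a reason to change the Apple ID password and review App Store purchases, not as a complete cleanup.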

Palo Alto Networks says that because it has not yet figured out how AppBuyer gets onto devices, deleting these files may not solve the problem completely. It does say, however, that it is working on ways to block the malware, including custom URL, DNS and IPS signatures.

This isn’t the first time we’ve heard of malware making its way onto jailbroken devices. In August we told you about AdThief, a program designed to steal ad impressions, and earlier this year we reported on Unflod, a malicious app designed to steal Apple IDs and passwords.

[Palo Alto Networks via r/jailbreak]