A new malware targeting jailbroken devices has been discovered by Reddit users. While very little is known about the malware itself, Cydia creator saurik has released instructions on how to find out if your jailbroken device has been affected.
According to Reddit user minilover11, the purpose of "Unflod" is to steal Apple IDs and passwords. German security consulting firm SektionEins also took a look at the problem and this is what they found:
"This malware appears to have Chinese origin and comes as a library called Unflod.dylib that hooks into all running processes of jailbroken iDevices and listens to outgoing SSL connections. From these connections it tries to steal the device’s Apple-ID and corresponding password and sends them in plaintext to servers with IP addresses in control of US hosting companies for apparently Chinese customers."
Unflod seems to be affecting devices that downloaded something from a "non-default repository" aka pirate repos. You should still check your device even if you did not install any pirated repos because it is unclear exactly where the malware is coming from.
Here's how to check if you've been affected by Unflod, according to saurik:
1. You will need a way to access your filesystem. Saurik suggests using iFile. You can download the iFile app for free from Cydia.
2. Navigate to /Library/MobileSubstrate/DynamicLibraries/
3. If you see any files named Unflod.dylib or Unflod.plist then you have been affected.
To delete the file navigate to /Library/MobileSubstrate/DynamicLibraries/Unflod.dylib. However, it is unknown if this is the only place the Unflod malware has been installed so removing these files may not solve the problem. The best way to protect your device is to totally restore it, but of course this will cause you to loose your jailbreak.
You can read more about Unflod here.