New iOS malware highlights threat to Apple mobile devices

New malware is stealing Apple ID credentials from jailbroken iPhones and iPads, warn security researchers

A newly-discovered malware dubbed  Unflod Baby Panda is stealing Apple ID credentials from jailbroken iPhones and iPads, warn security researchers.

Unflod hooks into the SSLWrite function of an infected device's security framework, according to a blog post by German security firm SektionEins.

The malware is designed to listen for outgoing connections. Once it recognises an Apple ID and password, it sends these unencrypted IDs and passwords to the cyber criminals behind the malware.

The Unflod malware also highlights the risks of installing unknown apps on jailbroken iPhones.

Reports of the malware targeting Apple iOS emerged in posts on reddit by iOS users hit by repeated system crashes after installing iOS customisations that were not part of the official Cydia market.

A developer for the Cydia market, an alternative to the Apple App Store, has responded to news by in a reddit comment, saying that the probability of Unflod coming from a default Cydia repository is fairly low.

More on mobile malware

However, he added: "I don't recommend people go adding random URLs to Cydia and downloading random software from untrusted people any more than I recommend opening the .exe files you receive by email on your desktop computer".

The origin and source of the malware is still unknown, which means no one can yet say which software package from what unofficial repository is likely to initiate an infection, according to security firm Sophos.

The infected file relies on add-on functionality, commonly available on jailbroken devices, known as Cydia Substrate or Mobile Substrate, the firm’s Paul Ducklin wrote in a blog post.

This "substrate" allows users to extend and modify the behaviour of iOS in ways that are deliberately prohibited by Apple on devices that have not been jailbroken.

However, Ducklin said the threat is limited because the malware can affect only jailbroken devices and SophosLabs has not had any report of “in the wild” infections.

“If you haven't jailbroken your iOS device, you don't need to worry.

“If you are a jailbreaker and you have been circumspect in what you choose to install, you probably don't need to worry,” Ducklin wrote.

The malicious code only works only on 32-bit versions of jailbroken iOS devices, according to SektionEins.

There is no ARM 64-bit version of the code, which means the malware should never be successful on the iPhone 5S, iPad Air or iPad mini 2G, the firm told ArsTechnica.

SektionEins recommends that anyone affected by the malware should restore the device and change their Apple ID and password as soon as possible.

Read more on Endpoint security