New iOS malware with a funky name: "Unflod Baby Panda"

Filed Under: Apple, Featured, iOS, Malware

You may have heard mention, over the past few days, of some curiously-named new iOS malware.

You'll hear it called Unflod, because of the name of the file in which it was found, as well as Baby Panda.

The company that refers to it as Baby Panda offers a possible explanation for the name "Unflod," suggesting a deliberate misspelling of a non-malicious utility known as "Unfold."

The reason for the name Baby Panda, however, remains a mystery.

The good news is you aren't very likely to come across it.

Firstly, the malicious file can only affect jailbroken devices, and SophosLabs hasn't had any reports of "in the wild" infections yet.

Secondly, it sounds as though even Reddit users who have gone looking for the source of the file haven't tracked it down yet.

Of course, that means no-one can yet say which software package from what unofficial repository is likely to initiate an infection.

But the difficulty of tracking down the source of the malware also suggests that you're unlikely to encounter it unexpectedly.

Here's what we think we know so far. (Thanks to Xinran Wu of SophosLabs for the reversing work you see below.)

Uses Mobile Substrate to modify system behaviour

The infected file relies on add-on functionality, commonly available on jailbroken devices, known as Cydia Substrate or Mobile Substrate.

This "substrate" allows you to extend and to modify the behaviour of iOS in ways that are deliberately prohibited by Apple on unjailbroken devices, such as by hooking, or intercepting, system functions to make them do new and interesting (though sadly also perhaps dangerous) things.

→ Ironically, this sort of hook would make a reliable real-time anti-virus solution possible by allowing you to scrutinise and block files before they loaded. But it opens the door to bad as well as good, as this malware shows.

If you want to install system hooks via Cydia Substrate, you can compile them into a dynamic library and place it in this directory:


That's where the malicious Unflod.dylib has apparently been seen.

Hooks the SSLWrite function

When loaded and initialised, the Unflod library hooks the SSLWrite function, used when sending encrpyted data over a secure connection.

That means the malware gets to peek at confidential data before it is encryption for transmission.

The malware's SSLWrite hook is named, uninventively if unsurprisingly, replace_SSLWrite, and it:

• Watches out for web requests with URIs containing the text /WebObjects/​MZFinance.woa/​wa/​authenticate, which is sign that some sort of Apple authentication is about to happen.

• Watches out for the presence of AppleID credential data.

• Uploads credential data it finds to one of two hardcoded IP addresses.

The malicious Unflod.dylib file is digitally signed with an Apple-issued developer's signature, for what that's worth.

What to do?

If you haven't jailbroken your iOS device, you don't need to worry.

If you are a jailbreaker and you have been circumspect in what you choose to install, you probably don't need to worry.

Nevertheless, just in case, Sophos products detect this malware as iPh/PWS-CFX.

Of course, because a proper anti-virus isn't possible on an unjailbroken iOS device (though, by the same token, malware is in general very unlikely on such devices), there isn't such a thing as Sophos Anti-Virus for iOS.

So, if you want to scan your iPhone or iPad, you'll need to install software that lets you access the files on iDevice remotely so you can scan them with an anti-virus on your desktop or laptop computer.

And to do that you'll need to jailbreak your iDevice...

PS. If you allow remote access to your iDevice by installing the SSH daemon, don't forget that Apple gives the accounts root and mobile the same password on all iDevices (it's "alpine", and yes, hard-wired passwords are a terrible idea). So if you enable sshd, you must change the password on those accounts, as explained here.

, , , , , , ,

You might like

6 Responses to New iOS malware with a funky name: "Unflod Baby Panda"

  1. Andrew Ludgate · 533 days ago

    One comment...
    "So, if you want to scan your iPhone or iPad, you'll need to install software that lets you mount your iDevice as a USB drive and scan it from your desktop or laptop computer."

    As far as I know, there is no software that will let you do this. There are two apps for jailbroken devices that will let you create a virtual drive file on your iOS device that shows up as a USB mass storage device, and a plethora of apps that will let you share files through iTunes. There are also a few Mac and Windows apps that will let you access the filesystem on your iOS device (the Mobile folder for "clean" iOS devices, and the entire storage for jailbroken devices).

    In order to access the files in a manner that can be scanned by an AV scanner however, you need to either use a Cydia hack that backs up all files through iTunes (you'd need to disable encryption of the backups), or use SSHFUSE on your computer (it's a plugin for OSXFUSE on OS X) and install sshd on your jailbroken iOS device (remember to change the default passwords from alpine -- see -- after which you can mount your device as a virtual network disk. One other option is to install netatalk on a jailbroken device -- this makes the iOS device show up as an AppleTalk share on the local network.

    But not only do these methods require you to jailbreak your device, they also require you to open up password-based network file access to your device. This means that you've got yet another layer of security to worry about....

    • Paul Ducklin · 533 days ago

      Thanks for the clarification.

      I'll just change "mount as USB" to "access files remotely." And remind people that if you enable ssh access to your device, you need to change those hard-wired Apple passwords.

  2. Ben · 533 days ago

    The "Baby Panda" name isn't a mystery - it was made-up by Stefan Esser on Twitter.

    • Paul Ducklin · 533 days ago

      That makes it yet more mysterious.

      Was he trying to "out-heartbleed" heartbleed :-)

  3. Joshua Gambrill · 532 days ago

    You'll hear it called Unflod, because of the name of the file in which is was found

    Bad English is was found in this document (sorry to be that guy, thanks for the detailed analysis)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog