New iOS malware with a funky name: “Unflod Baby Panda”

You may have heard mention, over the past few days, of some curiously-named new iOS malware.

You’ll hear it called Unflod, because of the name of the file in which it was found, as well as Baby Panda.

The company that refers to it as Baby Panda offers a possible explanation for the name “Unflod,” suggesting a deliberate misspelling of a non-malicious utility known as “Unfold.”

The reason for the name Baby Panda, however, remains a mystery.

The good news is you aren’t very likely to come across it.

Firstly, the malicious file can only affect jailbroken devices, and SophosLabs hasn’t had any reports of “in the wild” infections yet.

Secondly, it sounds as though even Reddit users who have gone looking for the source of the file haven’t tracked it down yet.

Of course, that means no-one can yet say which software package from which unofficial repository is likely to initiate an infection.

But the difficulty of tracking down the source of the malware also suggests that you’re unlikely to encounter it unexpectedly.

Here’s what we think we know so far. (Thanks to Xinran Wu of SophosLabs for the reversing work you see below.)

Uses Mobile Substrate to modify system behaviour

The infected file relies on add-on functionality, commonly available on jailbroken devices, known as Cydia Substrate or Mobile Substrate.

This “substrate” allows you to extend and to modify the behaviour of iOS in ways that are deliberately prohibited by Apple on unjailbroken devices, such as by hooking, or intercepting, system functions to make them do new and interesting (though sadly also perhaps dangerous) things.

→ Ironically, this sort of hook would make a reliable real-time anti-virus solution possible by allowing you to scrutinise and block files before they loaded. But it opens the door to bad as well as good, as this malware shows.

If you want to install system hooks via Cydia Substrate, you can compile them into a dynamic library and place it in this directory:

/Library/MobileSubstrate/DynamicLibraries/

That’s where the malicious Unflod.dylib has apparently been seen.

Hooks the SSLWrite function

When loaded and initialised, the Unflod library hooks the SSLWrite function, the Secure Transport call that an app uses to send data over an encrypted (SSL/TLS) connection.

That means the malware gets to peek at confidential data before it is encrypted for transmission.

The malware’s SSLWrite hook is named, uninventively if unsurprisingly, replace_SSLWrite, and it:

• Watches out for web requests with URIs containing the text /WebObjects/MZFinance.woa/wa/authenticate, which is a sign that some sort of Apple authentication is about to happen.

• Watches out for the presence of AppleID credential data.

• Uploads credential data it finds to one of two hardcoded IP addresses.

The malicious Unflod.dylib file is digitally signed with an Apple-issued developer’s signature, for what that’s worth.

What to do?

If you haven’t jailbroken your iOS device, you don’t need to worry.

If you are a jailbreaker and you have been circumspect in what you choose to install, you probably don’t need to worry.

Nevertheless, just in case, Sophos products detect this malware as iPh/PWS-CFX.

Of course, because a proper anti-virus isn’t possible on an unjailbroken iOS device (though, by the same token, malware is in general very unlikely on such devices), there isn’t such a thing as Sophos Anti-Virus for iOS.

So, if you want to scan your iPhone or iPad, you’ll need to install software that lets you access the files on your iDevice remotely so you can scan them with an anti-virus on your desktop or laptop computer.

And to do that you’ll need to jailbreak your iDevice…
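If you already have SSH access to a jailbroken device, the quickest check is to look in the Substrate directory mentioned earlier. The script below is an added example, not Sophos code and not how the iPh/PWS-CFX detection works: it lists every dylib in /Library/MobileSubstrate/DynamicLibraries/, flags the file name this post associates with the malware, and, as a second heuristic that is my assumption rather than something the post states, greps each library for the MZFinance authentication URI the hook watches for. A packed or obfuscated copy would not be caught by the string check, and a renamed copy would not be caught by the name check, so treat a clean result as "nothing obvious" rather than "nothing there".

```shell
#!/bin/sh
# Added example (not Sophos code): look in the Cydia Substrate extension
# directory of a jailbroken device for the file this post associates with
# Unflod / Baby Panda.  Run it on the device over SSH, or set SUBSTRATE_DIR
# to a copy of the directory you have pulled to your desktop.

SUBSTRATE_DIR="${SUBSTRATE_DIR:-/Library/MobileSubstrate/DynamicLibraries}"

# URI fragment the SSLWrite hook watches for.  Assumption: it is present in
# the dylib as a plain string, so grep -a (binary-safe) can find it.
AUTH_URI='/WebObjects/MZFinance.woa/wa/authenticate'

# classify_dylib FILE
# Prints one verdict for a single library:
#   SUSPECT         name matches and the authentication URI is present
#   SUSPECT-NAME    only the file name matches
#   SUSPECT-STRING  only the authentication URI is present
#   ok              neither indicator
classify_dylib() {
    f="$1"
    name=$(basename "$f")
    by_name=0
    by_string=0
    [ "$name" = "Unflod.dylib" ] && by_name=1
    grep -aqF -- "$AUTH_URI" "$f" && by_string=1
    if [ "$by_name" -eq 1 ] && [ "$by_string" -eq 1 ]; then
        echo "SUSPECT"
    elif [ "$by_name" -eq 1 ]; then
        echo "SUSPECT-NAME"
    elif [ "$by_string" -eq 1 ]; then
        echo "SUSPECT-STRING"
    else
        echo "ok"
    fi
}

# scan_substrate_dir DIR
# Prints a verdict line for every .dylib in DIR.  Returns 1 if anything was
# flagged, 0 if every library was clean (an empty directory counts as clean).
scan_substrate_dir() {
    dir="$1"
    flagged=0
    for lib in "$dir"/*.dylib; do
        [ -f "$lib" ] || continue          # unmatched glob, skip
        verdict=$(classify_dylib "$lib")
        printf '%-15s %s\n' "$verdict" "$lib"
        [ "$verdict" != "ok" ] && flagged=1
    done
    return "$flagged"
}

# Scan the real directory when it exists (i.e. when run on the device).
if [ -d "$SUBSTRATE_DIR" ]; then
    scan_substrate_dir "$SUBSTRATE_DIR" && echo "nothing flagged in $SUBSTRATE_DIR"
fi
```

Run it on the device as `ssh root@<device> 'sh -s' < scan.sh`, or against a pulled copy with `SUBSTRATE_DIR=/path/to/copy sh scan.sh`; a non-zero exit status means something was flagged. Anything other than "ok" deserves a look at the library and at the package that installed it, which is also the information nobody has yet been able to supply for this sample. And since you are logged in over SSH, this is the moment to run `passwd` for root and mobile if you have not already replaced the default password.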

PS. If you allow remote access to your iDevice by installing the SSH daemon, don’t forget that Apple gives the accounts root and mobile the same password on all iDevices (it’s “alpine”, and yes, hard-wired passwords are a terrible idea). So if you enable sshd, you must change the password on those accounts, as explained here.