Chinese iOS malware stealing Apple IDs and passwords from jailbroken devices


Security researcher Stefan Esser (via ArsTechnica) has discovered that an issue reported on Reddit as causing crashes on jailbroken iPhones and iPads is actually a piece of malware designed to capture Apple IDs and passwords from infected devices.

This malware appears to have Chinese origin and comes as a library called Unflod.dylib that hooks into all running processes of jailbroken iDevices and listens to outgoing SSL connections. From these connections it tries to steal the device’s Apple-ID and corresponding password and sends them in plaintext to servers with IP addresses in control of US hosting companies for apparently Chinese customers.

Early indications are that the malware most likely came from a tweak downloaded from somewhere outside of Cydia. Esser has identified that the code only runs on 32-bit devices, meaning that the iPhone 5s, iPad Air and iPad mini with Retina display are safe, while other devices are vulnerable.

The blog post says that the malware is easy to check for, but may not be easy to remove. Using SSH/Terminal, check the path /Library/MobileSubstrate/DynamicLibraries/ for the presence of either Unflod.dylib or framework.dylib.
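The check described above, written as a small shell function. This is an added example, not code from Esser's blog post or from 9to5Mac. The optional root argument (for inspecting a copied or mounted filesystem instead of the live device) and the lookup of a same-named .plist filter file are assumptions of this example.

```shell
#!/bin/sh
# Added example: look for the two library names reported in the article.
# Usage on the device:            check_unflod
# Usage on a filesystem copy:     check_unflod /path/to/copied/root

SUBSTRATE_DIR="Library/MobileSubstrate/DynamicLibraries"
SUSPECT_NAMES="Unflod.dylib framework.dylib"

# Prints one line per finding.
# Returns 0 if neither name is present, 1 if either is,
# and 2 if the Substrate directory itself does not exist.
check_unflod() {
    root="${1:-/}"
    dir="${root%/}/$SUBSTRATE_DIR"
    found=0

    if [ ! -d "$dir" ]; then
        echo "no Substrate directory at $dir"
        return 2
    fi

    for name in $SUSPECT_NAMES; do
        path="$dir/$name"
        # -e follows symlinks; -L also catches a dangling symlink of that name
        if [ -e "$path" ] || [ -L "$path" ]; then
            found=1
            echo "FOUND: $path"
            ls -l "$path"
            # Assumption: Substrate libraries are usually paired with a
            # same-named .plist filter file; report it if it exists.
            plist="${path%.dylib}.plist"
            if [ -e "$plist" ]; then
                echo "  filter file: $plist"
            fi
        fi
    done

    if [ "$found" -eq 1 ]; then
        return 1
    fi
    echo "neither name present in $dir"
    return 0
}
```

A return code of 0 only means these two file names are absent from that directory.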

Currently the jailbreak community believes that deleting the Unflod.dylib/framework.dylib binary and changing the apple-id’s password afterwards is enough to recover from this attack. However it is still unknown how the dynamic library ends up on the device in the first place and therefore it is also unknown if it comes with additional malware gifts.

We therefore believe that the only safe way of removal is a full restore, which means the removal and loss of the jailbreak.

Cydia developer Jay Freeman, aka Saurik, pointed out on Reddit that adding random download URLs to Cydia is as risky as opening attachments received in spam emails.



  1. Wassim Jabi - 9 years ago

    This is one of the reasons I never feel compelled to jailbreak my iOS devices. The “walled garden” may be limiting, but it also protects you. If I wanted all this headache that comes with flexibility, I would go for Android rather than jailbreak an iOS device.

    • Tim Jr. - 9 years ago

      Exactly my view…

      • Lincoln Sills - 9 years ago

        This doesn’t happen simply from jailbreaking your device, just as having an email inbox on your computer doesn’t infect your computer. My jailbroken device has more security with added firewall and privacy protections. Remember the SSL problem, the jailbreak community had it patched the same day. You don’t have to jailbreak your iDevice but understand that it adds security and much needed functionality. In order to get an option to download something like this malware one would have to install a 3rd party repository then select an option saying that even though it is NOT recommended you still do want to add the repository. Chances are it is on a server full of cracked apps so nothing an honest user has to even think about. The jailbreak community is as safe as the Apple App Store and has been for the last 6 years thanks to Saurik and others like him.

  2. Chris Denny (@dennyc69) - 9 years ago

    I have no sympathy for anyone who jailbreaks their device just to get a few more features or apps. If you jailbroke your phone and got nailed by the malware, then you got what you asked for. There are reasons Apple locks down the phone, and this is one of them. If you like getting into the guts of the phone to make these kind of changes, then you should switch to Android, it’s made to do that.

    • You obviously have absolutely no idea what you are talking about! The mere process of jailbreaking your phone wouldn’t cause you to be infected by this. You would have to manually add an unsafe repository, agree to the warning that it is unsafe and then download a dodgy tweak. Please do a bit of research next time before letting your uninformed fingers loose on the keyboard

  3. o0smoothies0o - 9 years ago

    All I can say is that I pray that anyone who changed their theme after jail breaking gets this. Simply because I’ve seen the themes people use and they are so stupid and have such poor taste that they deserve it.

    • frankman91 - 9 years ago

      You are of the opinion that because you don’t like the theme someone added to their phone that they deserve their passwords to be stolen.

      You sir, are miserable and sad.

      • o0smoothies0o - 9 years ago

        Sorry actually just people who change their themes to something ungodly hideous, and then proceed to complain about iOS 7’s look, which is ten trillion times superior, then that of the theme and iOS 6.

      • *THAN that


Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
