iOS jailbreak malware stole 225,000 Apple IDs across 18 countries, but it’s unlikely you’re at risk


Researchers from Palo Alto Networks have discovered that a piece of iOS malware successfully stole more than 225,000 Apple IDs and passwords from jailbroken phones, using them to make purchases from the official App Store. The malware, dubbed KeyRaider, also has the ability to remotely lock jailbroken iOS devices in order to hold them to ransom.

These two tweaks will hijack app purchase requests, download stolen accounts or purchase receipts from the C2 server, then emulate the iTunes protocol to log in to Apple’s server and purchase apps or other items requested by users. The tweaks have been downloaded over 20,000 times, which suggests around 20,000 users are abusing the 225,000 stolen credentials.

However, it’s extremely unlikely that you’re at risk: the malware can only run on jailbroken devices, and appears to spread through only one set of Cydia repositories, run by Weiphone.

The malware was used in two tweaks that allow those running them to download paid apps and make in-app purchases from Apple’s official App Store without payment. The tweaks used the stolen credentials to make the purchases.

If you think your iPhone or iPad may be at risk, Palo Alto Networks has provided the following instructions to detect and remove the malware. Further details over at the company’s lengthy blog entry.

Users can use the following method to determine by themselves whether their iOS devices was infected:

  1. Install openssh server through Cydia
  2. Connect to the device through SSH
  3. Go to /Library/MobileSubstrate/DynamicLibraries/, and grep for these strings to all files under this directory:
  • wushidou
  • gotoip4
  • bamu
  • getHanzi

If any dylib file contains any one of these strings, we urge users to delete it and delete the plist file with the same filename, then reboot the device.

We also suggest all affected users change their Apple account password after removing the malware, and enable two-factor verifications for Apple IDs.

The company also notes that not jailbreaking iOS devices is the only way to protect against such exploitation.

Via Re/code

Author Ad Placeholder
Will only appear on redesign env.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel


  1. usmansaghir - 7 years ago

    I have a jailbroken iPad. I have been trying to chane my itunes password. But keeps showing up with an error with the following messing.
    “Cannot connect to icloud ”
    Anyone else have this problem?

    • Howie Isaacks - 7 years ago

      There’s a simple fix. STOP JAILBREAKING! You deserve this problem.

      • rahhbriley - 7 years ago

        Man that’s sad you break it down like that. Maybe you do have some experience with JB’ing but that statement sounds quite ignorant. Jailbreaking is so much more than malware (or piracy). You can choose to focus on it like that, but it’s a small portion of jailbreaking.

        There are risks and it is not for everyone. No one affected by this malware has a right to b*tch about it, but that doesn’t mean that your hostile response is any more reasonable.

        The jailbreaking community has lead to new features, some you likely take advantage of, including the Appstore itself. Get off your high-horse. If you’d like to engage in a thoughtful discussion about the pros and cons of jailbreaking, I’ll gladly have that exchange. But take your fallacies and ignorant spouting else where.

      • Howie Isaacks - 7 years ago

        You’re ignorant if you think jailbreaking is safe. The “community” is full of idiots.

    • PhilBoogie - 7 years ago

      Turn WiFi off and try again over cellular. If not, try logging out, and back in.

  2. This once again confirms what I always say – do not jailbreak.

    • marsontherocks - 7 years ago

      No, it confirms that a certain tweak (that the jailbreaking community warns against using) is stealing information. Jailbreaking in it self is not doing this. But since you have this conclusion by reading this article, you should refuse jailbreaking, as you don’t seem to understand what it’s all about.

      • lincolnsills - 7 years ago

        Not tweaks…malicious repositories meant to steal developers work.
        Christ not one person here understands what they vehemently are saying.

      • Howie Isaacks - 7 years ago

        Nope. It confirms that you shouldn’t jailbreak. There is no feature that merits putting yourself at risk. As an I.T. service provider, I refuse to support jailbroke iOS devices. I don’t want them on my networks, and I will refuse to modify my servers to fix problems experienced by jailbreakers. Screw the “community”.

      • lincolnsills - 7 years ago

        You are completely wrong. Jay Freeman, the creator of Cydia, is one of the biggest supporters trying to abolish the heinous Digital Millennium Copyright Act. Put down your incorrect prejudges assumptions about a subject you clearly don’t understand. You don’t have to modify any server for a jailbroken device… you are simply lying.
        Do some research:

  3. lincolnsills - 7 years ago

    If you are in the U.S. this only applies if you:
    A) Installed malicious repositories, the same ones Cydia warns you about installing.
    B) Actively went looking for ways to steal apps.
    Don’t let the ignorance of the jailbreaking naysayers keep you from freeing your device. The key developers behind Cydia watch over repositories (servers) that come pre-installed and are incredible vigilant when it comes to malicious code. A jailbroken device can be more secure then one that is stock. While there are pros and cons to jailbreaking its ridiculous to simply say “Don’t do it!” Again, simply jailbreaking your device would NOT allow this to happen.

  4. patthecarnut - 7 years ago

    Great “how to” on fixing this issue. But you also could, I dunno, STOP JAILBREAKING YOUR FREAKIN PHONE!?? There is a REASON for Apple locking it down. I agree you deserve what happens.

  5. mpias3785 - 7 years ago

    If you swim in a sewer, don’t be surprised if you get sick.

  6. jeankadang - 7 years ago

    Hmm – Cant help but to feel a little ‘Schadenfreude’ – Dont know a better english word for it, and i’m not even german…

  7. Want to jailbreak your iPhone? Fine, go right ahead: it’s your phone. If anything goes wrong and you head over to Apple for help, their first action to try to fix it will be to restore to factory settings. Jailbroken iPhones are outside of Apple warranty.

    Next question: why? More ability to customize? Better be very sure that you know how to customize your phone before you undertake this effort. If you do not have clarity around how to do it and how to keep yourself safe (I know I don’t have that understanding), don’t jailbreak!

    • rahhbriley - 7 years ago

      I appreciate your words here. It is not for everyone. Most people shouldn’t go tweak their engines and install upgrades to their cars themselves. But others are perfectly capable and enhances their enjoyment. Both should only be undertaken if you know what you’re doing.

      FYI, as a general rule, you can unjailbreak a phone and then take it to Apple, and they won’t be able to tell it was ever jailbroken. People don’t seem to get that it is entirely software and can be undone. Sometimes is is difficult, but I have always found a way to restore back to factory. Early days, when we were unlocking too. Now that could permantly screw up your phone! I digress.

  8. telosinitiative - 7 years ago

    Jailbreaking is simply a preference. If somebody doesn’t want to jailbreak their idevice, then so be it; if somebody does, so be it. Enough of these judgmental remarks with regards to a preference; individual choice is perogitive based.

    “You should have never bungee jumped. The bungee rope broke, now you’re laying there half dead all because you wanted to defy death…you got what you deserved!”

    Ummmm, inappropriate, right? In the same vein, if anybody want to jailbreak their idevice, every elemental result belongs to them; whether it be bliss or destruction, the end result still belongs to them…let that person enjoy it or regret it.

    With that said…I love Jailbreaking…just because I can!


Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear