In the SAVANTURE Simple Security Review, we provide what you need to know at a summary level and then provide relevant references to more information that might be useful for security and risk professionals.
WHAT IS “Unflod Baby Panda” and WHAT ARE THE IMPACTS:
- The newly identified malware, dubbed Unflod Baby Panda, steals Apple ID credentials from jailbroken iPhones and iPads. In its original form, the malware only affects jailbroken 32-bit iOS devices: iPhones before the iPhone 5s and iPads before the iPad 5. Once installed, it monitors outgoing SSL connections and inspects the data in the stream before it is placed in the SSL wrapper, searching for your Apple ID and password. Once the user's credentials are captured, the malware sends these unencrypted IDs and passwords to the cyber criminals via a China-based text relay.
WHAT CAN YOU DO:
- Please note that the first known install dates back to February 14th, 2014. Based on its research, SAVANTURE believes the simple fix is to delete the Unflod.dylib/framework.dylib binary. Obviously, you should change your Apple ID password immediately AFTER you have deleted the malware. We will continue to research the situation to identify whether there are further complications or steps you need to take. In addition, since many mobile devices use corporate or home networks via wifi, an additional recommendation is to block outbound traffic to IPs 184.108.40.206 and 220.127.116.11 on port 7878; this is clearly not a complete fix, but it blocks some of the exfiltration traffic, and monitoring the denies will show you whether you have compromised users.
- With more and more carriers providing unlocked devices, this is only the beginning of what will become an everyday occurrence of mobile platform compromises. SAVANTURE highly recommends not utilizing unlocked devices, as they pose incremental risk beyond that inherent in a vendor-provided configuration, which provides at least basic security protections. Complexity is the enemy of security, and a jailbroken device adds an incremental layer of complexity to a mobile device.
- If you need a step-by-step guide for removing the malicious file from your phone, Reddit user SaurikIT has provided detailed instructions here:
- Excellent technical write-up by the Germany-based security firm SektionEins:
- Other Articles:
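As an added example (not SAVANTURE's tooling or code from the write-ups linked above), the following Python script supports the block-and-monitor recommendation in "WHAT CAN YOU DO": it parses a constructed iptables-style firewall log and reports every internal host that tried to reach the two listed IPs on port 7878, counting separately the attempts that were allowed before the block rule was in place. The log format, interface name and internal addresses are constructed for the demonstration; adapt the regex to your own firewall's export.

```python
"""Triage firewall logs for the Unflod Baby Panda outbound indicator."""
import re
from collections import defaultdict

# Indicators quoted in the advisory: two destination IPs and port 7878.
UNFLOD_IPS = {"184.108.40.206", "220.127.116.11"}
UNFLOD_PORT = 7878

# Constructed sample log lines (not real traffic); iptables-style fields.
SAMPLE_LOG = """\
Apr 18 09:01:12 fw kernel: DENY IN=wlan0 SRC=10.0.5.21 DST=184.108.40.206 PROTO=TCP DPT=7878
Apr 18 09:01:15 fw kernel: ACCEPT IN=wlan0 SRC=10.0.5.33 DST=17.172.224.47 PROTO=TCP DPT=443
Apr 18 09:02:40 fw kernel: DENY IN=wlan0 SRC=10.0.5.21 DST=220.127.116.11 PROTO=TCP DPT=7878
Apr 18 09:03:02 fw kernel: ACCEPT IN=wlan0 SRC=10.0.5.40 DST=184.108.40.206 PROTO=TCP DPT=7878
Apr 18 09:04:10 fw kernel: DENY IN=wlan0 SRC=10.0.5.52 DST=184.108.40.206 PROTO=TCP DPT=80
"""

# Assumed (constructed) line layout: ACTION ... SRC=a DST=b PROTO=x DPT=n
LINE_RE = re.compile(
    r"(?P<action>DENY|ACCEPT) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=\w+ DPT=(?P<dpt>\d+)"
)


def find_suspect_hosts(log_text, ips=UNFLOD_IPS, port=UNFLOD_PORT):
    """Return {source_ip: {"hits": n, "allowed": n}} for every source that
    tried to reach an indicator IP on the indicator port.

    A DENY only proves the block rule works; an ACCEPT means the traffic got
    out (rule not yet in place), so both kinds of host need follow-up."""
    hits = defaultdict(lambda: {"hits": 0, "allowed": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated or unparsable line, skip it
        if m["dst"] in ips and int(m["dpt"]) == port:
            entry = hits[m["src"]]
            entry["hits"] += 1
            if m["action"] == "ACCEPT":
                entry["allowed"] += 1
    return dict(hits)


if __name__ == "__main__":
    for src, info in sorted(find_suspect_hosts(SAMPLE_LOG).items()):
        print(f"{src}: {info['hits']} attempt(s), {info['allowed']} not blocked")
```

The hosts it lists are the devices to check for the Unflod.dylib/framework.dylib binary and whose owners should change their Apple ID password after removal.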
If you would like to stay up to date on this post, please join us on Facebook at: https://www.facebook.com/savanture.inc