SektionEins, a security firm, analyzed the malware, and this is what they had to say:
This malware appears to have Chinese origin and comes as a library called Unflod.dylib that hooks into all running processes of jailbroken iDevices and listens to outgoing SSL connections. From these connections it tries to steal the device’s Apple-ID and corresponding password and sends them in plaintext to servers with IP addresses in control of US hosting companies for apparently Chinese customers.
We aren’t sure how the malware found its way onto jailbroken iOS devices, but the malware may have been installed through Chinese pirate repositories. The malware is signed with an iPhone developer certificate registered under the name Wang Xin, which could be a fake account or someone’s stolen identity.
You can find out if you are infected by this malware by navigating to the following folder using iFile: /Library/MobileSubstrate/DynamicLibraries/ and checking whether a library named Unflod.dylib is in that location. MobileSubstrate loads every dylib in that folder into every process, so while you are there, look at the whole list and treat any library you did not knowingly install as suspect, not just one with that exact name.
Stefan Esser tweeted that users could also run a grep command to check if they’re infected:
“So I guess it would help if those infected by this try to do a “grep -R ‘WANG XIN’ /Applications/” on their systems”
If you do find the dynamic library on your device, delete it right away and reboot, since deleting the file does not unload the code from processes it has already been injected into. Then change your Apple ID password and enable two-step verification. Because the malware captures the password from the device’s own SSL connections, change it from a device you trust rather than from the infected device before it has been cleaned and rebooted, or the new password may be stolen as well.
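The two checks above (the Unflod.dylib file in the MobileSubstrate directory and Stefan Esser’s grep for the signer name) can be automated in a small shell script. The script below is an added example, not code from the original post or from SektionEins: the two paths and the 'WANG XIN' string come from the text, while the function names and the optional ROOT argument (for scanning a mounted copy of a device filesystem instead of the live device) are this example’s own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or SektionEins): automates the
# Unflod checks described in the article. Run on the jailbroken device itself
# (over SSH or in MobileTerminal) with ROOT empty, or pass the mount point of a
# copied device filesystem as ROOT. Function names and the ROOT convention are
# this example's own; the paths and the 'WANG XIN' string are from the article.

SUBSTRATE_DIR="/Library/MobileSubstrate/DynamicLibraries"

# Indicator 1: the Unflod.dylib file in the MobileSubstrate directory.
# Returns 0 (true) if present, 1 if absent. $1 is the optional ROOT.
unflod_dylib_present() {
    [ -f "${1:-}$SUBSTRATE_DIR/Unflod.dylib" ]
}

# Indicator 2: Stefan Esser's grep for the signer name under /Applications/.
# Prints the path of every file containing 'WANG XIN' and prints nothing when
# there is no match; grep's own exit status is deliberately not propagated.
unflod_signer_matches() {
    grep -R -l 'WANG XIN' "${1:-}/Applications/" 2>/dev/null || true
}

# MobileSubstrate loads every .dylib in this directory into every process, so
# the full list deserves a manual look even when Unflod.dylib itself is absent
# (a renamed copy would not be caught by the name check alone).
list_substrate_dylibs() {
    ls -1 "${1:-}$SUBSTRATE_DIR" 2>/dev/null || true
}

# Runs both checks, prints findings, returns 0 if clean and 1 if infected.
unflod_check() {
    root="${1:-}"
    infected=0
    if unflod_dylib_present "$root"; then
        echo "FOUND: $root$SUBSTRATE_DIR/Unflod.dylib"
        infected=1
    fi
    matches=$(unflod_signer_matches "$root")
    if [ -n "$matches" ]; then
        echo "FOUND signer string 'WANG XIN' in:"
        echo "$matches"
        infected=1
    fi
    echo "MobileSubstrate libraries under '${root:-/}' (review for anything unexpected):"
    list_substrate_dylibs "$root"
    if [ "$infected" -eq 0 ]; then
        echo "No Unflod indicators under '${root:-/}'"
    fi
    return "$infected"
}

# Usage on the device:      sh unflod_check.sh scan
# Against a mounted copy:   sh unflod_check.sh scan /mnt/iphone
if [ "${1:-}" = "scan" ]; then
    unflod_check "${2:-}"
    exit $?
fi
```

The script only reports; removal, the reboot, and the password change are still manual steps, and a clean result from the name check alone is not proof that the device is clean, which is why the full dylib list is printed for review.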
If you have a jailbroken iOS device, we advise you to avoid adding repositories from untrusted sources that host pirated software.