New ‘AppBuyer’ malware steals Apple IDs and passwords from jailbroken devices

It looks like jailbreakers are no longer on safe ground. Earlier today, security researchers at Palo Alto Networks reported a new iOS malware that affects jailbroken iOS devices and steals users' Apple IDs and passwords. The new malware is called "AppBuyer", and it uses the stolen Apple IDs and passwords to purchase apps from the App Store.

It’s not clear exactly how AppBuyer is being installed, but the researchers say it could happen in a number of ways, including through a malicious Cydia Substrate tweak or a PC jailbreaking utility. Those infected complain of random apps periodically appearing on their devices.

AppBuyer is a Trojan program that carries out three actions. First, it downloads an executable file that generates a unique UUID; second, it downloads a Cydia Substrate tweak that steals the user’s Apple ID and password; and third, it downloads a utility that logs in to the App Store and buys apps.

What should I do to keep myself safe?

As usual in such situations, we recommend that our users stay away from any suspicious repositories, which often carry pirated jailbreak tweaks and unknown packages.

You can also check your device (using iFile, iExplorer or other software) to see if it contains any of the AppBuyer files:
  • /System/Library/LaunchDaemons/com.archive.plist
  • /bin/updatesrv
  • /tmp/updatesrv.log
  • /etc/uuid
  • /Library/MobileSubstrate/DynamicLibraries/aid.dylib
  • /usr/bin/gzip

Palo Alto Networks says that since it hasn’t figured out how AppBuyer is loaded onto devices, deleting these files may not solve the problem completely. It does say, however, that it is working on ways to block the app, including the use of custom URL, DNS and IPS signatures.
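For readers who would rather check over SSH than with a file browser, here is an added POSIX shell script (not from the original post or from Palo Alto Networks) that looks for the paths listed above under a given filesystem root. Treating /usr/bin/gzip as a weaker indicator is this example's own assumption, since that path can also come from a legitimately installed gzip package on a jailbroken device.

```shell
#!/bin/sh
# Added example, not code from the original post or from Palo Alto Networks.
# Checks a filesystem root for the AppBuyer file paths listed in the post.

# Indicator paths exactly as listed in the post (one per line, no spaces).
APPBUYER_PATHS="/System/Library/LaunchDaemons/com.archive.plist
/bin/updatesrv
/tmp/updatesrv.log
/etc/uuid
/Library/MobileSubstrate/DynamicLibraries/aid.dylib
/usr/bin/gzip"

# Assumption of this example: /usr/bin/gzip may also come from a legitimately
# installed gzip package, so it is treated as a weak indicator and only counted
# when at least one of the other paths is present.
WEAK_PATH="/usr/bin/gzip"

# appbuyer_check ROOT
#   Reports each indicator found under ROOT on stderr and prints the number
#   of indicators counted on stdout, so callers can do: n=$(appbuyer_check /)
appbuyer_check() {
    root="${1:-/}"
    root="${root%/}"          # "/" becomes "", so "$root$p" stays a clean path
    strong=0
    weak_found=""
    for p in $APPBUYER_PATHS; do
        [ -e "$root$p" ] || continue
        if [ "$p" = "$WEAK_PATH" ]; then
            weak_found="$root$p"
        else
            echo "FOUND: $root$p" >&2
            strong=$((strong + 1))
        fi
    done
    count=$strong
    if [ -n "$weak_found" ]; then
        if [ "$strong" -gt 0 ]; then
            echo "FOUND (weak, counted alongside other indicators): $weak_found" >&2
            count=$((count + 1))
        else
            echo "PRESENT (weak, not counted on its own): $weak_found" >&2
        fi
    fi
    echo "$count"
}

# Run directly as:  sh appbuyer_check.sh --check /   (or --check /mnt/copied_fs)
case "${1:-}" in --check) appbuyer_check "${2:-/}" ;; esac
```

A count of zero does not prove the device is clean, and, as noted above, removing the files that are found may not fully remove AppBuyer.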

Once again, we ask you to stay away from any unknown repos and never to install pirated tweaks on your device.

[Palo Alto Networks via r/jailbreak]
