Malware is a big deal, and somehow iOS users (and Mac users) think that their devices can’t get infected with it. Even when they’re jailbroken. That is false.
In this article, we’re going to go over common ways your jailbroken iPhone, iPad or iPod Touch can be injected with malware; how to spot it; and how to get rid of the iOS malware.
Recently, a Reddit user reported that his jailbroken iPhone was being used as part of a botnet. According to SearchSecurity, a botnet is “a collection of internet-connected devices, which may include PCs, servers, mobile devices and internet of things devices that are infected and controlled by a common type of malware.”
So, let’s discuss this. Let’s talk about what can harm your device, how to spot it, and how to get rid of this nasty malware.
How to Get Malware on iOS
Stock iOS is a lot less prone to malware infection than a jailbroken device, but infection isn't impossible. If you are jailbroken, most of the security layers that Apple put in place have been disabled on your device: the sandbox can be escaped, privileges escalated, code signing patched, KPP raced, and more.
Common ways to get malware on an iOS device (via Reddit):
- Accessing maliciously crafted websites.
Jailbreaking is not known only to those of us who use it. Attackers also know that people jailbreak, and that they will stay on specific iOS versions to keep their jailbreak.
Knowing which iOS version is currently jailbreakable, they can look up its vulnerabilities, most of which are now public on Apple's security content pages, and exploit them. Those bugs are normally patched in the latest version, but they still exist in the jailbroken one.
- Accessing legit websites with malicious ads.
You know those pop-up ads that keep opening over each other without letting you close them, telling you that your device is infected? Some of them can take advantage of the same exploits I talked about in the first point. If the device is jailbroken, infecting it with such a crafted payload is crackers and cheese.
Even in non-jailbroken mode, those ads have various mechanisms able to store / detect your IP address, location, browser type, screen resolution, iOS version, device type, and various other things about your device. Some of them go as nasty as to set tracking cookies to follow your browsing behavior so that they can make their ads more appealing. You don’t have to be Jailbroken for that to happen.
- Downloading Nulled Tweaks.
Free repos providing paid tweaks are the biggest concern, and there are quite a few well-known ones. Of course, not all of them carry malware, and if you are careful enough you won't simply be struck by a mighty virus. Cydia will usually warn you when you add such repos, though it should not let you add them in the first place.
Those who freeboot paid tweaks usually don't keep them updated, and nothing stops them from inserting their own compromising code into the tweak. You're definitely playing with fire if you add such repos.
Now keep in mind that non-pirate repos can turn bad too. Quite a few once-trusted developers are now on the dark side of iOS development, so the fact that a repo isn't flagged as pirate doesn't mean it is safe. Paying attention to what you install is the bottom line here.
- Side-loading untrusted IPAs.
Now this can be anything, but usually the same thing as in the tweaks situation applies. There are websites providing paid iOS apps in IPA format for free, and there is absolutely nothing to stop them from injecting malware into those IPAs. If you are jailbroken, the sandbox is already escaped, so you basically give that IPA access to the entire system and tell it: “This system is licensed under WTFPL”. The same applies to the modified Yalu versions that are NOT released along with their source code. Yalu is by far the WORST application you can carelessly side-load.
The fact that Luca Todesco made it open source has advantages but also has HUGE risks because anyone could recompile the Yalu jailbreak, backdoor it and control your device remotely, steal data from you and so on. Of course, this does not apply to Yalu Dark and Yalu Blue, as those are distributions with open source that anyone can read. I am talking here about “Free 1000 years signed Yalu jailbreak” websites with suspicious Chinese certificates that for some reason, major YouTubers are promoting.
How do I know if my device is infected?
Now that you know some of the most common ways of getting malware on your iPhone, let’s discuss how you can tell if your device is already infected.
Here are some quick bullet points that you can use to determine if your device is infected.
- Your battery drains way faster than usual, with apparently no serious use.
- Your storage free space fluctuates significantly.
- Your internet connection is slower than usual with no apparent reason and no downloads that bottleneck your connection.
- You have strange processes active on the device (use top to check the active processes).
- The device becomes hot without apparent reason (due to high resources usage in the background).
- General slowdown of the device.
- You have unknown apps you haven’t installed.
- Your ISP complains about your internet activity.
- Random reboots (may also be due to Yalu being unstable).
- You have strange files created as root (Check in Filza).
- In some cases you can’t access anti-malware vendors websites.
- Sign in attempts from remote location in the accounts you’re logged in on the device.
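The “strange files created as root” check from the list above can be scripted instead of browsed by hand in Filza. The following is an added example and not code from the original article: a small shell function that lists files owned by a given user and modified within the last N days under whichever directories you name. The owner, age and directory list are all assumptions for illustration; on the device you would run it as root in mTerminal with owner root against user-data locations where root-owned files are unusual.

```shell
#!/bin/sh
# Added example (not from the original article): find recently modified files
# owned by a given user.  On a jailbroken device, run as root in mTerminal with
# owner "root" against directories where root-owned files are unusual, and
# against the LaunchDaemons directories to spot new persistence.

# $1 = owner to look for, $2 = age window in days, remaining args = directories.
# Prints one absolute path per line, sorted, for files modified within the window.
recent_files_owned_by() {
    owner=$1
    days=$2
    shift 2
    find "$@" -type f -user "$owner" -mtime "-$days" 2>/dev/null | sort
}

# Usage on the device (directory list is an assumption, adjust to your setup):
#   recent_files_owned_by root 7 /private/var/mobile /private/var/tmp /private/var/root
#   recent_files_owned_by root 7 /Library/LaunchDaemons /System/Library/LaunchDaemons
# Anything unexpected that shows up is a candidate for the process and repo
# checks later in this article; the script only reports, it deletes nothing.

# Stand-alone demo with constructed files, so the function can be tried offline.
demo_dir=$(mktemp -d)
touch "$demo_dir/fresh.bin"                      # modified just now: inside the window
touch -t 201501010000 "$demo_dir/old.bin"         # modified in 2015: outside the window
recent_files_owned_by "$(id -un)" 7 "$demo_dir"   # lists only .../fresh.bin
rm -rf "$demo_dir"
```

Hidden files (names starting with a dot) are listed like any other, which matters because droppers like to hide in dot-directories under the mobile user's Library. Compare the output against a known-clean device, or against a listing you saved right after a fresh restore, rather than trusting any single path to look “normal”.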
How to remove iOS malware & protect yourself
Now, if you have determined that you are in fact infected with malware, here is what you need to do.
First, here are some quick bullet points you need to skim through and take note of. Below the bullet points is a guide to removing malware.
- Change your ROOT password from “alpine” to anything else. Instructions available in Cydia.
- Disconnect all other devices from WiFi, connect your PC via Ethernet cable and leave only the infected device connected to WiFi, then monitor its incoming and outgoing traffic with a network sniffer (like Wireshark). Look for suspicious packets (requests to websites / endpoints that your device should not normally be accessing).
- If you think you are infected, log out from any account you use on the Jailbroken device and secure the account on your PC by changing the passwords and enabling 2-factor authentication.
- Uninstall any new tweaks you’ve installed recently (or all of them if you can). Remove the suspicious/pirate repos as well.
- Using top (guide on that below), try to locate any suspicious running process and find its path. WARNING: after you use top, you must close it properly by pressing Q on the keyboard while it runs; otherwise it stays active and creates a big CPU load. Just keep in mind to close it.
- Contact your internet service provider and obtain details about what your device is doing (if the ISP has sent you an email/letter).
- Uninstall any IPA coming from untrusted sources.
- Remove web data from Safari and avoid suspicious websites.
How to use top to discover iOS Malware:
- Install mTerminal, adv-cmds, and top from Cydia
- Launch mTerminal and type su. Then enter your password (default is alpine)
- Type top (or ps aux) and hit the return button to execute the command. You should now see a list of all running processes on the device. top gives you a live list of processes, while ps aux gives you a snapshot of processes and daemons but without any live updates or memory usage.
- Thoroughly inspect the processes running on the device and look for any suspicious processes. You may need to do some Googling here.
- If you find a process that is malware, use the following command: kill <PID> (replace <PID> with the process ID shown by top or ps aux) and then press enter to kill it. This won't completely remove it, but you need to first kill it as a process and then begin researching how to go about removing that specific malware and cleaning your jailbroken device.
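Step 4 above (“thoroughly inspect the processes”) is the hard part, because a jailbroken device runs dozens of daemons with unfamiliar names. The following is an added example, not code from the original article: a shell function that reads a ps aux snapshot on stdin and flags every process whose executable lives outside a list of directories where legitimate iOS binaries normally sit, plus a second function that compares a fresh snapshot against one saved from a known-clean state. The trusted directory list is an assumption to adjust for your device, the sample snapshot is constructed, and the “sysupd” daemon in it is made up to show what a hit looks like.

```shell
#!/bin/sh
# Added example (not from the original article): triage a `ps aux` snapshot
# taken as root in mTerminal on a jailbroken device (adv-cmds `ps`).
# TRUSTED_DIRS is an assumed list of directories legitimate binaries run from;
# SAMPLE_PS is constructed output, and the "sysupd" process in it is invented.

TRUSTED_DIRS='/sbin /usr/sbin /usr/libexec /usr/bin /bin /usr/local/bin /System/Library /Applications /Library /private/var/containers /var/containers'

# `ps aux` columns: USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND [args]
# Reads a snapshot on stdin and prints "PID USER %CPU COMMAND REASON" for each
# process whose executable is not under a trusted directory.  REASON is
# "untrusted-dir" for an absolute path outside the list and "no-path" for a
# bare name (kernel_task and the like), which you then verify by hand.
triage_ps() {
    awk -v trusted="$TRUSTED_DIRS" '
        BEGIN { n = split(trusted, dirs, " ") }
        NR == 1 { next }                       # skip the header line
        {
            cmd = $11
            if (substr(cmd, 1, 1) != "/") { print $2, $1, $3, cmd, "no-path"; next }
            ok = 0
            for (i = 1; i <= n; i++)
                if (index(cmd, dirs[i] "/") == 1) { ok = 1; break }
            if (!ok) print $2, $1, $3, cmd, "untrusted-dir"
        }'
}

# Compare a fresh snapshot ($2) against one saved from a known-clean state ($1),
# e.g. `ps aux > /private/var/root/ps-baseline.txt` right after a clean restore.
# Prints command paths that are running now but were absent from the baseline.
new_since_baseline() {
    awk 'NR == FNR { if (FNR > 1) seen[$11] = 1; next }
         FNR > 1 && !($11 in seen) { print $11 }' "$1" "$2" | sort -u
}

# Constructed sample snapshot (not captured from a real device).
SAMPLE_PS=$(cat <<'EOF'
USER   PID  %CPU %MEM   VSZ   RSS  TT  STAT STARTED    TIME COMMAND
root     0   0.0  0.0     0     0  ??  Rs   12:00AM 0:00.10 kernel_task
root     1   0.0  0.1  1200   800  ??  Ss   12:00AM 0:00.50 /sbin/launchd
mobile 120   0.3  2.5  9800  6100  ??  S    12:01AM 0:02.20 /System/Library/CoreServices/SpringBoard.app/SpringBoard
root   302   0.0  0.2  1100   400  ??  S    12:05AM 0:00.03 /usr/libexec/lockdownd
root   417  45.2  2.1  9000  8000  ??  R    12:05AM 1:12.00 /private/var/mobile/Library/.cache/sysupd --daemon
EOF
)

# Stand-alone demo on the constructed snapshot.  On the device, pipe the real
# thing instead:  ps aux | triage_ps
printf '%s\n' "$SAMPLE_PS" | triage_ps
```

On the sample this reports kernel_task as “no-path” (expected, it has no executable on disk) and the root process running from a dot-directory inside the mobile user's Library as “untrusted-dir”, burning 45% CPU, which matches the battery and heat symptoms listed earlier. The script only reports; once you have confirmed a hit, killing it and tracing where it came from is still the manual step described above.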
So there you have it! That should just about cover all the bases when it comes to malware on iOS. If you have any questions, let us know in the comments section!