KeyRaider iOS malware
How to detect and eliminate KeyRaider malware on jailbroken iOS device idevice.ro

iOS security researchers have recently uncovered a new malware called "KeyRaider", which is known to have hijacked confidential data from more than 250,000 Apple accounts to date. The malware allegedly intercepts iTunes traffic to steal data from the accounts of users whose devices have been compromised through the installation of malware-ridden jailbreak apps from untrusted sources.

With its origin attributed to a Chinese source, the KeyRaider malware has reportedly spread across 18 countries through malicious content packed into certain pirated jailbreak apps that are uploaded via unreliable sources on the app store.

If you are worried that your device could be at risk, you can follow a simple method to uncover and eliminate the malware threat, with due credit to Redditor Flu17. Here are the steps you need to follow:

Step 1: Search Cydia for Filza File Manager and install it

Step 2: Launch the app and navigate to /Library/MobileSubstrate/DynamicLibraries/

Step 3: Select the first file ending in .dylib

Step 4: After opening this file, you will see lots of hex code. Use the search bar at the top to look for the following keywords:

  • wushidou
  • gotoip4
  • bamu
  • getHanzi

Step 5: If you find any of these keywords, then your device is infected. To remove the threat, you must delete the file along with its corresponding .plist file with the same name.

Note: You must repeat these steps for each and every .dylib file in the directory. Once you have removed all the infected files, reboot your iOS device. Do not merely respring; turn the device off fully and then power it on again.
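The same check, scripted, as an added example that is not part of the original article: run over SSH on a jailbroken device, it greps every .dylib in the directory from Step 2 for the four indicator strings from Step 4 and, instead of deleting hits outright as Step 5 does, moves each flagged .dylib together with its same-named .plist into a quarantine folder so a false positive can be restored. The directory path and indicator strings are the article's; the sample files built by `make_sample_dir` are constructed placeholders, not real binaries.

```sh
#!/bin/sh
# Added example, not from the article: automate Steps 2-5 over SSH on a
# jailbroken device. Every .dylib in the target directory is grepped for the
# four indicator strings; hits (plus the same-named .plist) are moved into a
# quarantine folder. Files built by make_sample_dir are constructed samples.

INDICATORS="wushidou gotoip4 bamu getHanzi"

# Exit 0 if the file in $1 contains any indicator string. grep -a treats the
# binary as text, -F matches the literal word, -q suppresses output.
is_flagged() {
    for word in $INDICATORS; do
        if grep -a -q -F -- "$word" "$1"; then
            return 0
        fi
    done
    return 1
}

# Print the path of every .dylib in directory $1 that is flagged.
scan_dylibs() {
    for f in "$1"/*.dylib; do
        [ -f "$f" ] || continue
        if is_flagged "$f"; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Move flagged .dylib files and their matching .plist from $1 into $2 and
# print the number of dylibs moved. Quarantining rather than deleting keeps a
# copy for review and lets a false positive be put back.
quarantine_matches() {
    dir="$1"; qdir="$2"; count=0
    mkdir -p "$qdir"
    for f in "$dir"/*.dylib; do
        [ -f "$f" ] || continue
        is_flagged "$f" || continue
        base="${f%.dylib}"
        mv "$f" "$qdir"/
        if [ -f "$base.plist" ]; then
            mv "$base.plist" "$qdir"/
        fi
        count=$((count + 1))
    done
    printf '%s\n' "$count"
}

# Build a throwaway directory with constructed sample files (plain-text
# placeholders, not real Mach-O binaries) and print its path.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'harmless tweak code\n' > "$d/GoodTweak.dylib"
    printf '<plist/>\n' > "$d/GoodTweak.plist"
    printf 'junk bytes ... wushidou ... more junk\n' > "$d/Sample.dylib"
    printf '<plist/>\n' > "$d/Sample.plist"
    printf '%s\n' "$d"
}

# Demo run on constructed samples. On a real device, point scan_dylibs and
# quarantine_matches at /Library/MobileSubstrate/DynamicLibraries instead,
# then fully power the device off and on as the note above says.
demo() {
    d=$(make_sample_dir)
    echo "flagged:"
    scan_dylibs "$d"
    echo "moved: $(quarantine_matches "$d" "$d/quarantine")"
    rm -rf "$d"
}
demo
```

A string match is only an indicator: a clean tweak that happens to contain one of these words would be flagged too, which is why the script quarantines rather than deletes, and why a reboot (not a respring) is still needed afterwards to unload anything already injected.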

Alternatively, you can also perform a fresh restore with a new copy of iOS from a bootable device such as USB drive or DVD via iTunes. This will not only remove the infected system files, but also wipe out all your jailbreak apps and tweaks along with user data.

In such a scenario, just repeat the jailbreaking process after the iOS restore completes.

[Source: Reddit]