Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Malware & Threats

AppBuyer iOS Malware Targets Jailbroken iPhones

Researchers at Palo Alto Networks analyzed a piece of malware targeting owners of jailbroken iPhones that steals the vicitm’s Apple ID and password information and makes purchases from the App Store.

Researchers at Palo Alto Networks analyzed a piece of malware targeting owners of jailbroken iPhones that steals the vicitm’s Apple ID and password information and makes purchases from the App Store.

The malware has been appropriately dubbed ‘AppBuyer’. According to Palo Alto Networks, the malware was mentioned first by members of the WeiPhone Technical Group in May, when they remotely assisted a user in finding out why certain apps periodically had been installed onto his device. They ultimately located two strange files that would download, execute and delete other executable files.

“We still don’t know how the AppBuyer malware was installed onto jailbroken iOS devices,” blogged researcher Claud Xiao. “There’re some possibilities that include through malicious Cydia Substrate tweak (like Trojan.iOS.AdThief) hosted in third-party Cydia sources, through other PC malware, through a PC jailbreaking utility, or possibly some other unknown ways.”

What the researchers do know is that after the devices were infected, two files appear in the file system – /System/Library/LaunchDaemons/com.archive.plist and bin/updatesrv. The com.archive.plist is a launchd daemon configuration file that specified that every 7,200 seconds (or 2 hours) the /bin/updatesrv will be loaded and run.

Advertisement. Scroll to continue reading.

At first, updatesrv will connect to http :// to fetch configuration of local UUID file path: /etc/uuid. Then it reads the UUID from this file and constructs the second URL: http: //<UUID>, Xiao explained.

“The updatesrv will then determine whether the server returns “IDLE”,” he blogged. “If so, it will exit immediately; otherwise, it will download two files from the server, rename them as /tmp/u1 and /tmp/u2, then execute the first one, and lastly delete all of the files. During the course of our analysis, we found that after updatesrv executes three times, the server will always return IDLE.”

During the first execution, the updatesrv will determine if /etc/uuid exists; if it doesn’t, the second URL will have no UUID value. At that point, updatesrv will download two files named u1 and u2 using the following URLs:

  • http: //
  • http: //

“The code in u1’s  is quite simple, it generates a new UUID by combining the current time, a random number between 0 to 9999 and current process ID, and stores it into /etc/uuid,” the researcher wrote. “The u2 file simply contains the character “1”, but this is not used by the code.”

After the UUID generated, the second execution of updatesrv accesses the URL with the UUID value:

The server returns u1_80 and u2_80 as results, then downloads files from:

The code in u1_80 simply copies u2_80 into /Library/MobileSubstrate/DynamicLibraries/aid.dylib. The u2_80 will be loaded by the Cydia Substrate framework later on. The u2_80 is a Cydia Substrate tweak. After it is loaded it will hook the (void)connectionDidFinishLoading:(id)arg1; method of the ISURLOperation class. It uses this hook to capture every HTTP or HTTPS request made by the victim’s device and inspect the traffic for the user’s apple ID, GUID (Globally Unique Identifier) or password.

In the third execution cycle, the malware uses the victim’s information to buy apps from the official App Store.

“We highly recommend iOS users not jailbreak their devices,” blogged Xioa. “AdThief, another iOS malware found by Palo Alto Networks in this year, which also targets jailbroken iOS devices, has infected more than 75,000 devices. Another example is Unflod, which is a malicious Cydia Substrate tweak, will steal a victim’s Apple ID in the similar way.”

The full technical write-up can be found here.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...