appstore-ugly

Despite all the mishappenings that occurred in the past, iOS is still considered one of the safest mobile operating systems on the planet. However every now and then new malwares appear on the scene that particularly target the more vulnerable jailbroken iPhones, iPads and iPod touches. Now a new malware dubbed as AppBuyer has been uncovered that essentially downloads malicious files on a jailbroken iOS system and then steals the Apple ID username and password of the user.

Interestingly it then uses the stolen details to download paid applications from the App Store. The malware is known to connect to a remote server from where it downloads the files that steal user’s data and then sends it back to attacker’s server. Then it uses those details to make purchases from the App Store without the user even knowing.

The term AppBuyer has been coined by Palo Alto Networks, who have published a detailed analysis of how the malware affects jailbroken Apple devices. It was first found by WeiPhone Technical Group back in May, 2014.

How to protect yourself from getting affected from AppBuyer malware

A new Cydia tweak by developer Andy Wiik called AppBuyerProtect makes it possible for iOS users to prevent their device from getting the fatal AppBuyer malware. It creates a dummy /bin/updatesrv file on your device so the actual malware is not able to produce it when it tries to invade your iPhone or iPad. To download AppBuyerProtect simply add http://cydia.myrepospace.com/andrewwiik/ on your device and download the tweak for free.

Here’s how to check if your device affected by AppBuyer malware

If you have any of the following files on your jailbroken iOS device then you are affected by the AppBuyer malware.

  • /System/Library/LaunchDaemons/com.archive.plist
  • /bin/updatesrv
  • /tmp/updatesrv.log
  • /etc/uuid
  • /Library/MobileSubstrate/DynamicLibraries/aid.dylib
  • /usr/bin/gzip (Some early tweaks may also create this file. You may need to run “strings /usr/bin/gzip | grep ’223\.6\.250\.229′” to confirm whether it’s malicious or not. If the command output “223.6.250.229″, it is

Another way of checking this is by installing the AppBuyerProtect from Cydia. If the installation of the tweak fails then you are affected.


Tags: , , , , ,

  • A worried dude

    Ok help I can’t download the URL and the tweak where there so I tried to download it server name doesn’t work I’m scared maybe no more tweaks and my kik got broken and sometimes I randomly get out of apps so it has happend for long now so what am I supposed to do OMG

    • iani

      Quit downloading from untrusted repos, there’s a start.