IOS.Passrobber
First posted on 25 April 2014.
Source: Symantec
Aliases :
There are no other names known for IOS.Passrobber.
Explanation :
The Trojan runs on jailbroken iOS devices that have Mobile Substrate or Cydia Substrate installed.
When the Trojan is executed, it creates the following file:
/Library/MobileSubstrate/DynamicLibraries/Unflod.dylib
Next, the Trojan hooks the following API and replaces it with its own function:
_SSLWrite
The Trojan then uses the replaced function to check HTTPS connections for the following header:
/WebObjects/MZFinance.woa/wa/authenticate HTTP/1.1
If the Trojan finds an Apple ID and password in this header, it sends the header to the following remote locations:
23.88.10.4:50718
23.228.204.55:50718
Last update 25 April 2014
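The following triage check is an added example, not part of the Symantec write-up: it looks for the dropped file and the two remote locations listed above in an extracted device filesystem and a text connection listing. The function names, the idea of an extracted filesystem root, and the sample connection lines are assumptions made for illustration.

```python
import re
from pathlib import Path

# Indicators copied from the write-up above.
DYLIB = "Library/MobileSubstrate/DynamicLibraries/Unflod.dylib"
ENDPOINTS = {("23.88.10.4", 50718), ("23.228.204.55", 50718)}

# Matches "a.b.c.d:port" and the BSD netstat form "a.b.c.d.port".
# The lookarounds stop a longer address such as 123.88.10.4 from matching.
ADDR = re.compile(r"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})[:.](\d{1,5})(?![\d.])")

def endpoints_in(line):
    """Return every (ip, port) pair found in one line of connection output."""
    return {(ip, int(port)) for ip, port in ADDR.findall(line)}

def triage(root, connection_lines):
    """Check a filesystem root (hypothetical extraction path) and a
    connection listing for the indicators; return a list of findings."""
    findings = []
    if (Path(root) / DYLIB).is_file():
        findings.append(("file", "/" + DYLIB))
    for n, line in enumerate(connection_lines, 1):
        for ip, port in sorted(endpoints_in(line) & ENDPOINTS):
            findings.append(("connection", f"line {n}: {ip}:{port}"))
    return findings

# Constructed sample input (not captured from a real device).
SAMPLE_CONNECTIONS = [
    "tcp4  0  0  192.168.1.20.49731  23.88.10.4.50718     ESTABLISHED",
    "tcp4  0  0  192.168.1.20.49732  17.154.66.10.443     ESTABLISHED",
    "192.168.1.20:49733 -> 23.228.204.55:50718 SYN_SENT",
    "tcp4  0  0  192.168.1.20.49734  123.88.10.4.50718    ESTABLISHED",
]

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        target = Path(root) / DYLIB
        target.parent.mkdir(parents=True)
        target.write_bytes(b"")  # empty stand-in; only the path is checked
        for kind, detail in triage(root, SAMPLE_CONNECTIONS):
            print(kind, detail)
```

A match on the file path alone only shows that a library with that name is present; the connection findings give independent evidence of traffic to the listed locations.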