After reading the AppBuyer article...
#!/usr/bin/env bash
set -e
# Device to scan: the first argument when one was given (even an empty one),
# otherwise root on the address an iPhone uses as its personal-hotspot gateway.
if [ $# -ge 1 ]; then
  YOUR_IPHONE=$1
else
  YOUR_IPHONE=root@172.20.10.1
fi
# Families to check; each word is also the name of the function below that
# prints that family's indicator paths.
MALWARES="Unflod AdThief AppBuyer"
# Indicator paths reported at http://insanelyi.com/topic/17406-newly-discovered-ios-malware/
Unflod() { # aka SSLCreds
  # Print the indicator paths of the Unflod ("SSLCreds") family, one per line.
  printf '%s\n' \
    /Library/MobileSubstrate/DynamicLibraries/Unflod.dylib \
    /Library/MobileSubstrate/DynamicLibraries/framework.dylib
}
# http://www.techgravy.net/remove-adthief-malware-jailbroken-devices/
AdThief() {
  # Print the indicator paths of the AdThief family, one per line.
  # The two trailing-slash entries are directories; the remote `find` lists
  # their contents, so every file under them is reported.
  printf '%s\n' \
    /Library/MobileSubstrate/DynamicLibraries/spad.dylib \
    /Library/MobileSubstrate/DynamicLibraries/spad.plist \
    /Library/MobileSubstrate/DynamicLibraries/libgad.dylib \
    /usr/lib/libgad.dylib \
    /usr/bin/sad/ \
    /var/sad/
}
# http://researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/comment-page-1/#comment-167562
AppBuyer() {
  # Print the indicator paths of the AppBuyer family, one per line.
  # NOTE(review): /usr/bin/gzip is a path a legitimate gzip package may also
  # occupy on a jailbroken device, so a hit on it alone is weak evidence —
  # confirm against the other indicators before acting on it.
  printf '%s\n' \
    /System/Library/LaunchDaemons/com.archive.plist \
    /bin/updatesrv \
    /tmp/updatesrv.log \
    /etc/uuid \
    /Library/MobileSubstrate/DynamicLibraries/aid.dylib \
    /usr/bin/gzip
}
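#######################################
# Emit the shell script that is piped to the device over ssh: one line per
# family in $MALWARES, of the form
#   find <paths> 2>/dev/null | sed 's/^/<Family> /' || true
# so every existing indicator path is printed prefixed with its family name
# and a missing path never fails the remote shell.
# The output is executed by the remote shell, so only the fixed family names
# and the literal paths from this file may flow into it — never user input.
# Globals:   MALWARES (read); each family name is called as a function
# Outputs:   the remote script on stdout
#######################################
remote_script() {
  local MALWARE paths
  for MALWARE in $MALWARES; do
    paths=$("$MALWARE" | tr '\n' ' ')
    # An empty indicator list would become a bare `find`, which on GNU find
    # walks the current directory and reports every file as a hit; skip it.
    [ -n "${paths// /}" ] || continue
    echo "find ${paths}2>/dev/null | sed 's/^/$MALWARE /' || true"
  done
}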
#######################################
# Judge the scanner output read from stdin: any non-empty line is a hit.
# Matching lines are passed through to stdout, a warning goes to stderr and
# the function returns 1; a silent device returns 0.  A 0 only means none of
# the listed paths were found, not that the device is clean.
# Outputs:   matching lines on stdout, 'iOS malware detected!' on stderr
# Returns:   1 when at least one line was seen, 0 otherwise
#######################################
output_filter() {
  if ! grep --color=none '^..*$'; then
    return 0
  fi
  echo 'iOS malware detected!' >&2
  return 1
}
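# Generate the scan, run it on the device in a single ssh session and judge
# the output locally.  pipefail makes a transport failure (host unreachable,
# key refused) fail the script; without it output_filter would read an empty
# stream and the script would exit 0, which reads as a clean device.
set -o pipefail
# $YOUR_IPHONE is left unquoted as in the original: because of word-splitting
# $1 can carry extra ssh arguments ahead of user@host — confirm that is relied
# on before quoting it.
# shellcheck disable=SC2086
remote_script | ssh -T $YOUR_IPHONE | output_filter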
@steakknife steakknife commented Sep 14, 2014

Probably could do it all in one SSH session.

Update: implemented.

@steakknife steakknife commented Sep 14, 2014

If you trust piping this script into bash:

curl -L https://gist.github.com/steakknife/46662191ffddc2db1157/raw/ios-jailbroken-malware-scan.sh | bash

@steakknife steakknife commented Sep 14, 2014

Note: Be sure to enable SSH on the device before running this, and disable it again afterwards.
