
iOS Trojan “TinyV” Is Infecting Jailbroken iPhones



I’ve said it before, and I’ll surely say it again.

If you care one ounce about security, then you won’t jailbreak your iPhone.

Because jailbreaking your iDevice opens it up to more threats, as you download apps distributed unofficially from third-party websites rather than the authorised App Store.

Security researchers have issued a warning that Chinese iPhone users are unwittingly infecting their smartphones with a new iOS Trojan horse known as TinyV.

And it appears that the malware’s spread is being assisted because it has been hidden inside pirated versions of apps — often with the pretence that they are “ad-free.”

Amongst the apps to be wary of are versions of the Youku (优酷), iQiYi (爱奇艺) and Watermelon (西瓜播放器) video players — an infected version of the latter has reportedly been distributed via the player’s own official website:

[Image: the malware-infected Watermelon Player download]

Meanwhile other sites offer a variety of “ad-free” video players, with no warning that the apps have been compromised.

[Image: untrusted app stores offering “ad-free” video players]

Using a complicated combination of APIs, PLIST tricks and code hooks, the malware downloads further code from the Internet — installing unwanted applications onto your iPhone or iPad. Currently, victims are having the XZ Helper (协奏助手) jailbreak tweak surreptitiously installed onto their iDevice by the malware.

So, there’s good news and bad news.

The bad news is that Apple customers who have jailbroken their iPhones and iPads are apparently putting their data at risk, both through the jailbreak itself and by installing software from untrusted sources.

The good news, however, is that, eight years after the launch of the original iPhone, malicious hackers still have to go to quite extreme lengths to infect iOS devices.

Criminals find it too difficult to sneak malicious iOS apps into Apple’s highly-secured “walled garden,” and so have to resort to different methods to get their malware onto your iPhone or iPad.

But the threat on regular devices is nothing like the malware that can be encountered on jailbroken devices, where this year alone we have seen hundreds of thousands of iPhones hit by the likes of iOS/KeyRaider.

That’s not to say that non-jailbroken iOS is entirely safe. For instance, we have seen serious bugs in AirDrop that could drop malware onto unsuspecting iPhone users’ devices, zero-day flaws that could be used to silently steal passwords and plant malware, and even 1,500 Apple-approved apps tainted by a data-exposing vulnerability.

And I have lost count of the number of times that a “trusted” app, distributed via the App Store, has been found to have a serious privacy flaw at its heart, or failing to encrypt sensitive information as it is sent up to a web server.

Ultimately, however, you decide what apps you install on your iPhone and iPad and where you get them from. In my opinion, if you have any sense, you will resist the temptation to jailbreak your iPhone — and your security will be all the better for it.

So far the only reports of infections from the TinyV Trojan horse have come from mainland China, where it appears users are more inclined to jailbreak their devices.

Keep a sharp eye out for further updates should new information become available. To learn more about the malware, check out the blog post from Palo Alto Networks.

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.