How to stop the UnFlod Baby Panda malware infecting your iPhone

Here is today’s question:

    How can I stop the UnFlod Baby Panda malware infecting my iPhone? I’ve heard that the malicious app can steal the Apple ID from my iPhone, so I would like to protect it.

I love questions like this, because there’s a really easy answer:

    Don’t jailbreak your iPhone in the first place.

German security researchers at SektionEins have published what they call a “quick and dirty analysis” of the new iOS malware, which can steal infected devices’ Apple ID and corresponding password, sending them in plaintext to the remote hackers.

The threat is thought to have existed since mid-February, but only came to general attention after a Reddit thread sprang up in the last few days.

It’s important to note that UnFlod Baby Panda can only infect jailbroken iPhones, and has not been seen distributed in the official iOS App Store. You can only install apps from unofficial app stores like Cydia if you jailbreak your iPhone or iPad.

That’s one of the reasons why the Android platform is plagued with new malware variants every day, whereas threats for iOS are so rare.

Call them control-freaks but there’s no denying that Apple’s walled garden and the steps it has taken to make jailbreaking tricky have helped keep malware away from many millions of iPhone and iPad users.

I don’t have a problem with people who do want to jailbreak their iPhones and iPads. After all, they’ve spent a lot of money buying an expensive gadget – they should be able to do what they want with it.

But there’s no doubt that you are exposing yourself to greater risks if you go down the jailbreaking route.

Stefan Esser, the security researcher who wrote the blog post for SektionEins, wrote on Twitter that he expected to see more malware targeting jailbroken iPhones and iPads in future.

Instructions have been posted online for anyone who wants to remove the malware from their jailbroken iPhone by hand.

Which just leaves one more burning question. Why is the malware called “Unflod Baby Panda”?

The Unflod bit is simple – the malware incorporates a malicious file called Unflod.dylib (presumably a deliberate typo from “Unfold”).

And the “Baby Panda”? Well, that appears to have emerged from a Twitter conversation between Esser and fellow researcher Dino Dai Zovi about how to get some PR attention for the threat.

Clearly, security researchers have noticed the attention that Heartbleed received with a sexy name and a media-friendly graphic.

Of course, Apple doesn’t allow proper anti-virus software into the iOS App Store – which means that owners of non-jailbroken iPhones and iPads are stuffed when it comes to anti-virus protection. However, the good news is that Apple’s control-freakery has also made malware on such devices as rare as hen’s teeth.

So, if you want to scan your iPhone or iPad, you’ll need to install software that lets you access the files on your iDevice remotely so you can scan them with an anti-virus on your desktop or laptop computer.

By the way, if you want to see what some anti-virus products detect the malware as (should it pass through a desktop/laptop computer at least), check out VirusTotal.

None of them are calling the malware “Unflod Baby Panda” (Sorry Stefan).


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
