Symantec Spots Worm Targeting Jailbroken Apple iPhones

Updated: Symantec uncovers a new worm targeting jailbroken iPhones. Unlike the Ikee worm that appeared earlier in November, this worm can be used to steal data.

Researchers at Symantec have uncovered another worm aimed at jailbroken iPhones.

Like the well-publicized Ikee worm, the recently discovered malware targets jailbroken iPhones running SSH (Secure Shell) and using the default password of "alpine." However, unlike Ikee, which merely changed victims' iPhone backgrounds to a picture of 1980s pop singer Rick Astley, this worm can reportedly steal data and allow an attacker to take control of the smartphone.

"Unlike the first iPhone worm, this one appears to cover a much broader range of IP addresses, including UPC in the Netherlands, Optus in Australia, possibly a Hungarian and a Portuguese provider, T-Mobile and potentially many others," blogged Symantec researcher John McDonald. "And although this particular incarnation seems to be very similar in functionality to the hack tool we blogged about, this one supposedly runs and spreads directly from an infected iPhone, not from a computer."

Jailbreaking iPhones has been discouraged by Apple, but has evolved into a well-known practice over the years for people wanting to install third-party applications not approved by Apple. Security researchers have long warned that those doing so and running SSH should take care to change the default password to avoid the possibility of a compromise.

A number of high-profile security incidents in November have helped bring that point home. The first came courtesy of a Dutch teenager who tried to make use of the default password issue to take control of users' phones and hold them for ransom. Shortly after that came the Ikee worm, which was then followed by the release of an attack tool that could be used to steal data off of the iPhone.

According to Mac security company Intego, the new worm starts by searching its local network, as well as a number of IP address ranges, for vulnerable devices. Once it is active on an iPhone, the worm changes the root password for the device in order to prevent users from later changing the password themselves. It then connects to a server in Lithuania from which it downloads new files and data. It also sends data swiped from the iPhone to the server.

"The worm sends both network information about the iPhone and SMSes [Short Message Service] to the remote server ... [and] also gives each infected iPhone a unique identifier ... to be able to reconnect easily to any iPhones on which valuable information is found, but also to ensure that only infected iPhones can connect to the server," Intego stated in an advisory Nov. 23. "Finally, it changes an entry in the iPhones/etc/hosts file for a Dutch bank Website, to lead Dutch users who connect to this bank site to a bogus site, [presumably] to harvest user names and passwords."

Symantec detects the worm as iPhoneOS.Ikee.B; Intego as iPhone/iBotnet.A on iPhones it can scan from Macs with its Intego VirusBarrier X5 software installed. Users can also remove the malware by wiping the device and restoring it via iTunes.

"After all the fuss caused by the previous incidents it's hard to believe anyone would have left their jailbroken iPhone in a vulnerable state, but if you think your iPhone (or iPod Touch) may have been compromised, or if you have jailbroken your device and are worried about it, we recommend that you back up your data, then restore your device to its factory settings and where applicable apply the latest firmware update from Apple," McDonald wrote. "We also highly recommend you never leave a password blank, or as the factory default."

Editor's Note: This story was updated to include information from Intego.