Jailbreak tweaks are known to improve the performance and features of jailbroken iOS devices, and some tweaks help improve the security of the device too. But how would you react if a tweak reduced your battery life and installed a trojan on the device, compromising its security? If you thought such a thing had never happened in the jailbreaking community and that you need not be careful when choosing Cydia tweaks, think again.
Image : Trojan Alert on Cydia
A jailbreak tweak on Cydia has recently made news for containing a trojan. The tweak, named Lock Saver Free, was available on the ModMyi repo and was supposed to work by turning off power-hogging features while the iOS device was locked. What came as a surprise was that the tweak contained a trojan which remains on the device even after the tweak is removed.
The trojan steals revenue generated on devices that have the tweak installed. It does this by hooking itself onto Google's AdMob banners. When a user installs the tweak, the trojan files are copied to /Library/MobileSubstrate/DynamicLibraries/. The tweak has also been found collecting UDIDs and sending them to a remote server.
Image : Codes running on Cydia
For those who were lucky enough not to come across this tweak, the package has fortunately been taken down from the ModMyi repo. If you have already downloaded and installed the package on your device, it is highly recommended that you uninstall it immediately from Cydia. As stated above, uninstalling the tweak does not remove the malware. The two malicious files left behind by the tweak are named Service.plist and Service.dylib. Use iFile to go to /Library/MobileSubstrate/DynamicLibraries/ and delete these files so that the trojan is removed from your device permanently.
Developer Alan Kerr has mentioned on Twitter that this malicious tweak installs the Service.dylib file at runtime and thus makes the directory /Library/MobileSubstrate/DynamicLibraries/ writable.
This happens because of the Service.dylib file, which changes the directory's permission to 777 so that all users and groups can write to it. So remember to change the directory's permission back to 755 with iFile. This will prevent any unauthorized installation of files in that directory.
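The same cleanup can be done from a root shell instead of iFile. The script below is an added example, not code from the original article or from any tool it mentions; it assumes a POSIX shell with `stat`, `rm` and `chmod` is available on the device, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit and clean up the Lock Saver Free leftovers described above.
# The default path and the two file names are the ones given in the article.
# Pass a different directory as the first argument to try it on a test folder.

SUBSTRATE_DIR="/Library/MobileSubstrate/DynamicLibraries"

# Print the octal permission bits of a path (GNU/busybox stat first, then BSD stat).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_dir [DIR]: report the leftover files and a non-755 directory mode.
# Returns 0 when the directory is clean, 1 when anything was found.
audit_dir() {
    dir="${1:-$SUBSTRATE_DIR}"
    found=0
    for f in Service.plist Service.dylib; do
        if [ -e "$dir/$f" ]; then
            echo "FOUND leftover: $dir/$f"
            found=1
        fi
    done
    mode="$(perm_of "$dir")"
    if [ "$mode" != "755" ]; then
        echo "WARN: $dir has mode $mode, expected 755"
        found=1
    fi
    return $found
}

# remediate_dir [DIR]: delete only the two named files and restore mode 755.
# Other tweaks' files in the directory are left untouched.
remediate_dir() {
    dir="${1:-$SUBSTRATE_DIR}"
    rm -f "$dir/Service.plist" "$dir/Service.dylib"
    chmod 755 "$dir"
}
```

Source the file, run `audit_dir` to see what is present, then `remediate_dir` followed by a second `audit_dir` to confirm the directory is clean. The package itself still has to be uninstalled from Cydia first.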
The biggest question in this incident concerns the repository where the tweak was hosted. It is a real surprise that a trojan-laden tweak slipped so easily through the review process of the ModMyi repo and became openly available to Cydia users. So if you have installed Lock Saver Free, uninstall the package from Cydia now and delete the two malicious files mentioned above from that directory. As a matter of caution, it is recommended that you stay away from all future packages released by dmarinov/Dimitar Marinov, the developer of Lock Saver Free.