Is Your Device Compromised by KeyRaider Malware? How to Fix Your Jailbroken Phone

One of the downsides to jailbreaking your devices is the potential for extra security vulnerability. In September, it was revealed that nearly 225,000 jailbreak users were victims of a security breach. The KeyRaider Malware stole iCloud account details such as email addresses and passwords.

The KeyRaider malware can impact your device in the following ways:

  • Stealing usernames and passwords from jailbroken Apple devices
  • Stealing your device’s unique identifier (known as GUID)
  • Stealing App Store purchase information
  • Locking the device and holding it for ransom

Researchers at Palo Alto Networks revealed the malware was delivered through a third-party repository for Cydia – the App Store for jailbroken iPhones. Palo Alto Networks said it was the largest theft of Apple user information executed with malware.

Now that we know the KeyRaider malware is really bad, let’s discuss how to stop it.

Removing KeyRaider


To find out whether KeyRaider has infected your iOS device, perform the following tasks:

  1. Search Cydia for Filza File Manager and install. Although some people have installed Open SSH on the iPhone rather than Filza, Filza is faster and safer. Open SSH is a common way hackers access your phone.
  2. Open the app and navigate to /Library/MobileSubstrate/DynamicLibraries/
  3. Select the first file ending in .dylib.
  4. Once inside the .dylib file, there will be lots of hex code. Use the search bar at the top to look for the following keywords:
  • wushidou
  • gotoip4
  • bamu
  • getHanzi

If you discover any of those keywords, you have a device infected by KeyRaider. To clean your device, the file needs to be deleted, along with its corresponding .plist (which has the same name). That is the tweak which has actually infiltrated your device.

Reddit user Flu17 says “You must perform these steps for each and every .dylib file in the [/DynamicLibraries/] directory. Once you have cleared out the necessary files, reboot your device. Do not respring. Turn it off fully, then turn it on again.”

After you remove all the files and then restart the device, the KeyRaider malware will be gone. Then you need to monitor your accounts for any unusual purchases. Since your device was compromised, the malware already exposed your data. Be sure to change your password.

The solution is produced in part by WeipTech, a Weiphone Tech Team. WeipTech is a startup consisting of users from Weiphone, which is one of the largest Apple fans websites in China. RedditFlu17’s thread and the corresponding comments are a good resource for anyone with an infected device.

Preventing an Attack

Most people who were affected by KeyRaider live in China, but users around the world have reported finding the malware. In order to be safe from similar attacks, you can take steps to lower your risk.

First, enable 2 Factor Authentication for your iCloud Account. This will prevent someone from accessing your iCloud account even if they already know your userid and password. Second, be very careful about adding third-party repositories to Cydia. Third, avoid installing jailbreak tweaks from sources that do not appear to be known and trustworthy. Fourth, avoid pirating tweaks and apps.

You May Also Like

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>