It’s not clear exactly how AppBuyer is being installed, but the group says it could be done a number of ways including through a malicious Cydia Substrate tweak or PC jailbreaking utility. Those infected complain of random apps periodically popping up on their devices.
AppBuyer is a Trojan program, set to execute three actions. First, it downloads an EXE file to generate a unique UUID, second it downloads a Cydia Substrate tweak to steal the user’s ID and password, and third, it downloads a utility to login to the App Store and buy apps.
As usual, in such critical situations, we recommend our users to stay away from any suspicious repositories that often carry pirated jailbreak tweaks and unknown packages..
You can also check your device (using iFile, iExplorer or other software) to see if it contains any of the AppBuyer files:
- /System/Library/LaunchDaemons/com.archive.plist
- /bin/updatesrv
- /tmp/updatesrv.log
- /etc/uuid
- /Library/MobileSubstrate/DynamicLibraries/aid.dylib
- /usr/bin/gzip
Palo Alto Networks says that since it hasn’t figured out how AppBuyer is loaded onto devices, deleting these files may not solve the problem completely. It does say, however, that it is working on ways to block the app, including the use of custom URL, DNS and IPS signatures.
