How To: Find And Remove KeyRaider Malware From Your iPhone, Here’s The Step-By-Step Guide

Are you aware of the KeyRaider malware that is infecting jailbroken iOS devices? It is evidently spread through tweaks downloaded from less than reputable Cydia sources. Even if you have little sympathy for anyone caught out while pirating jailbreak tweaks, it isn’t fun to have your iOS device held to ransom by an attacker, and that is exactly what is happening to some of the users affected by KeyRaider.

iOS security researchers have recently uncovered a new piece of malware called “KeyRaider,” which steals the Apple IDs of those affected. Palo Alto Networks and WeipTech created a web tool that lets users enter their Apple ID email address to see whether it was among the compromised accounts. Better still, though, would be to check your device for the root of the problem, KeyRaider itself, and then remove it.

That is what a new jailbreak tweak, DylibSearch, makes possible. The app is currently in beta: it scans all of the .dylib files in an iOS device’s MobileSubstrate folder for known strings relating to KeyRaider, but it cannot yet delete them. First posted on Reddit, the app leaves the cleanup to you, the user, using a file manager such as iFile to delete the affected files. Still, it’s better than nothing, that’s for sure!

KeyRaider has reportedly spread across 18 countries through malicious code packed into pirated jailbreak apps distributed from untrustworthy third-party Cydia repositories.

Here are the steps you need to follow. First, install DylibSearch:

1. Add the following repository to Cydia:
2. Install DylibSearch and launch it.

Note: After the automatic scan, you will see a green checkmark next to files that are clean and a red cross next to those that are not, as in the screenshot below.

Second, if any file shows a red cross, your device is infected with KeyRaider. Make a note of those file names. Install a file manager such as iFile or Filza File Manager from Cydia, navigate to the /Library/MobileSubstrate/DynamicLibraries/ folder, find the files listed by DylibSearch and delete them.

To inspect a .dylib by hand instead, open it in the file manager’s hex viewer; you will see a lot of hex. Use the search bar at the top to look for the following known KeyRaider-related strings:

  • wushidou
  • gotoip4
  • bamu
  • getHanzi

Repeat this for each and every .dylib file in the directory. Once you have removed all the infected files, reboot your iOS device: do not just respring it, but power it off fully and then turn it back on.
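As an added example (not the DylibSearch tweak’s code or anything from the original article), the shell script below performs the same check from a terminal: it greps every .dylib in the MobileSubstrate directory for the four indicator strings listed above, which is handy if you have OpenSSH installed from Cydia and would rather work over SSH than page through a hex viewer. The fixture directory it builds with --demo is constructed sample data, not real malware, and the file names in it are made up.

```shell
#!/bin/sh
# keyraider_scan.sh: added example, not the DylibSearch tweak's code.
# Greps every .dylib in the MobileSubstrate tweak directory for the
# KeyRaider indicator strings named in the article, so the same check
# can be run over SSH on a jailbroken device instead of in a hex viewer.

# Indicator strings from the article (space-separated on purpose; the
# unquoted expansion below splits them into a list).
KEYRAIDER_IOCS="wushidou gotoip4 bamu getHanzi"

# Where MobileSubstrate loads tweaks from on a jailbroken device.
DYLIB_DIR="${DYLIB_DIR:-/Library/MobileSubstrate/DynamicLibraries}"

# scan_dylibs DIR
# Prints one line per .dylib in DIR: "INFECTED <file> (matched: ...)" or
# "ok <file>". Returns 1 if any file matched an indicator, 0 if all are clean.
scan_dylibs() {
    dir="$1"
    found=0
    for f in "$dir"/*.dylib; do
        [ -f "$f" ] || continue          # glob matched nothing, or not a regular file
        hits=""
        for ioc in $KEYRAIDER_IOCS; do
            # -a: treat the binary as text; -F: literal match; -q: status only.
            # LC_ALL=C keeps grep from choking on non-UTF-8 bytes.
            if LC_ALL=C grep -a -F -q -- "$ioc" "$f"; then
                hits="$hits $ioc"
            fi
        done
        if [ -n "$hits" ]; then
            printf 'INFECTED %s (matched:%s)\n' "$f" "$hits"
            found=1
        else
            printf 'ok %s\n' "$f"
        fi
    done
    return "$found"
}

# make_sample_dir
# Builds a constructed fixture directory (NOT real malware) so the scanner can
# be exercised offline, and prints its path. The file names are hypothetical.
make_sample_dir() {
    d=$(mktemp -d)
    # "Clean" tweak: 64-bit Mach-O magic (cf fa ed fe) plus a harmless string.
    printf '\317\372\355\376\000\000\000\000Harmless tweak\000' > "$d/Clean.dylib"
    # "Infected" tweak: binary padding around two of the indicator strings.
    printf '\317\372\355\376\001\002\003\004wushidou\000\377\376gotoip4\000' > "$d/Suspect.dylib"
    # Indicator in a non-.dylib file: must be ignored by the *.dylib glob.
    printf 'bamu' > "$d/Suspect.plist"
    echo "$d"
}

# Usage:  sh keyraider_scan.sh          scan the real MobileSubstrate directory
#         sh keyraider_scan.sh --demo   scan the constructed fixtures instead
if [ "${1:-}" = "--demo" ]; then
    target=$(make_sample_dir)
elif [ -d "$DYLIB_DIR" ]; then
    target="$DYLIB_DIR"
else
    target=""
fi
if [ -n "$target" ]; then
    scan_dylibs "$target" || echo "KeyRaider indicators found: delete the INFECTED files with iFile/Filza or rm, then power the device off and back on."
fi
```

The script only reports; as with DylibSearch, deleting the flagged files is left to you, so that a false positive (a legitimate tweak that happens to contain one of these strings) never gets removed without a human looking at it first.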

The tweak’s developer has also made its source code available, should you want to poke around. Since KeyRaider harvests Apple ID credentials, change your Apple ID password once the device is clean. And remember to keep yourself safe: it’s a jungle out there.