Updated The first iOS malware capable of attacking both non-jailbroken and jailbroken devices has surfaced online.
The mobile malware nasty YiSpecter hooks into private APIs in iOS 8 to perform malicious actions, and has been in the wild for at least 10 months, mostly in China and Taiwan, since November 2014 if not earlier.
YiSpecter uses a battery of unusual tricks to spread itself. Distribution tactics include hijacking of traffic from nationwide ISPs, a worm on Windows, and an offline app installation and a community promotion. Initially the malware spread by posing as a “private version” or “version 5.0” of a famous but discontinued media player QVOD that offered the ability to watch porn videos online. Spreading tactics have evolved towards greater sophistication and diversity.
YiSpecter consists of four different components that are signed with enterprise certificates, according to security researchers at Palo Alto Networks, who add that the malware uses a variety of tricks to hide its presence on compromised systems, such as the use of the same name and logos as system apps and hiding their icons from iOS’s SpringBoard, which prevents the user from finding and deleting them. Once installed the malware mounts a variety of cybercrime scams, as detailed in a blog post by Palo Alto Networks.
On infected iOS devices, YiSpecter can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information to the C2 [command and control] server.
Whether an iPhone is jailbroken or not, the malware can be successfully downloaded and installed. Experience from victims suggests that even if you manually delete the malware, it will automatically re-appear. Manually removing YiSpecter is tricky but possible, according to Palo Alto, which has published some instructions.
iOS had remained (almost) malware-free for years. However YiSpecter is the latest of a relatively small but growing collection of malware families to target iOS devices. WireLurker previously demonstrated the ability to infected non-jailbroken iOS devices by abusing enterprise certificates. Academic researchers have discussed how private APIs can be used to implement sensitive functionalities in iOS. YiSpecter is the first real world iOS malware that combines these two attack techniques, according to Palo Alto.
Palo Alto Networks has released IPS (intrusion prevention system) and DNS signatures to block YiSpecter’s malicious traffic. Apple has also been notified about the outbreak.
Last month Palo alto warned of an OS X and iOS malware named XcodeGhost. Developers who relied on this malicious version of Apple’s Xcode developer tool produced apps with a built-in backdoor. Again the issue was largely confined to China but security researchers reckon the two problems are NOT related.
“While YiSpecter and XcodeGhost both attacked non-jailbroken iOS devices, they are not related to each other,” Palo Alto said. “We believe that YiSpecter and XcodeGhost were developed by different attackers and there is no evidence of cooperation between the two developers so far.”
If anything, YiSpecter poses a greater risk to iPhone and iPad (fondleslab) security.
“The world where only jailbroken iOS devices were threatened by malware is a thing of the past,” Palo Alto concludes. “WireLurker proved that non-jailbroken iOS devices can also be infected through abuse of the enterprise distribution mechanism. YiSpecter further shows us that this technique is being used to infect many iOS devices in the wild.”
“The key techniques deployed in YiSpecter are bypassing App Store reviews using enterprise distribution and abusing iOS private APIs to perform sensitive operations,” it adds. ®
Updated to add
Apple claims the security vulnerabilities exploited by YiSpecter were fixed in iOS 8.4 and higher – so up-to-date devices should be safe from the malware found in the wild. Slowcoaches who never got round to upgrading for one reason or another are at risk.
"This issue only impacts users on older versions of iOS who have also downloaded malware from untrusted sources," Apple told pro-Cupertino blog The Loop.
"We addressed this specific issue in iOS 8.4 and we have also blocked the identified apps that distribute this malware. We encourage customers to stay current with the latest version of iOS for the latest security updates. We also encourage them to only download from trusted sources like the App Store and pay attention to any warnings as they download apps.”