iOS malware YiSpecter: iPhones menaced by software nasty

This is what happens if you don't keep your phone up to date, says Apple


Updated The first iOS malware capable of attacking both non-jailbroken and jailbroken devices has surfaced online.

The mobile malware nasty YiSpecter hooks into private APIs in iOS 8 to perform malicious actions, and has been in the wild for at least 10 months, mostly in China and Taiwan, since November 2014 if not earlier.

YiSpecter uses a battery of unusual tricks to spread itself. Distribution tactics include hijacking of traffic from nationwide ISPs, a worm on Windows, and an offline app installation and a community promotion. Initially the malware spread by posing as a “private version” or “version 5.0” of a famous but discontinued media player QVOD that offered the ability to watch porn videos online. Spreading tactics have evolved towards greater sophistication and diversity.

YiSpecter consists of four different components that are signed with enterprise certificates, according to security researchers at Palo Alto Networks, who add that the malware uses a variety of tricks to hide its presence on compromised systems, such as the use of the same name and logos as system apps and hiding their icons from iOS’s SpringBoard, which prevents the user from finding and deleting them. Once installed the malware mounts a variety of cybercrime scams, as detailed in a blog post by Palo Alto Networks.

On infected iOS devices, YiSpecter can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information to the C2 [command and control] server.

Whether an iPhone is jailbroken or not, the malware can be successfully downloaded and installed. Experience from victims suggests that even if you manually delete the malware, it will automatically re-appear. Manually removing YiSpecter is tricky but possible, according to Palo Alto, which has published some instructions.

iOS had remained (almost) malware-free for years. However YiSpecter is the latest of a relatively small but growing collection of malware families to target iOS devices. WireLurker previously demonstrated the ability to infected non-jailbroken iOS devices by abusing enterprise certificates. Academic researchers have discussed how private APIs can be used to implement sensitive functionalities in iOS. YiSpecter is the first real world iOS malware that combines these two attack techniques, according to Palo Alto.

Palo Alto Networks has released IPS (intrusion prevention system) and DNS signatures to block YiSpecter’s malicious traffic. Apple has also been notified about the outbreak.

Last month Palo alto warned of an OS X and iOS malware named XcodeGhost. Developers who relied on this malicious version of Apple’s Xcode developer tool produced apps with a built-in backdoor. Again the issue was largely confined to China but security researchers reckon the two problems are NOT related.

“While YiSpecter and XcodeGhost both attacked non-jailbroken iOS devices, they are not related to each other,” Palo Alto said. “We believe that YiSpecter and XcodeGhost were developed by different attackers and there is no evidence of cooperation between the two developers so far.”

If anything, YiSpecter poses a greater risk to iPhone and iPad (fondleslab) security.

“The world where only jailbroken iOS devices were threatened by malware is a thing of the past,” Palo Alto concludes. “WireLurker proved that non-jailbroken iOS devices can also be infected through abuse of the enterprise distribution mechanism. YiSpecter further shows us that this technique is being used to infect many iOS devices in the wild.”

“The key techniques deployed in YiSpecter are bypassing App Store reviews using enterprise distribution and abusing iOS private APIs to perform sensitive operations,” it adds. ®

Updated to add

Apple claims the security vulnerabilities exploited by YiSpecter were fixed in iOS 8.4 and higher – so up-to-date devices should be safe from the malware found in the wild. Slowcoaches who never got round to upgrading for one reason or another are at risk.

"This issue only impacts users on older versions of iOS who have also downloaded malware from untrusted sources," Apple told pro-Cupertino blog The Loop.

"We addressed this specific issue in iOS 8.4 and we have also blocked the identified apps that distribute this malware. We encourage customers to stay current with the latest version of iOS for the latest security updates. We also encourage them to only download from trusted sources like the App Store and pay attention to any warnings as they download apps.”


Other stories you might like

  • Saved by the Bill: What if... Microsoft had killed Windows 95?

    Now this looks like a job for me, 'cos we need a little, controversy... 'Cos it feels so NT, without me

    Veteran Microsoft vice president, Brad Silverberg, has paid tribute to former Microsoft boss Bill Gates for saving Windows 95 from the clutches of the Redmond Axe-swinger.

    Silverberg posted his comment in a Twitter exchange started by Fast co-founder Allison Barr Allen regarding somebody who'd changed your life. Silverberg responded "Bill Gates" and, in response to a question from senior cybersecurity professional and director at Microsoft, Ashanka Iddya, explained Gates' role in Windows 95's survival.

    Continue reading
  • UK government opens consultation on medic-style register for Brit infosec pros

    Are you competent? Ethical? Welcome to UKCSC's new list

    Frustrated at lack of activity from the "standard setting" UK Cyber Security Council, the government wants to pass new laws making it into the statutory regulator of the UK infosec trade.

    Government plans, quietly announced in a consultation document issued last week, include a formal register of infosec practitioners – meaning security specialists could be struck off or barred from working if they don't meet "competence and ethical requirements."

    The proposed setup sounds very similar to the General Medical Council and its register of doctors allowed to practice medicine in the UK.

    Continue reading
  • Microsoft's do-it-all IDE Visual Studio 2022 came out late last year. How good is it really?

    Top request from devs? A Linux version

    Review Visual Studio goes back a long way. Microsoft always had its own programming languages and tools, beginning with Microsoft Basic in 1975 and Microsoft C 1.0 in 1983.

    The Visual Studio idea came from two main sources. In the early days, Windows applications were coded and compiled using MS-DOS, and there was a MS-DOS IDE called Programmer's Workbench (PWB, first released 1989). The company also came up Visual Basic (VB, first released 1991), which unlike Microsoft C++ had a Windows IDE. Perhaps inspired by VB, Microsoft delivered Visual C++ 1.0 in 1993, replacing the little-used PWB. Visual Studio itself was introduced in 1997, though it was more of a bundle of different Windows development tools initially. The first Visual Studio to integrate C++ and Visual Basic (in .NET guise) development into the same IDE was Visual Studio .NET in 2002, 20 years ago, and this perhaps is the true ancestor of today's IDE.

    A big change in VS 2022, released November, is that it is the first version where the IDE itself runs as a 64-bit process. The advantage is that it has access to more than 4GB memory in the devenv process, this being the shell of the IDE, though of course it is still possible to compile 32-bit applications. The main benefit is for large solutions comprising hundreds of projects. Although a substantial change, it is transparent to developers and from what we can tell, has been a beneficial change.

    Continue reading
  • James Webb Space Telescope has arrived at its new home – an orbit almost a million miles from Earth

    Funnily enough, that's where we want to be right now, too

    The James Webb Space Telescope, the largest and most complex space observatory built by NASA, has reached its final destination: L2, the second Sun-Earth Lagrange point, an orbit located about a million miles away.

    Mission control sent instructions to fire the telescope's thrusters at 1400 EST (1900 UTC) on Monday. The small boost increased its speed by about 3.6 miles per hour to send it to L2, where it will orbit the Sun in line with Earth for the foreseeable future. It takes about 180 days to complete an L2 orbit, Amber Straughn, deputy project scientist for Webb Science Communications at NASA's Goddard Space Flight Center, said during a live briefing.

    "Webb, welcome home!" blurted NASA's Administrator Bill Nelson. "Congratulations to the team for all of their hard work ensuring Webb's safe arrival at L2 today. We're one step closer to uncovering the mysteries of the universe. And I can't wait to see Webb's first new views of the universe this summer."

    Continue reading
  • LG promises to make home appliance software upgradeable to take on new tasks

    Kids: empty the dishwasher! We can’t, Dad, it’s updating its OS to handle baked on grime from winter curries

    As the right to repair movement gathers pace, Korea’s LG has decided to make sure that its whitegoods can be upgraded.

    The company today announced a scheme called “Evolving Appliances For You.”

    The plan is sketchy: LG has outlined a scenario in which a customer who moves to a locale with climate markedly different to their previous home could use LG’s ThingQ app to upgrade their clothes dryer with new software that makes the appliance better suited to prevailing conditions and to the kind of fabrics you’d wear in a hotter or colder climes. The drier could also get new hardware to handle its new location. An image distributed by LG shows off the ability to change the tune a dryer plays after it finishes a load.

    Continue reading
  • IBM confirms new mainframe to arrive ‘late’ in first half of 2022

    Hybrid cloud is Big Blue's big bet, but big iron is predicted to bring a welcome revenue boost

    IBM has confirmed that a new model of its Z Series mainframes will arrive “late in the first half” of 2022 and emphasised the new device’s debut as a source of improved revenue for the company’s infrastructure business.

    CFO James Kavanaugh put the release on the roadmap during Big Blue’s Q4 2021 earnings call on Monday. The CFO suggested the new release will make a positive impact on IBM’s revenue, which came in at $16.7 billion for the quarter and $57.35bn for the year. The Q4 number was up 6.5 per cent year on year, the annual number was a $2.2bn jump.

    Kavanaugh mentioned the mainframe because revenue from the big iron was down four points in the quarter, a dip that Big Blue attributed to the fact that its last mainframe – the Z15 – emerged in 2019 and the sales cycle has naturally ebbed after eleven quarters of sales. But what a sales cycle it was: IBM says the Z15 has done better than its predecessor and seen shipments that can power more MIPS (Millions of Instructions Per Second) than in any previous program in the company’s history*.

    Continue reading

Biting the hand that feeds IT © 1998–2022