App stores that once distributed the rootkit malware used by ZNIU, the first malware family to exploit the Dirty COWvulnerability, are now distributing a new iXintpwn/YJSNPI variant.
Previous iXintpwn/YJSNPI variants target iOS platforms and rendered the devices unresponsive by overflowing it with icons.
Trend Micro researchers said the latest threat comes in the form of an unsigned profile that crashes the standard application that manages the iOS home screen and exploits certain features to make the malware more difficult to uninstall, according to a 2 November blog post.
The most recent version uses a signed profile to conduct different attacks compared to its predecessor and the malware itself is extracted from one the two app stores. The new variant's main purpose is not to damage a user's operating system but instead to trick the user into downloading repackaged apps, or legitimate apps that have been trojanised.
“If users access the app stores, the signed .mobileconfig file, which is an iOS configuration profile, will be downloaded to the device,” the post said. “An iOS configuration profile enables developers to streamline the settings of a huge number of devices, including email and exchange, network, and certificates.”
The .mobileconfig file contains four irremovable icons that will appear on the home screen which are actually web clips that appear as app icons. When clicked, the apps take a user directly to one of two app stores were the trojanised apps can be downloaded.
The malicious app stores can also be accessed from PC and Android devices, however if a user downloads apps from either of the stores, It may evoke a different response. Mac and Windows users won't be affected as all the apps in the malicious store will fail to install on their devices, researchers said.
Researchers advise users to only download from trusted app stores as well as to avoid repackaged apps as they may be trojanised to leak information and or exploit user devices.