Updated: YiSpecter malware targets non-jailbroken iOS devices
iPhone malware around for ten months and over 100 apps compromised

The latest malware to affect iPhones and iPads appears to target non-jailbroken iOS devices, according to security researchers.

The YiSpecter malware was discovered by cyber-security company Palo Alto Networks. The firm said it was the first malware it had found that “abuses private APIs in the iOS system to implement malicious functionalities”.

At present the malware is affecting iOS users in mainland China and Taiwan, and it spreads via methods such as the hijacking of traffic from nationwide ISPs, an SNS worm on Windows, offline app installation and community promotion.

The malware appears to have been active for 10 months, initially distributed via a porn app. Once it infects an iPhone, it will download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps' execution to display advertisements, change Safari's default search engine, bookmarks and opened pages, and upload device information to an attacker's server.

The malware consists of four components that download and install each other. Security researcher Claud Xiao said in a blog post that this represents a new level of threat because it abuses private APIs to do so. It also uses enterprise certificates to appear legitimate, and it infects jailbroken and non-jailbroken iPhones alike.

“YiSpecter is the first real world iOS malware that combines these two attack techniques and causes harm to a wider range of users. It pushes the line barrier of iOS security back another step,” he said. “Even if you manually delete the malware, it will automatically re-appear.”

Three of the components hide their icons from iOS SpringBoard (the app that runs the iOS home screens). They also disguise themselves with the names and logos of other apps to avoid detection.

Research carried out by the firm found that over 100 apps in the App Store have abused private APIs and bypassed Apple's strict code review.

“What that means is the attacking technique of abusing private APIs can also be used separately and can affect all normal iOS users who only download apps from the App Store,” warned Xiao.

The firm has released IPS and DNS signatures to block YiSpecter's malicious traffic. The blog also details how the malware can be removed from a device.

Mark James, security specialist at IT security firm ESET, told SCMagazineUK.com that the enterprise-certificate delivery method is often used for distributing business apps that are not available on the App Store but that a business may need or use.

“The big safety bubble around iOS and iPhones may be starting to break down but you can still take measures to protect yourselves by only downloading apps from the official store and checking with your IT team if you need to download any apps from any other sources,” he said.

James said the malware was worse than WireLurker because it combines more techniques for infecting an iPhone, thus enabling a much wider range of targets. “The use of private APIs enables the malware to gain control of already installed apps and users who previously thought they were safe,” he added.

Gavin Reid, VP of threat intelligence at Lancope, told SCMagazineUK.com that a malicious mobile advertising company looks to be behind the attack. “The main functionality would be to gather user information and send targeted and unasked for ads,” he said.

Reid urged organisations to check network traffic to the known command-and-control servers to verify whether any users are impacted. “Never ever download iOS applications from sources other than the app store,” he added.
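Reid's advice above (check traffic to the known command-and-control servers) and the DNS signatures mentioned earlier suggest a simple triage step that is not part of the article: match DNS query logs against a watchlist of C2 domains and report which clients resolved them. The following is an added example, not code from the article or from Palo Alto Networks. The log format, the client addresses and the watchlist domains are all constructed placeholders; the real indicators are the ones published by the vendor and would be substituted for `C2_WATCHLIST`. The matcher treats a watchlisted name and any of its subdomains as a hit, but respects label boundaries so that a name that merely ends with the same characters does not match.

```python
"""DNS-query log triage against a C2 watchlist (added example, not the article's code).

The watchlist entries and log lines below are constructed placeholders.
"""
import re
from collections import defaultdict

# Placeholder watchlist: NOT real YiSpecter indicators. Replace with the published IoCs.
C2_WATCHLIST = ("c2-placeholder-1.example", "c2-placeholder-2.example")

# Constructed sample log in a simple "<timestamp> <client> <qname> <qtype>" format.
# Includes: a subdomain hit, a bare-domain hit, a near-miss that shares a suffix
# but not a label boundary, an upper-case/trailing-dot variant, and a malformed entry.
SAMPLE_LOG = """\
2015-10-05T09:12:01Z 10.0.0.12 www.example.com A
2015-10-05T09:12:04Z 10.0.0.12 api.c2-placeholder-1.example A
2015-10-05T09:13:10Z 10.0.0.31 c2-placeholder-2.example AAAA
2015-10-05T09:13:11Z 10.0.0.31 notc2-placeholder-2.example A
2015-10-05T09:14:00Z 10.0.0.12 C2-PLACEHOLDER-1.EXAMPLE. A
malformed entry
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def normalise(name):
    """Lower-case a DNS name and drop a trailing root dot so comparisons are stable."""
    return name.rstrip(".").lower()


def matches_watchlist(qname, watchlist=C2_WATCHLIST):
    """Return the watchlist entry that qname equals or is a subdomain of, else None.

    The '.' prefix on the suffix check enforces a label boundary, so
    'notc2-placeholder-2.example' does not match 'c2-placeholder-2.example'.
    """
    q = normalise(qname)
    for entry in watchlist:
        bad = normalise(entry)
        if q == bad or q.endswith("." + bad):
            return bad
    return None


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype}


def find_impacted_clients(log_text, watchlist=C2_WATCHLIST):
    """Group watchlist hits by client address.

    Returns (hits, skipped): hits maps client -> list of (timestamp, queried name,
    matched watchlist entry); skipped counts lines that could not be parsed, so an
    analyst can see that nothing was silently dropped.
    """
    hits = defaultdict(list)
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        matched = matches_watchlist(rec["qname"], watchlist)
        if matched:
            hits[rec["client"]].append((rec["ts"], normalise(rec["qname"]), matched))
    return dict(hits), skipped


if __name__ == "__main__":
    found, bad_lines = find_impacted_clients(SAMPLE_LOG)
    for client, events in sorted(found.items()):
        for ts, qname, entry in events:
            print(f"{client} resolved {qname} (watchlist: {entry}) at {ts}")
    print(f"{bad_lines} unparseable line(s) skipped")
```

In practice the same function would be fed the resolver's query log export rather than the embedded sample, and the returned client list is the set of devices to examine and, per Reed's advice later in the article, to consider wiping.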

Thomas Reed, Director of Mac Offerings at Malwarebytes, told SCMagazineUK.com that although the specific behaviours of this malware are fairly unusual, it is still no more able to install itself invisibly than any other iOS malware to date. “It's signed with an enterprise provisioning profile, so the user must accept its installation,” he said.

He added that two aspects of this are concerning. “One is the difficulty of removing the malware - I'd recommend a full factory reset of the phone to be 100 per cent sure everything is wiped.”

“Second is the wide variety of ways this malware has been spread, including incentives to get repair techs and the like to install it on phones they "fix," and the hacking of ISP-injected advertising,” he added.

He said that these techniques are not likely to spread to places like North America or Western Europe, where tight controls are in place to prevent this type of activity. “Still, that's of no help to people in China who are affected by this,” warned Reed.

“Unfortunately, this attack is complicated by the fact that there's no anti-malware software for iOS, and no way for any software to scan iOS due to sandboxing restrictions.”

Winston Bond, European technical manager at Arxan, told SCMagazineUK.com that the fact that YiSpecter is targeting non-jailbroken iOS devices might shake up convictions that Apple, or indeed any other vendor, can be relied on to look after you. “The longstanding assumption has tended to be that users who stick to terms of service and don't jailbreak their devices can count on being protected,” he said.

“Developers need to ensure their apps can look after themselves and protect user data from hackers who are becoming increasingly inventive in finding flaws. Along with the recent XcodeGhost attack, YiSpecter proves that there is no such thing as guaranteed third-party protection. Advanced security measures such as application code hardening and white box cryptography should be used as standard during development to protect applications from malicious attacks.”
