YiSpecter Malware Targets All iOS Devices: More than 100 Apps are Compromised
A new ad-based malware dubbed “YiSpecter” is infecting both jailbroken and non-jailbroken iPhones and iPads by abusing private APIs within the iOS system, a security firm has discovered.
Security firm Palo Alto Networks has uncovered a new malware that appears to originate from an advertising company in China. It infects iOS devices by downloading unwanted applications onto them without the owner’s consent.
The researchers wrote:
Whether an iPhone is jailbroken or not, the malware can be successfully downloaded and installed.
The full record of the discovery can be found in a blog post at Palo Alto Networks.
Somewhat strikingly, the malware has reportedly been in the wild for over ten months, and only 1 out of 57 security-scanning vendors at VirusTotal detects it.
Once installed on a device, YiSpecter can:
- Download, install and then run arbitrary applications
- Hijack other applications’ ability to display ads
- Change Safari’s (iOS’ default browser) search engine
- Upload critical device information to a command and control (C2) server
According to the security firm, the malware spreads by “unusual means”, such as:
- The hijacking of traffic from nationwide ISPs (in China and Taiwan)
- An SNS worm on Windows
- Offline app installation
- Community promotions
The YiSpecter malware is made up of four different components that are all signed by enterprise certificates. By abusing these enterprise certificates and private APIs, the components download onto the iOS device and install each other from a C2 server.
Palo Alto’s Claud Xiao states:
Even if you manually delete the malware, it will automatically re-appear.
YiSpecter is the first known iOS malware with the ability to infect both jailbroken and non-jailbroken devices by means of abusing private APIs and it “pushes the line barrier of iOS security back another step,” says Xiao.
The researcher points to recent investigations showing that the App Store contains over 100 applications that abuse private APIs. This essentially leaves all normal iOS users, including those who exclusively download apps from the App Store, exposed to the attack technique of abusing private APIs.
The security firm has notified Apple of the new malware.