Updated: YiSpecter malware targets non-jailbroken iOS devices

The latest malware to affect iPhones and iPads appears totarget non-jailbroken iOS devices, according to security researchers.

The YiSpecter malware was discovered by cyber-securitycompany Palo Alto Networks. The firm said it was the first malware it had foundthat “abuses private APIs in the iOS system to implement maliciousfunctionalities”.

At present the malware is affecting iOS users in mainlandChina and Taiwan and spreads via methods such as the hijacking of trafficfrom nationwide ISPs, an SNS worm on Windows, and an offline app installationand community promotion.

The malware appears to have been active for 10 monthsinitially made available via a porn app. Once it infects an iPhone, it will download,install and launch arbitrary iOS apps, replace existing apps with those itdownloads, hijack other apps' execution to display advertisements, changeSafari's default search engine, bookmarks and opened pages, and upload deviceinformation to an attacker's server.

The malware consists of four components that download andinstall each other. Security researcher Claude Xiao said in a blogthat this represents a new level of threat as it abuses private APIs to do so. Italso uses enterprise certificates to appear legitimate, as well as infectingjailbroken and non-jailbroken iPhones alike.

“YiSpecter is the first real world iOS malware that combinesthese two attack techniques and causes harm to a wider range of users. Itpushes the line barrier of iOS security back another step,” he said. “Even ifyou manually delete the malware, it will automatically re-appear.”

Three components hide icons from iOS Springboard (the appthat runs the iOS home screens). It even disguises itself with names and logosof other apps to avoid detection.

Research carried out by the firmfound that over 100 apps in the App Store have abused private APIs and bypassedApple's strict code review.

“What that means is the attackingtechnique of abusing private APIs can also be used separately and can affectall normal iOS users who only download apps from the App Store,” warned Xiao.

The firm has released IPS and DNSsignatures to block YiSpecter's malicious traffic. The blog also detailshow the malware can be removed from a device.

Mark James, security specialist atIT Security Firm ESET, told SCMagazineUK.comthat the delivery method is often used for delivering business apps notavailable on the app store that your business may need or use.

“The big safety bubble around iOSand iPhones may be starting to break down but you can still take measures toprotect yourselves by only downloading apps from the official store andchecking with your IT team if you need to download any apps from any othersources,” he said.

James said the malware was worsethat WireLurker as it combines more techniques for infecting your iPhone, thusenabling a much wider range of targets. “The use of private APIs enables themalware to gain control of already installed apps and users who previouslythought they were safe,” he added.

Gavin Reid, VP of threatintelligence at Lancope, told SCMagazineUK.comthat a maliciousmobile advertising company looks to be behind the attack. “The mainfunctionality would be to gather user information and send targeted and unaskedfor ads,” he said.

Reid urged organisations to check networktraffic to the known command and controls to verify if any users are impacted. “Never ever download IOS applications from sources other than the appstore,” he added.

Thomas Reed, Director of Mac Offerings atMalwarebytes, told SCMagazineUK.comthatalthough the specific behaviours of this malware are fairly unique, it still isno more able to install itself invisibly than any other iOS malware to-date. “It'ssigned with an enterprise provisioning profile, so the user must accept itsinstallation,” he said.

He added that two aspects of this areconcerning. “One is the difficulty of removing the malware - I'd recommend afull factory reset of the phone to be 100 per cent sure everything is wiped.”

“Second is the wide variety of ways thismalware has been spread, including incentives to get repair techs and the liketo install it on phones they "fix," and the hacking of ISP-injectedadvertising,” he added.

He said that these techniques are not likelyto spread to places like north America or western Europe, where tight controlsare in place to prevent this type of activity. “Still, that's of no help topeople in China who are affected by this,” warned Reed.

“Unfortunately, this attack is complicated bythe fact that there's no anti-malware software for iOS, and no way for anysoftware to scan iOS due to sandboxing restrictions.”

Winston Bond, European technical managerat Arxan, told SCMagazineUK.comthat the factthat YiSpecter is targeting non-jailbroken iOS devices might shake up convictionsthat Apple, or indeed any other vendor, can be relied on to look after you. “Thelongstanding assumption has tended to be that users who stick to terms ofservice and don't jailbreak their devices can count on being protected,” hesaid.

“Developers need to ensure their apps can lookafter themselves and protect user data from hackers who are becomingincreasingly inventive in finding flaws. Along with the recent XcodeGhostattack, YiSpecter proves that there is no such thing as guaranteed third-partyprotection. Advanced security measures such as application code hardening andwhite box cryptography should be used as standard during development to protectapplications from malicious attacks.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.