Palo Alto Networks, a cybersecurity firm, has identified a new iOS malware family, which it calls YiSpecter, that infects devices running Apple's iOS by abusing private APIs. Most affected users are in China and Taiwan.
YiSpecter attacks both jailbroken and non-jailbroken devices; Palo Alto Networks describes it as the first iOS malware seen in the wild that abuses private APIs to implement its malicious functionality. Once a device is infected, YiSpecter can download and install arbitrary apps, replace legitimate apps with unwanted ones, force other apps to display full-screen ads, change the bookmarks and default search engine in Safari, and upload user information to its server. It also reinstalls itself after the user deletes it from the device.
The malware spreads via hijacking of traffic from national ISPs, an SNS worm on Windows, offline app installation, and community promotion. It has been circulating for over ten months, and at the time of the report only one of the 57 security vendors on VirusTotal detected it.
YiSpecter is made up of four separate components, all signed with enterprise certificates. By abusing private APIs, these components download and install each other from a command and control (C2) server. Three of the components hide their icons from iOS's SpringBoard, which prevents the user from finding and removing them, and the components reuse the names and logos of system apps so that even experienced iOS users are unlikely to notice them. The malware exhibits other characteristics which include:
- The malware can be downloaded and installed whether or not the iPhone is jailbroken.
- The malware reappears even if it is manually deleted.
- Inspecting the device with a third-party management tool exposes additional, unexpected "system apps" on infected phones.
YiSpecter first spread by masquerading as a free porn app. It then reached more iPhones through ISP traffic hijacking, a Windows worm that previously attacked QQ, and online communities where users install third-party apps in exchange for promotion fees paid by developers.
The previous month, another malware, XcodeGhost, infected almost 40 popular apps in the Chinese App Store, which is surprising given that Apple heavily scrutinizes apps before they reach the store. Although both campaigns are unusual, Palo Alto Networks says there is no evidence that the two are related.
Apple Addresses The Issue
Apple responded to this malware issue shortly after Palo Alto Networks reported it to them. This is what they stated:
“This issue only impacts users on older versions of iOS who have also downloaded malware from untrusted sources. We addressed this specific issue in iOS 8.4 and we have also blocked the identified apps that distribute this malware. We encourage customers to stay current with the latest version of iOS for the latest security updates. We also encourage them to only download from trusted sources like the App Store and pay attention to any warnings as they download apps.”
Prevention and Removal of YiSpecter
Palo Alto Networks has released IPS and DNS signatures through its threat prevention product to detect and block malicious traffic related to YiSpecter. To remove the malware, take the following steps:
- Go to Settings > General > Profiles and remove all unknown or untrusted profiles.
- If there are any apps named “情涩播放器”, “快播私密版” or “快播0”, delete them.
- Use iFunbox or another third-party device-management tool to connect to your iOS device.
- In the management tool, review all installed iOS apps and delete any named Phone, Weather, Game Center, Passbook, Notes, or Cydia. These are the malware's impostor copies; deleting them does not affect the genuine system apps.
- Additionally, make sure your iOS, as well as other apps are always up to date.
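The removal steps above rely on spotting the tradecraft described earlier: enterprise-signed components that borrow the names of system apps and hide their SpringBoard icons. The script below is an added example, not part of the Palo Alto Networks report or of any vendor tooling, that automates that check over an inventory of installed apps such as a management tool could export. The inventory records, the `signer` and `hidden_icon` fields, and the bundle identifiers of the impostor apps are constructed for illustration and are not real device output or known YiSpecter indicators.

```python
"""Flag installed iOS apps that imitate built-in system apps.

Added example. Models the YiSpecter tradecraft described in the article:
enterprise-signed apps that reuse system-app names and hide their icons.
All sample data below is constructed; field names are assumptions about
what a device-management tool would export.
"""
from dataclasses import dataclass
from typing import List

# System-app names the removal steps tell the user to look for. Cydia is
# included because it is only expected on a jailbroken device.
IMPERSONATED_NAMES = {"Phone", "Weather", "Game Center", "Passbook", "Notes", "Cydia"}

# Apple's own apps use bundle identifiers under this prefix.
APPLE_PREFIX = "com.apple."


@dataclass
class InstalledApp:
    bundle_id: str
    display_name: str
    signer: str               # assumed values: "system", "appstore", "enterprise", "developer"
    hidden_icon: bool = False  # assumed: True when SBAppTags in Info.plist hides the icon


@dataclass
class Finding:
    bundle_id: str
    reasons: List[str]


def assess_app(app: InstalledApp) -> List[str]:
    """Return the list of reasons an app looks like a YiSpecter-style impostor.

    An empty list means the app passed every check.
    """
    reasons: List[str] = []
    is_apple = app.bundle_id.startswith(APPLE_PREFIX)

    # A system-app name carried by a non-Apple bundle identifier is the core signal.
    if app.display_name in IMPERSONATED_NAMES and not is_apple:
        reasons.append(f"display name '{app.display_name}' imitates a system app")

    # Legitimate enterprise apps have no reason to hide from SpringBoard.
    if app.signer == "enterprise" and app.hidden_icon:
        reasons.append("enterprise-signed app hides its SpringBoard icon")

    return reasons


def find_suspicious(apps: List[InstalledApp]) -> List[Finding]:
    """Run assess_app over an inventory and keep only the apps with findings."""
    findings = []
    for app in apps:
        reasons = assess_app(app)
        if reasons:
            findings.append(Finding(app.bundle_id, reasons))
    return findings


# Constructed sample inventory: two genuine system apps, one legitimate
# enterprise app, two impostors, and a Cydia install on a non-jailbroken device.
SAMPLE_INVENTORY = [
    InstalledApp("com.apple.mobilephone", "Phone", "system"),
    InstalledApp("com.apple.weather", "Weather", "system"),
    InstalledApp("com.acme.fieldcrm", "ACME Field CRM", "enterprise"),
    InstalledApp("com.example.weather", "Weather", "enterprise", hidden_icon=True),
    InstalledApp("com.example.phone", "Phone", "enterprise", hidden_icon=True),
    InstalledApp("com.saurik.Cydia", "Cydia", "developer"),
]


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_INVENTORY):
        print(finding.bundle_id)
        for reason in finding.reasons:
            print(f"  - {reason}")
```

The check deliberately keys on the bundle identifier rather than the display name alone, since the display name is exactly what the malware forges; a real deployment would feed it the app list exported by the management tool and treat any hit as something to delete and report.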
To avoid infection by this malware, do not download iOS apps from untrusted sources or unknown developers. Install apps only from the Apple App Store, or install your organization's apps under your IT department's supervision.