YiSpecter: First malware attacks non-jailbroken iOS devices

A new iOS malware was reported to modify Safari’s defaults, install unwanted apps and replace legitimate apps with them on victims’ mobile devices.

Both jailbroken and non-jailbroken iOS devices can be infected if users click on and download a so-called free porn player app from unauthorized sites.

Cybersecurity firm Palo Alto Networks identified the malware, YiSpecter, in a report on October 5, after it had been in the wild for over 10 months in mainland China and Taiwan.

“I’ve never seen malware like this that can attack non-jailbroken iPhones as well,” said Mr Yao Chenghao, a web engineer at Baidu, an online technology company.

The new malware, YiSpecter, was hidden behind a pornographic video application.

YiSpecter can install apps and hide them from detection by concealing them behind an icon on iOS’s home screen, according to Palo Alto Networks.

The malware can hijack execution of other apps to display full-screen advertisements and change Safari’s bookmarks, search pages and opened pages.

“Even if you manually delete the malware, it will automatically re-appear,” Palo Alto Networks’ report says. “Using third-party tools you can find some strange additional ‘system apps’ on infected phones.”

YiSpecter abuses iOS’ private application programming interfaces (APIs), collections of basic functions that help developers write applications, to carry out its attack.

The virus also took advantage of Apple’s enterprise certificates, which were originally designed for organizations to distribute internal apps to their employees.

“YiSpecter is the first one combined these (APIs and certificate) together to implement malicious behaviors,” said Mr Claud Xiao, security researcher at Palo Alto Networks.

YiSpecter’s command and control server domain belongs to a Chinese mobile advertisement platform named “YingMob Interaction”, which develops an “iOS helper” that lets users install paid apps for free without jailbreaking, the report says.

The malware frequently asks users of infected devices to install YingMob Interaction’s “iOS helper”.

“This issue only impacts users on older versions of iOS who have also downloaded malware from untrusted sources,” Apple commented after the malware was disclosed. “We addressed this specific issue in iOS 8.4 and we have also blocked the identified apps that distribute this malware.”

Upgrading, however, might not be an effective way to prevent the attack, as “YiSpecter pushed the line barrier of iOS security back another step,” according to Palo Alto Networks’ report.

“There are some ways to bypass App Store’s code review,” said Mr Xiao. “Normal apps from App Store can also abuse private APIs. In this situation, there’s almost no action a normal user can take to avoid being affected.”

“We’ve suggested that Apple improve their code review procedures; their actions are also necessary,” he added.

There have been no reports so far of Hong Kong iOS users being attacked by the new malware, but “there is the possibility,” according to security researcher Mr Claud Xiao.

“I’m a little bit worried, but since everybody uses iPhone, what can I do?” said Mr Polly Tam, a Hong Kong iOS user.

Report: Charlotte Yang; Writing: Julianna Wu; Animation & Photo: Sharon Shi 
