Security site ‘Palo Alto Networks’ put out a warning that an iOS malware that cleverly can infect “non-jailbroken” Apple devices using enterprise certificates and private APIs has been infecting iPhones for 10 months and could herald a new era of iOS threats.
The scourge, called YiSpecter, originated in Taiwan, moved on to China and then was released outside of Asia by hijacking web traffic from ISPs and offline app installation.
The vicious malware is transmitted uses WiFi and mobile networks to download, install, and launch apps, doing things like replacing existing apps, displaying advertisements in legitimate apps, changing Safari’s default engine, and uploading user information to remote servers, according to PA Networks.
YiSpecter spread rapidly by masquerading as an app that allows users to view free porn. It then infected more phones through hijacked traffic from Internet service providers and underground app distribution websites where online communities can install third-party apps in exchange for promotional fees.
Apple has announced on their website that iOS 9 can prevent the class of issues caused by malware like YiSpecter. Apple commented that it is a good practice to automatically stay updated with the most recent iOS release.
YiSpecter can only attack Apple devices running versions of iOS 8.3 and older, and can only be infected if users download apps from untrusted sources outside the App Store. Apple is believed to be revoking the certificates for apps used by the malware for hitchhiking.
Apple released an official statement about YiSpecter in Loop Insight:
“This issue only impacts users on older versions of iOS who have also downloaded malware from untrusted sources. We addressed this specific issue in iOS 8.4 and we have also blocked the identified apps that distribute this malware. We encourage customers to stay current with the latest version of iOS for the latest security updates. We also encourage them to only download from trusted sources like the App Store and pay attention to any warnings as they download apps.”
Palo Alto Networks stated that YiSpecter is perhaps the most destructive iOS malware to date, because it attacks iOS devices by misusing private APIs to allow its four components, which are signed with enterprise certificates to appear legitimate, to download and install each other from a centralized server.
In its post, Palo Alto Networks’ security researcher Claud Xiao wrote that by abusing enterprise certificates and private APIs, YiSpecter is not only able to infect more devices, but “pushes the line barrier of iOS security back another step.”
Once an iPhone is infected, YiSpecter can install unwanted apps, substitute legitimate apps with ones it downloads; force apps to display full-screen advertisements; change bookmarks and default search engines in Safari; and send user information back to its server. It tends to reappears after users manually delete it from their iOS devices.
Three of the YiSpecter components can hide their icons from the standard iOS app that runs the home screen, called SpringBoard. The malware can cloak itself by adopting the logos of other legitimate apps to avoid detection.
Palo Alto Networks said the malware has been infecting iOS devices for over 10 months, but only 2 percent of the 57 security vendors in VirusTotal free scanning service can currently detect YiSpecter.
Palo Alto Networks website has released detailed technical IPS and DNS signatures to block any YiSpecter traffic. The site also contains instructions on how users can manually remove YiSpecter and avoid potential similar attacks in the future. But PA Networks believes similar versions of the malicious YiSpecter may also be released.