Apple’s reputation, earned or not, for having a secure mobile operating system has been put to the test these past few months. There have been several cases of malware infecting jailbroken phones, and even an infection of Xcode (the toolchain iOS apps are built with) itself. Now a new iOS malware, YiSpecter, is out in the wild according to security researchers at Palo Alto Networks. This malware is different in that it infects both jailbroken and stock (non-jailbroken) iOS devices, which means anyone owning an iPhone could be at risk of infection. The malware abuses private iOS APIs to implement its malicious functionality.
Right now it seems users in China and Taiwan are being hit; no reports of the malware have come from elsewhere as yet. The malware spreads through several means, including hijacking of nationwide ISP traffic, injection through an SNS worm on Windows, offline app installation and community promotion. The interesting thing is that the malware has now been circulating for 10 months, and users have reported the incidents to Apple.
YiSpecter consists of four different components that are signed with enterprise certificates. By abusing private APIs, these components download and install each other from a command and control (C2) server. Three of the malicious components use tricks to hide their icons from iOS’s SpringBoard, which prevents the user from finding and deleting them. The components also use the same name and logos of system apps to trick iOS power users.
On infected iOS devices, YiSpecter can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information to the C2 server. According to victims’ reports, all these behaviors have been exhibited in YiSpecter attacks in the past few months. Some other characteristics about this malware include:
- Whether an iPhone is jailbroken or not, the malware can be successfully downloaded and installed
- Even if you manually delete the malware, it will automatically re-appear
- Using third-party tools you can find some strange additional “system apps” on infected phones
- On infected phones, in some cases when the user opens a normal app, a full screen advertisement will show
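The three traits the post attributes to YiSpecter’s components (enterprise-certificate signing, icons hidden from SpringBoard, and names that imitate built-in system apps) can be turned into a simple triage rule over a device’s app inventory. The following is an added example written for this page, not code from the original post or from Palo Alto Networks’ report. The inventory records are constructed sample data, and the field names (`bundle_id`, `signer`, `sb_app_tags`) are an assumption about how an MDM export or inventory tool would present them; `SBAppTags` containing `hidden` is the Info.plist key iOS uses for apps without a home-screen icon.

```python
"""Triage an iOS app inventory for apps that look like YiSpecter-style
impostor components: enterprise-signed, icon hidden from SpringBoard, and
named after a built-in Apple app while the bundle identifier is not Apple's.

Added example for this article; the inventory below is constructed, and the
record layout is an assumption, not any particular tool's real export format.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Built-in app names an impostor might imitate (constructed, not exhaustive).
SYSTEM_APP_NAMES = {"Phone", "Safari", "Settings", "Messages", "Photos", "App Store"}


@dataclass
class InstalledApp:
    bundle_id: str
    display_name: str
    signer: str                                   # "apple", "appstore", "enterprise", "developer"
    sb_app_tags: List[str] = field(default_factory=list)  # Info.plist SBAppTags, e.g. ["hidden"]


def triage(app: InstalledApp) -> List[str]:
    """Return the list of suspicious traits observed on one app."""
    findings: List[str] = []
    apple_bundle = app.bundle_id.startswith("com.apple.")
    if app.signer == "enterprise":
        findings.append("enterprise-signed")
    # Apple's own hidden helper apps are normal; a hidden non-Apple app is not.
    if "hidden" in app.sb_app_tags and not apple_bundle:
        findings.append("icon hidden from SpringBoard")
    if app.display_name in SYSTEM_APP_NAMES and not apple_bundle:
        findings.append(f"mimics system app name {app.display_name!r}")
    return findings


def suspicious_apps(inventory: List[InstalledApp]) -> Dict[str, List[str]]:
    """Map bundle id -> findings for apps showing at least two traits.

    A single trait (a legitimately enterprise-signed corporate app, say) is
    not enough on its own; the combination is what matches the report.
    """
    result: Dict[str, List[str]] = {}
    for app in inventory:
        findings = triage(app)
        if len(findings) >= 2:
            result[app.bundle_id] = findings
    return result


# Constructed sample inventory: one real-looking Apple app, one legitimate
# enterprise app, one App Store app, and one impostor resembling the report.
SAMPLE_INVENTORY = [
    InstalledApp("com.apple.mobilesafari", "Safari", "apple"),
    InstalledApp("com.example.corp.expenses", "Expenses", "enterprise"),
    InstalledApp("com.example.puzzle", "Puzzle", "appstore"),
    InstalledApp("com.constructed.fakephone", "Phone", "enterprise", ["hidden"]),
]


if __name__ == "__main__":
    for bundle_id, findings in suspicious_apps(SAMPLE_INVENTORY).items():
        print(f"{bundle_id}: {', '.join(findings)}")
```

The rule deliberately requires two traits before flagging an app, because enterprise signing alone is common in managed fleets; the combination of an enterprise certificate with a hidden icon or a borrowed system-app name is what the report describes.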
Palo Alto Networks has released IPS and DNS signatures to block YiSpecter’s malicious traffic. The larger question here is: if users in both China and Taiwan have been discussing this issue on online forums and have reported it to Apple, why has Apple not patched it? Apple has generally been known to take care of security issues fairly swiftly, but this has been ongoing for 10 months. In the meantime the malware hasn’t been spotted anywhere else, but know that you are still at risk.
Source: Palo Alto Networks