YiSpecter targets all types of iOS devices to perform all types of malicious activity, including app deletion, data theft and setting changes
Security researchers have discovered a piece of iOS malware that attacks both jailbroken and non-jailbroken iPhone and iPad devices and is capable of performing a range of malicious activities.
YiSpecter has been in the wild for ten months, according to Palo Alto Networks, with iOS users in China and Taiwan the most commonly affected. It spreads by hijacking ISP traffic, as an SNS worm on Windows, through offline installation – a method used by businesses to install custom apps not available on the app store – and through community promotion such as online forums.
Palo Alto Networks says the threat is the first instance of iOS malware that abuses private APIs to carry out its acts.
Apple says it is aware of the vulnerability and fixed it in iOS 8.4.
“This issue only impacts users on older versions of iOS who have also downloaded malware from untrusted sources. We addressed this specific issue in iOS 8.4 and we have also blocked the identified apps that distribute this malware,” Apple told TechWeekEurope. “We encourage customers to stay current with the latest version of iOS for the latest security updates. We also encourage them to only download from trusted sources like the App Store and pay attention to any warnings as they download apps.”
YiSpecter can download, install and launch applications, replace existing apps, hijack app execution to display adverts, change Safari's default search engine, bookmarks and open pages, and upload user information to a remote server.
The software can conceal its icons from users so it can’t be deleted and is even capable of using the same icons and names as existing apps – making it difficult to identify. Researchers say it can reappear even if it is manually deleted from the device.
“YiSpecter is the latest in a line of significant malware families to target iOS devices,” said Palo Alto Networks. “Previously, the malware WireLurker demonstrated the ability to infect non-jailbroken iOS devices by abusing enterprise certificates, and academic researchers have discussed how private APIs can be used to implement sensitive functionalities in iOS.
“However, YiSpecter is the first real world iOS malware that combines these two attack techniques and causes harm to a wider range of users. It pushes the line barrier of iOS security back another step.
“Moreover, recent research shows that over 100 apps in the App Store have abused private APIs and bypassed Apple’s strict code review. What that means is the attacking technique of abusing private APIs can also be used separately and can affect all normal iOS users who only download apps from the App Store.”
Growing iOS threat
Despite Apple’s assertion that the threat has been fixed, YiSpecter is the latest in a series of threats affecting Apple’s mobile operating system, most notably the first major attack on the App Store, which have shattered the platform’s popular perception as impenetrable.
Separately, the emergence of a number of Mac OS X vulnerabilities and Apple’s apparent lack of response have heaped scrutiny on Cupertino’s approach to security.
“People often forget or ignore the usual concerns, which they would pay attention to when using a desktop, thinking they don’t apply to mobiles,” said Mark James, security specialist at ESET. “This particular strain of iOS malware can affect almost any iPhone, including non-jailbroken devices.”
“It’s worse in that it combines more techniques for infecting your iPhone, thus enabling a much wider range of targets. The use of private APIs enables the malware to gain control of already installed apps and users who previously thought they were safe.
“The big safety bubble around iOS and iPhones may be starting to break down but you can still take measures to protect yourselves by only downloading apps from the official store and checking with your IT team if you need to download any apps from any other sources.”