Just weeks after Apple was forced to rid its iOS App Store of apps poisoned by the XcodeGhost malware, and mere months after the tech company pulled all iOS anti-virus apps, a new attack has come to light impacting owners of iPads and iPhones, bringing into question the sanctity of Apple’s walled garden.
The new malware threat — which is capable of infecting iDevices whether they are jailbroken or not — has been named YiSpecter by security researchers at Palo Alto Networks, and a report in the Wall Street Journal says that it has been spread with the help of a Chinese advertising network.
YiSpecter is thought to have been spreading in-the-wild since at least November 2014, initially distributed as a trojanised version of QVOD, a media player popular in China for watching porn videos. QVOD has since been discontinued after the Chinese authorities shut it down earlier this year, so it’s safe to assume that any QVOD video player should now be treated with suspicion.
However, the YiSpecter malware has also infected iPhones and iPads through other unusual means, including the hijacking of traffic from Chinese ISPs, a Windows-based social networking worm, third-party app stores and direct promotion of trojanised apps on social networks and forums.
Once in place the YiSpecter malware can install unwanted apps, replace legitimate apps with ones it had downloaded, display full-screen advertisements, meddle with Safari’s bookmarks and default search engine, and steal information about users. In a further flourish, YiSpecter can survive manual deletion from iOS devices by automatically reappearing.
Researchers have described how YiSpecter has pretended to be legitimate apps, including Phone, Weather, Game Center and Passbook on infected devices.
YiSpecter goes further than past attacks against non-jailbroken iPhones such as WireLurker, by not just taking advantage of certificates issued under Apple’s iOS Developer Enterprise Program to roll out bespoke apps within companies, but also exploiting private APIs.
To date, it appears that YiSpecter has mostly affected users based in China and Taiwan, but clearly there is the potential for attacks like this to strike further afield.
Palo Alto Networks offers the following removal advice for any users who believe that their iDevices might be affected by YiSpecter:
- In iOS, go to Settings -> General -> Profiles to remove all unknown or untrusted profiles;
- If there’s any installed apps named “情涩播放器”, “快播私密版” or “快播0”, delete them;
- Use any third-party iOS management tool (e.g., iFunBox, though note that Apple’s iTunes doesn’t work in this step) on Windows or Mac OS X, to connect with your iPhone or iPad;
- In the management tool, check all installed iOS apps; if there are any apps with names like Phone, Weather, Game Center, Passbook, Notes, or Cydia, delete them. (Note that this step won’t affect the original system apps but will just delete the faked malware.)
Intego’s Mac security products detect the malware as iOS/YiSpecter.
Although recent developments in the world of iOS malware may rattle some users’ confidence in the safety of the platform, it’s well worth remembering that the problem of malicious software is much more significant on the Android operating system. Thousands of new Android malware samples are being discovered all the time.
The good news for iOS users is that, for now at least, malware is a relative novelty.