Malware + Security News

YiSpecter Malware Attacks iPhones and iPads to Serve up Ads

Posted on by


Just weeks after Apple was forced to rid its iOS App Store from apps poisoned by the XcodeGhost malware, and mere months after the tech company pulled all iOS anti-virus apps, a new attack has come to light impacting owners of iPads and iPhones, bringing into question the sanctity of Apple’s walled garden.

The new malware threat — which is capable of infecting iDevices whether they are jailbroken or not — has been named YiSpecter by security researchers at Palo Alto Networks, and a report in the Wall Street Journal says that it has been spread with the help of a Chinese advertising network.

YiSpecter is thought to have been spreading in-the-wild since at least November 2014, initially distributed as trojanised version of QVOD, a media player popular in China for watching porn videos. QVOD has since been discontinued after the Chinese authorities shut it down earlier this year, so it’s safe to assume that any QVOD video player should now be treated with suspicion.

However, the YiSpecter malware has also infected iPhones and iPads through other unusual means, including the hijacking of traffic from Chinese ISPs, a Windows-based social networking worm, third-party app stores and direct promotion of trojanised apps on social networks and forums.

Once in place the YiSpecter malware can install unwanted apps, replace legitimate apps with ones it had downloaded, display full-screen advertisements, meddle with Safari’s bookmarks and default search engine, and steal information about users. In a further flourish, YiSpecter can survive manual deletion from iOS devices by automatically reappearing.

Researchers have described how YiSpecter has pretended to be legitimate apps, including Phone, Weather, Game Center and Passbook on infected devices.

YiSpecter goes further than past attacks against non-jailbroken iPhones such as WireLurker, by not just taking advantage of certificates issued under Apple’s iOS Developer Enterprise Program to roll-out bespoke apps within companies, but also exploiting private APIs.

To date, it appears that YiSpecter has mostly affected users based in China and Taiwan, but clearly there is the potential for attacks like this to strike further afield.

Palo Alto Networks offers the following removal advice for any users who believe that their iDevices might be affected by YiSpecter:

  • In iOS, go to Settings -> General -> Profiles to remove all unknown or untrusted profiles;
  • If there’s any installed apps named “情涩播放器”, “快播私密版” or “快播0”, delete them;
  • Use any third-party iOS management tool (e.g., iFunBox, though note that Apple’s iTunes doesn’t work in this step) on Windows or Mac OS X, to connect with your iPhone or iPad;
  • In the management tool, check all installed iOS apps; if there are some apps have name like Phone, Weather, Game Center, Passbook, Notes, or Cydia, delete them. (Note that this step won’t affect original system apps but just delete faked malware.)

Intego’s Mac security products detect the malware as iOS/YiSpecter.

Although recent developments in the world of iOS malware may rattle some users’ confidence in the safety of the platform, it’s well worth remembering that the problem of malicious software is much more significant on the Android operating system. Thousands of new Android malware samples are being discovered all the time.

The good news for iOS users is that, for now at least, malware is a relative novelty.

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley. View all posts by Graham Cluley →