YiSpecter Malware Sneak Attacks Non-Jailbroken iPhones In China And Taiwan

The researchers at Palo Alto Networks are working overtime thanks to plenty of new mobile exploits creeping up seemingly every day. Recently, the firm has been responsible for a couple of big stories revolving around Apple's iOS. Back in August, it found that over 225,000 Apple accounts were stolen from jailbroken devices, and just a couple of weeks ago, it clued us in to the XcodeGhost malware, which Apple itself managed to let slip into its official store.

Now, we're given news of more malware, but fortunately for those outside of Asia, it looks like there's no reason for concern. However, this malware is able to affect non-jailbroken devices, so it is still a topic that needs to be watched very closely.

Palo Alto Networks dubs this new malware YiSpecter, and as mentioned, it can affect stock devices (and jailbroken ones alike). Interestingly, it's the first malware the company's noted that abuses private APIs in iOS in order to get its job done. So far, the firm says that only users in China and Taiwan have been affected.

[Image] One of YiSpecter's attack vectors is through traffic hijacking

Another reason for concern is the fact that this malware can be installed with the help of traffic hijacking, an SNS worm on Windows, offline app installation, and community promotion. The firm notes that as of today, VirusTotal, a Web service that scans files with myriad virus scanners, only returns one detection (out of 47).

Because YiSpecter can take advantage of private system APIs, it can pull off a number of different tasks, including replacing installed apps with infected ones, installing unique apps that it can hide from view, changing Safari's default search engine, showing advertisements, and so forth. Generally speaking, this would be a serious nuisance, and it's one that's taken about ten full months to discover.

[Image] Part of this malware, NoIcon, used an enterprise certificate

Palo Alto Networks notes that there exist 100 apps in the official App Store that abuse private APIs in much the same way as this malware, and despite Apple's strict code review, they've still managed to get through.

It's not mentioned whether or not Apple is on the case of squashing whatever bug allows these exploits to happen, but the company typically wastes no time on these things. Given what this malware can do, we'd have to imagine this time will be no different. If you want to read about YiSpecter in serious depth, be sure to hit up the link below (you might need two cups of coffee to finish).

