New Malware Targeting iOS Devices, Even Non-Jailbroken Ones
If you thought having a locked iPhone and only buying apps that have been approved for the Apple App Store kept your device safe, think again. A new piece of malware named YiSpecter, discovered by security firm Palo Alto Networks, abuses private iOS APIs to infect even devices that have not been jailbroken.
“It’s the first malware we’ve seen in the wild that abuses private APIs in the iOS system to implement malicious functionalities,” Claud Xiao, a security researcher at Palo Alto Networks, wrote on the company’s blog. Unlike previous malware targeting iOS devices, YiSpecter can threaten both jailbroken and non-jailbroken devices.
Unusual Transmission Methods
The malware has been active in the wild for more than 10 months, but so far most security vendors are not able to detect it. At the moment, YiSpecter seems to be mostly confined to iOS devices in China and Taiwan.
YiSpecter seems to have some rather unusual methods of transmission, including hijacked Internet service provider traffic, offline app installation, and community promotions. The malware consists of four components, each signed with an enterprise certificate. Any one component is able to download the remaining components from a command and control server by using iOS’ private APIs.
“Three of the malicious components use tricks to hide their icons from iOS’ SpringBoard, which prevents the user from finding and deleting them,” Xiao said. “The components also use the same name and logos of system apps to trick iOS power users.”
A Deadly Combination
Once installed on a device, YiSpecter can download, install, and launch arbitrary apps, hijack other apps’ execution, and upload device information to the command and control server. Even if users manually delete the malware, it will automatically reappear on their devices. Some users say they’ve also encountered new, full-screen advertisements when opening one of their other apps.
The discovery of YiSpecter follows the WireLurker malware, identified in November, which also targeted non-jailbroken iOS devices by using enterprise certificates. And last month, more than 4,000 apps on the Apple App Store were found to be infected with the XcodeGhost malware.
But YiSpecter is the first piece of malware that has successfully combined the use of enterprise certificates with the manipulation of private APIs to implement sensitive functionalities in iOS. The result is a piece of malware that is potentially far more dangerous than anything seen before. “It pushes the line barrier of iOS security back another step,” Xiao said.
Apple has been notified about the malware, and Palo Alto Networks has released IPS and DNS signatures that block YiSpecter’s network traffic. Apple has already improved enterprise certificate security in the recently released iOS 9, which requires users to manually identify providers as “trusted” in settings before they can install enterprise-provisioned apps.
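As an added illustration (not code from Palo Alto Networks’ report or from this article), the following Python script shows how a defender could triage an exported app inventory for the traits described above: apps installed under an enterprise distribution profile rather than App Store review, apps whose display name collides with a stock system app, and clusters of sideloaded apps signed under one team. The inventory, profile contents and team name are constructed, and the script assumes the XML plist inside embedded.mobileprovision has already been extracted from its CMS signature wrapper.

```python
import plistlib
from collections import defaultdict

# Constructed sample: the XML plist inside an embedded.mobileprovision file, assumed
# already extracted from its CMS wrapper. ProvisionsAllDevices marks an enterprise profile.
ENTERPRISE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>ProvisionsAllDevices</key><true/>
  <key>TeamName</key><string>Example Distribution Ltd</string>
</dict></plist>"""

# Constructed app inventory; App Store apps carry no embedded profile (profile=None).
INVENTORY = [
    {"bundle_id": "com.apple.Preferences", "name": "Settings", "profile": None},
    {"bundle_id": "com.example.puzzle", "name": "Puzzle", "profile": None},
    {"bundle_id": "com.example.field-tools", "name": "Field Tools", "profile": ENTERPRISE_PROFILE},
    {"bundle_id": "com.notapple.prefs", "name": "Settings", "profile": ENTERPRISE_PROFILE},
]

def profile_dict(profile):
    return plistlib.loads(profile) if profile else {}

def is_enterprise_provisioned(profile):
    """True for in-house distribution profiles, which install without App Store review."""
    return bool(profile_dict(profile).get("ProvisionsAllDevices", False))

def triage(inventory):
    """List enterprise-provisioned apps with reasons; stock apps are recognised by
    the com.apple. bundle-id prefix and their names are taken from the inventory."""
    stock_names = {a["name"] for a in inventory if a["bundle_id"].startswith("com.apple.")}
    findings = []
    for app in inventory:
        if not is_enterprise_provisioned(app["profile"]):
            continue
        reasons = ["enterprise-provisioned: not reviewed by the App Store"]
        if app["name"] in stock_names and not app["bundle_id"].startswith("com.apple."):
            reasons.append("display name collides with a stock system app")
        findings.append((app["bundle_id"], reasons))
    return findings

def enterprise_teams(inventory):
    """Group enterprise apps by signing team; several sideloaded apps under one team
    (YiSpecter shipped four) merit a closer look."""
    teams = defaultdict(list)
    for app in inventory:
        if is_enterprise_provisioned(app["profile"]):
            team = profile_dict(app["profile"]).get("TeamName", "<unknown>")
            teams[team].append(app["bundle_id"])
    return dict(teams)
```

On a real device the inventory would come from an MDM export or a backup, and the profile bytes would be verified against Apple’s signing chain before being trusted.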