A fresh Apple iOS malware has appeared on the scene, dubbed YiSpecter.
YiSpecter is different from previously seen iOS malware in that it attacks both jailbroken and non-jailbroken iOS devices through unique malicious behaviors, according to Palo Alto networks. Specifically, it spreads via unusual means, including the hijacking of traffic from nationwide ISPs, an SNS worm on Windows, and an offline app installation and community promotion. It’s also the first malware seen in the wild that abuses private APIs in the iOS system to implement malicious functionalities.
So far, the malware primarily affects iOS users in mainland China and Taiwan. On infected iOS devices, YiSpecter can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information to the C2 server.
“Many victims have discussed YiSpecter infections of their jailbroken and non-jailbroken iPhones in online forums and have reported the activity to Apple,” Palo Alto researchers said in an analysis. “The malware has been in the wild for over 10 months, but out of 57 security vendors in VirusTotal, only one is detecting the malware at the time of this writing.”
YiSpecter consists of four different components that are signed with enterprise certificates. By abusing private APIs, these components download and install each other from a command and control (C2) server. Three of the malicious components use tricks to hide their icons from iOS’s SpringBoard, which prevents the user from finding and deleting them. The components also use the same name and logos of system apps to trick iOS power users.
YiSpecter is the latest in a line of significant malware families to target iOS devices. Previously, the malware WireLurker demonstrated the ability to infected non-jailbroken iOS devices by abusing enterprise certificates.
“Academic researchers have discussed how private APIs can be used to implement sensitive functionalities in iOS,” the researchers noted. “However, YiSpecter is the first real world iOS malware that combines these two attack techniques and causes harm to a wider range of users. It pushes the line barrier of iOS security back another step.”