YiSpecter – First iOS Malware Infecting Both Jailbroken and Non-Jailbroken Devices to Spread Adware


Less than a month after Apple began recovering from one of the largest malware attacks ever on its App Store, security researchers have discovered yet another piece of malware, this one targeting both jailbroken and non-jailbroken iOS devices.

Just last month, security researchers identified more than 4,000 apps in the Apple App Store as infected. Attackers reached those apps by infecting the development software developers use to build iOS apps with malware dubbed XcodeGhost.

Now, researchers from the California-based network security firm Palo Alto Networks have uncovered a new strain of malware that targets Apple iOS users in China and Taiwan.

YiSpecter, the latest piece of malware to infect iOS devices, has a number of capabilities, including:

  • Install unwanted apps
  • Replace official apps with faulty ones that YiSpecter downloaded
  • Force apps to display full-screen ads
  • Alter bookmarks and modify the default search engine in Safari
  • Send victims' information back to the attackers' servers
  • Automatically reappear even after being uninstalled from the iOS device

The number of affected users remains unclear; however, according to researchers, the first instance of this iOS malware targeting and successfully infecting a non-jailbroken iOS device dates back to around November 2014.

“Whether an iPhone is jailbroken or not, the malware can be successfully downloaded and installed,” Claud Xiao, a researcher at Palo Alto Networks, said in a blog post published Sunday. “Even if you manually delete the malware, it will automatically re-appear.”

YiSpecter targets both jailbroken and non-jailbroken iOS devices by abusing private APIs. Its four components, signed with legitimate enterprise certificates that cost $299, are installed from a centralized command-and-control server.


Three of YiSpecter's four malicious components hide their app icons from the device's home screen and can also masquerade as popular applications, logos and all, simply to evade detection by the user.

According to security researchers at Palo Alto Networks, YiSpecter has been actively targeting iOS devices for over 10 months now. It first began spreading by disguising itself as an app that lets users watch free porn.


The app attracted downloaders through ads claiming it was a private version of a media player known as QVOD, a popular app developed by Kuaibo for sharing porn videos found on the web.

The malware is currently spreading to iOS devices in a number of ways, including:

  • Hijacking Internet traffic from ISPs
  • A Windows worm that first attacked Tencent's instant messaging service, known as QQ
  • Online communities where people install third-party apps for monetary value

Security researchers have already turned their information on YiSpecter over to Apple, which said it is currently investigating the issue.

How to remove YiSpecter from your iOS Device

Users who believe they may have been infected by YiSpecter should follow the four-step process listed below. It should work for any iOS device currently on the market:

  1. Head over to Settings > General > Profiles and remove all unknown or untrusted profiles
  2. Check for any apps named “情涩播放器”, “快播私密版” or “快播0”, and delete them
  3. Use a third-party iOS management tool, such as iFunBox on Windows or Mac OS X, to connect to your iPhone
  4. In the tool, look for apps named Phone, Weather, Game Center, Passbook, Notes or Cydia, and delete them. (Note: only the fake malware apps will be deleted; authentic iOS apps cannot be deleted.)
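Steps 2 and 4 above boil down to comparing an app list against a handful of indicators. The following is an added example, not code from the article or from Palo Alto Networks: a small checker that runs over an app inventory exported from an iOS management tool and flags the indicators the article gives (the known fake app names, stock app names carried by non-Apple bundles, Cydia on a non-jailbroken device, and enterprise-signed apps from an unknown team). The inventory fields (`name`, `bundle_id`, `signing`, `team`) and the sample data are assumptions constructed for the demonstration.

```python
# Added example (not from the original article): flag YiSpecter indicators in an
# iOS app inventory. Field names and sample data below are assumed/constructed.

from collections import Counter

# Fake app names the article lists (step 2 of the removal procedure).
KNOWN_FAKE_NAMES = {"情涩播放器", "快播私密版", "快播0"}

# Stock app names the article says YiSpecter components hide behind (step 4).
IMPERSONATED_NAMES = {"Phone", "Weather", "Game Center", "Passbook", "Notes"}


def is_apple_bundle(bundle_id: str) -> bool:
    """Genuine Apple system apps use bundle identifiers under com.apple."""
    return bundle_id.startswith("com.apple.")


def find_suspicious_apps(inventory, jailbroken=False, allowed_enterprise_teams=()):
    """Return a list of (name, bundle_id, reason) for apps worth removing.

    inventory: list of dicts with keys 'name', 'bundle_id', 'signing'
               ('system', 'app_store' or 'enterprise') and optional 'team'.
    """
    findings = []
    name_counts = Counter(app["name"] for app in inventory)

    for app in inventory:
        name, bundle_id = app["name"], app["bundle_id"]
        signing = app.get("signing", "unknown")

        if name in KNOWN_FAKE_NAMES:
            findings.append((name, bundle_id, "app name used by YiSpecter"))
            continue

        # A stock app name on a non-Apple bundle is a masquerading app; a
        # duplicate count above one means the genuine app is still there.
        if name in IMPERSONATED_NAMES and not is_apple_bundle(bundle_id):
            reason = "impersonates a system app"
            if name_counts[name] > 1:
                reason += " (duplicate of the genuine app)"
            findings.append((name, bundle_id, reason))
            continue

        # Cydia only belongs on a jailbroken device.
        if name == "Cydia" and not jailbroken:
            findings.append((name, bundle_id, "Cydia present on a non-jailbroken device"))
            continue

        # Enterprise-signed apps from a team the organisation does not know are
        # how YiSpecter reaches non-jailbroken phones.
        if signing == "enterprise" and app.get("team") not in allowed_enterprise_teams:
            findings.append((name, bundle_id, "enterprise-signed by unknown team"))

    return findings


# Constructed sample inventory for demonstration (not real device data).
SAMPLE_INVENTORY = [
    {"name": "Phone", "bundle_id": "com.apple.mobilephone", "signing": "system"},
    {"name": "Phone", "bundle_id": "com.example.fakephone", "signing": "enterprise", "team": "UNKNOWN-TEAM"},
    {"name": "Notes", "bundle_id": "com.apple.mobilenotes", "signing": "system"},
    {"name": "快播私密版", "bundle_id": "com.example.player", "signing": "enterprise", "team": "UNKNOWN-TEAM"},
    {"name": "Weather", "bundle_id": "com.apple.weather", "signing": "system"},
    {"name": "Expenses", "bundle_id": "com.corp.expenses", "signing": "enterprise", "team": "CORP-TEAM"},
    {"name": "Cydia", "bundle_id": "com.example.notcydia", "signing": "enterprise", "team": "UNKNOWN-TEAM"},
]


def main():
    findings = find_suspicious_apps(SAMPLE_INVENTORY, allowed_enterprise_teams=("CORP-TEAM",))
    for name, bundle_id, reason in findings:
        print(f"{name:<12} {bundle_id:<26} {reason}")


if __name__ == "__main__":
    main()
```

Run against the sample inventory, the checker reports the fake Phone, the 快播私密版 app and the Cydia entry, while leaving the genuine Apple apps and the organisation's own enterprise app alone; on a device you know to be jailbroken, pass `jailbroken=True` and the Cydia entry is instead judged by its signing team like any other app.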

YiSpecter is the latest in a noteworthy series of attacks launched against Apple platforms in the last few months.

[Photo via Kelvinsong/Wikimedia [CC BY 3.0]]

About Author

Brandon Stosh is the founder and CEO of www.freedomhacker.net. Stosh is a cyber security researcher and professional consultant who strives to provide reliable news on cyber-security based topics.

4 Comments

  1. I can't see any PROFILES option under “Head over to Settings > General > Profiles and remove all unknown or untrusted profiles”. Does that mean my iPhone is clean?
