New Malware Called YiSpecter Is Attacking iOS Devices in China And Taiwan

Cybersecurity firm Palo Alto Networks has identified new malware, which it calls YiSpecter, that infects iOS devices by abusing private APIs. Most affected users live in China and Taiwan.

Update: Apple has confirmed to TechCrunch that iOS 9 prevents the class of issues caused by malware like YiSpecter. A good reason to always stay updated to the latest versions of iOS; YiSpecter, for instance only affects versions of iOS 8.3 and older, and can only take hold if users download apps from untrusted sources outside the App Store. Apple has revoked the certificates used for the apps that were distributing this malware.

Apple issued the following statement:

“This issue only impacts users on older versions of iOS who have also downloaded malware from untrusted sources. We addressed this specific issue in iOS 8.4 and we have also blocked the identified apps that distribute this malware. We encourage customers to stay current with the latest version of iOS for the latest security updates. We also encourage them to only download from trusted sources like the App Store and pay attention to any warnings as they download apps.”

Once it infects a phone, YiSpecter can install unwanted apps; replacing legitimate apps with ones it has downloaded; force apps to display full-screen advertisements; change bookmarks and default search engines in Safari; and send user information back to its server. It also automatically reappears even after users manually delete it from their iOS devices.

Palo Alto Networks says YiSpecter is unusual for iOS malware—at least ones that have been identified so far—because it attacks iOS devices by misusing private APIs to allow its four components (which are signed with enterprise certificates to appear legitimate) to download and install each other from a centralized server.

In the post, Palo Alto Networks’ security researcher Claud Xiao wrote that by abusing enterprise certificates and private APIs, YiSpecter is not only able to infect more devices, but “pushes the line barrier of iOS security back another step.”

Three of the components can hide their icons from iOS SpringBoard (the standard app that runs the home screen) and even disguise themselves with the names and logos of other apps to escape detection from users. Palo Alto Networks says the malware has been infecting iOS devices for over 10 months, but only one out of 57 security vendors in VirusTotal, a free scanning service, is currently detecting it.

YiSpecter first spread by masquerading as an app that allows users to view free porn. It then infected more phones through hijacked traffic from Internet service providers, a Windows worm that first attacked QQ (an IM service by Tencent), and online communities where users install third-party apps in exchange for promotion fees from developers.

Last month, another malware called XcodeGhost infected almost 40 popular apps in the Chinese App Store, which is very unusual because Apple first subjects apps to strict reviews. Despite the unique nature of both malware, however, Palo Alto Networks says there is no evidence that XcodeGhost and YiSpecter are related.

TechCrunch has contacted Apple for comment.

Palo Alto Networks’ blog post has more information on YiSpecter, as well as detailed steps for removing it from devices.