Palo Alto Networks has detected malware capable of attacking even non-jailbroken iOS devices. The researchers have named it YiSpecter. It uses an unusual method: abusing private iOS APIs to infect devices. Private APIs are undocumented by Apple, so apps that call them tend to escape detection; Apple's App Store carries around 100 such applications.
Claud Xiao, a researcher from Palo Alto, stated, "What that means is the attacking technique of abusing private APIs can also be used separately and can affect all normal iOS users who only download apps from the App Store." It is the first time malware capable of infecting both jailbroken and non-jailbroken iPhones and iPads has been seen.
- The malware has four components, each signed with an enterprise certificate.
- These components abuse private APIs and are downloaded onto the targeted devices.
- Through a command and control (C2) server, the components install each other.
- Three of the components hide themselves from the iOS SpringBoard.
- This prevents their detection and deletion by the user.
- The components use logos and names similar to those of system applications to avoid detection.
- Once installed, the malware gets complete access to the device: it can download and install apps, delete existing apps, change system settings and transmit device details to the C2 server.
YiSpecter has some unique features. It can infect any iOS device, whether or not it is jailbroken. Even if a user manually deletes YiSpecter, it reappears automatically. It installs additional apps on infected devices that behave strangely and display full-screen advertisements even when the user opens a normal app. Palo Alto has published details of the DNS and IPS signatures for blocking the malware's traffic.
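The behaviours listed above (enterprise-signed components, components hidden from SpringBoard, names that mimic system apps, components that install one another) translate directly into triage heuristics a defender can run over an app inventory pulled from MDM or a device backup. The following Python is an added example, not Palo Alto Networks' code or detection signatures; the inventory records, field names (`signer`, `team_id`, `visible_on_springboard`) and the system-app name list are constructed for illustration.

```python
"""Heuristic triage of an iOS app inventory for YiSpecter-style indicators.

Added example (not Palo Alto Networks' code). Flags an app when it is
enterprise-signed and either (a) hidden from SpringBoard or (b) reuses a
first-party app's display name without carrying an Apple bundle identifier.
Because the components install each other, enterprise-signed apps sharing a
signing team with a flagged app are reported as probable siblings.
All field names and sample records below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed list of display names used by first-party iOS apps. An
# enterprise-signed, non-Apple bundle reusing one is treated as impersonation.
SYSTEM_APP_NAMES = {"phone", "messages", "settings", "safari", "app store", "mail"}


@dataclass(frozen=True)
class InstalledApp:
    bundle_id: str
    display_name: str
    signer: str                  # constructed: "apple", "appstore" or "enterprise"
    visible_on_springboard: bool
    team_id: str                 # constructed: signing team of the provisioning profile


def is_apple_bundle(bundle_id: str) -> bool:
    """Apple's own apps use the com.apple. prefix; nothing else may."""
    return bundle_id.startswith("com.apple.")


def indicators(app: InstalledApp) -> List[str]:
    """Return the indicator names this single app matches (empty list = clean)."""
    hits: List[str] = []
    if app.signer != "enterprise":
        return hits
    if not app.visible_on_springboard:
        hits.append("enterprise-signed and hidden from SpringBoard")
    if app.display_name.strip().lower() in SYSTEM_APP_NAMES and not is_apple_bundle(app.bundle_id):
        hits.append("enterprise-signed and mimics a system app name")
    return hits


def triage(inventory: List[InstalledApp]) -> Dict[str, List[str]]:
    """Map bundle_id -> matched indicators, including sibling components."""
    report = {app.bundle_id: indicators(app) for app in inventory}
    # Components install one another, so treat the signing team as the cluster key.
    flagged_teams = {app.team_id for app in inventory if report[app.bundle_id]}
    for app in inventory:
        if app.signer == "enterprise" and app.team_id in flagged_teams and not report[app.bundle_id]:
            report[app.bundle_id].append("enterprise-signed sibling of a flagged component")
    return {bundle: hits for bundle, hits in report.items() if hits}


# Constructed sample inventory: one benign enterprise app, one App Store app,
# and a three-component cluster resembling the behaviour described above.
SAMPLE_INVENTORY = [
    InstalledApp("com.apple.mobilephone", "Phone", "apple", True, "APPLE"),
    InstalledApp("com.example.expense", "Expense Report", "enterprise", True, "TEAMAAAA"),
    InstalledApp("com.example.fake.phone", "Phone", "enterprise", True, "TEAMBBBB"),
    InstalledApp("com.example.fake.helper", "NoIcon", "enterprise", False, "TEAMBBBB"),
    InstalledApp("com.example.fake.updater", "Updater", "enterprise", True, "TEAMBBBB"),
    InstalledApp("com.example.game", "Game", "appstore", True, "TEAMCCCC"),
]

if __name__ == "__main__":
    for bundle, hits in triage(SAMPLE_INVENTORY).items():
        print(bundle, "->", "; ".join(hits))
```

The sibling rule is deliberately conservative: it only extends to enterprise-signed apps under a team that already has a direct hit, so a lone enterprise app that is merely enterprise-signed (the `com.example.expense` record) stays clean.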
YiSpecter is the latest in a line of malware that has presented a grave danger to iOS devices. A malware family termed WireLurker displayed a similar ability to infect non-jailbroken iOS devices; it abused enterprise certificates to do so. Another, XcodeGhost, directly targeted Apple app developers in China. Chinese developers downloaded tampered copies of Xcode from sites other than Apple's. These copies looked identical to the official Xcode, so developers could not tell them apart from the original. Apps built with the counterfeit Xcode were injected with malicious code. Developers unaware of the threat uploaded these infected apps to the App Store, and users downloaded and installed them on their devices.
Researchers at Palo Alto believe that XcodeGhost and YiSpecter are unrelated, despite both infecting non-jailbroken devices. YiSpecter is the biggest threat to iOS security. It combines two techniques: using enterprise certificates and abusing private APIs. An attack of this nature is unprecedented and raises serious concerns about the security of Apple devices.
The malware began spreading in November last year. Researchers at Cheetah Mobile and Qihoo 360, two Chinese software companies, detected malware early this year and named it the Lingdun worm, but they did not reveal many details about its functionality. The Lingdun worm is now considered part of YiSpecter.
Malware has always been a major threat to devices, data and user accounts, but the threat increases manifold when the malware is more subtle and deep-rooted, like one hidden in an app creation tool. Such threats are real and already exist. XcodeGhost is an example of such malware. The counterfeit Xcode, termed as […]
Mark Dowd, the head of Australia-based Azimuth Security, has stated that there is a vulnerability in AirDrop, Apple's file sharing service, which allows unauthorized access to a device and can be used to install malware. A user with an AirDrop configuration allowing file sharing with anyone and not merely their […]
Researchers from the University of California, San Diego have demonstrated hacking a Corvette by sending specially crafted SMS messages to a tracking dongle plugged into the car's OBD-II (On-Board Diagnostics) port. In a YouTube video demonstrating the exploit, the researchers operated the windshield wipers and applied and deactivated the brakes at low speeds. (A dongle is a […]
Author: Arun Hegde, Security Architect @arun25. Here is a quick summary of my experience at RSA Conference 2014 in San Francisco last month. Highlights of RSA 2014: some of the highlights at this year's RSA were cloud security, mobile security (especially for enterprise), more companies providing SIEM solutions and a lot of new […]
CoinThief, a Bitcoin-stealing Trojan targeting Mac users, was discovered being offered on several download websites such as CNET's Download.com and MacUpdate.com. It was also available masquerading as pre-compiled binaries in multiple GitHub projects. The malware installs browser extensions for Safari and Google Chrome to monitor all web browsing traffic, specifically looking for login […]
It almost sounded unbelievable when Kaspersky researchers published details of a cyber espionage APT campaign, The Mask (Careto), that has been running in the wild since 2007, undetected, targeting 31 countries. The complexity of the tools used by the Mask attackers is very sophisticated, which makes it very special. This includes an extremely sophisticated piece of malware, a […]
Bradley Williams, a security researcher, has discovered a vulnerability in iOS 7 that allows "Find My iPhone" to be disabled without entering a password. This new vulnerability allows someone who has access to your iPhone to quickly disable the "Find My iPhone" service, which is used to track the location of all registered […]
Jamie Sanchez, a security researcher, discovered a vulnerability in the Snapchat mobile app which can crash your iPhone through a denial of service attack. The vulnerability can enable a hacker to launch DoS attacks which can potentially crash a user's phone or require the user to perform a hard reset. He further shows in a video that […]
Security researcher Daniel E. Wood discovered that the Starbucks iOS app stores usernames, email addresses and passwords in clear text (CVE-2014-0647). Starbucks mobile payment apps are widely used by customers because they make purchases easy. However, this disclosure comes as a surprise because all the customer data is stored in plain text and easily available for […]