Palo Alto Networks has detected a malware capable of attacking even those non-jailbroken iOS devices. The researchers have named the malware as YiSpecter. It follows unique methods that involves exploiting private APIs in iOS and infecting them. Private APIs are undocumented by Apple and, therefore, avoid being detected. Apple’s App Store has around 100 such applications.
Claud Xiao, a researcher from Palo Alto stated, “What that means is the attacking technique of abusing private APIs can also be used separately and can affect all normal iOS users who only download apps from the App Store.” It is the first time a malware capable of infecting both jailbroken as well as non-jailbroken iPhones and iPads.
(Image: intego.com)
Attack Scenario
- The malware has four components with enterprise certifications.
- These components exploit private APIs and download on the targeted devices.
- Through a command and control server (C2), these components install each other.
- Three of these components remain hidden from SpringBoard of iOS.
- It prevents their detection and deletion.
- The components use logos and names similar to system applications to avoid detection.
- Once installed, the malware gets a complete access to the device and can download and install apps, delete existing apps, make changes to the system settings and transmit the device details to the C2 server.
YiSpecter has some unique features. It can infect any iOS device irrespective of the fact whether it is jailbroken or not. Even if a user manually deletes YiSpecter, it reappears automatically. It installs additional apps on the infected devices that behave strangely and displays full-screen advertisements even when a user opens a normal app on the phone. Palo Alto has revealed the details of the DNS and IPS signatures for blocking the traffic of the malware.
YiSpecter is the latest in the line of malware that have presented a grave danger to iOS operated devices. A malware termed WireLurker displayed a similar capability of infecting iOS devices that were non-jailbroken. It exploited the enterprise certificates to infect devices. Another malware, XcodeGhost directly targeted Apple app developers in China. Chinese app developers downloaded infected Xcodes from sites other than Apple’s. These Xcodes looked similar to official Xcodes and hence the developers could not differentiate them from the original. When they developed Apple apps using the forged Xcodes, these apps were infected with malicious codes. Developers unaware of the threats uploaded these infected apps on the App Store and users downloaded and installed these apps on their devices.
Researchers at Palo Alto believe that XcodeGhost and YiSpecter are unrelated despite the similarity that both of them infect non-jailbroken devices. YiSpecter is the biggest threat to iOS security. It combines the two techniques – using enterprise certificates and exploiting private APIs. An attack of this nature is unprecedented and creates serious concerns about the security of Apple devices.
The spread of the malware began in November last year. Researchers at Cheetah Mobile and Qihoo 360, two Chinese software companies, detected a malware early this year and named it Lingdun worm. But they did not reveal many details about its functionalities. Lingdun worm is now a part of YiSpecter
