Network security firm, Palo Alto Networks has discovered a new malware, monikered YiSpecter that infects iOS devices by abusing private APIs. Most affected users live in China and Taiwan.
Once YiSpecter infects a phone, it can install unwanted apps; replacing genuine apps with ones it has downloaded, send user information back to its server. It can force apps to show full-screen advertisements, change default search engines and bookmarks.
The malware automatically reappears even after users manually delete it from their iOS devices.
YiSpecter attacks jailbroken and non-jailbroken iOS devices
According to Palo Alto Networks, it an unusual iOS malware, since it both attacks jailbroken and non-jailbroken iOS devices by misusing private APIs to allow its four components to download and install each other from a centralized server.
Claud Xiao, security researcher at Palo Alto Networks’ wrote in a post that by abusing enterprise certificates and private APIs, the malware is not only able to infect more devices, but push the line barrier of iOS security back another step.
Three of the components can hide their icons from iOS SpringBoard (more commonly known as Home screen) and even mask themselves with the names and logos of other apps to prevent detection from users. The malware has been infecting iOS devices for more than 10 months, but only one out of 57 security vendors in Virus Total (a website for free checking of files for viruses) is detecting it.
YiSpecter found its way onto iPhones by masquerading as a free porn app. It then infected more phones via hijacked traffic from ISPs, a Windows worm that first attacked QQ (an instant messaging service by Tencent), and online communities where users install third-party apps in exchange for promotion fees from developers.
In September, 2015, Apple confirmed an unusual security breach in its Chinese App Store, infecting nearly 4,000 apps including WeChat, Didi Kuaidi (an Uber-like car service app), CamCard (business card scanning app) with malware called ‘XcodeGhost.’ The malware developers into downloading a compromised version of Apple’s Xcode developer tool-kit. The breach was first discovered by researchers at Alibaba Mobile Security. In spite of the unusual nature of both the malware, Palo Alto Networks says there is no confirmation of relation between the two.
Palo Alto Networks’ blog post has lined out detailed information on removing YiSpecter from devices.
