
YiSpecter: A new malware that attacks non-jailbroken iOS devices

Yup, you read that correctly: YiSpecter (that’s what they’re calling it) is a new iOS malware that is able to infect non-jailbroken devices, and it does so by abusing private APIs. This is the first of its kind; usually jailbroken devices are targeted, but it now seems stock devices could also be at risk. Full story after the jump…

It seems Apple can’t stay out of the news regarding security: hundreds of App Store apps were recently affected by the XcodeGhost malware, and today we hear reports of another malware attacking iOS devices.

According to Palo Alto Networks, the YiSpecter malware has been in the wild for over 10 months, and only 1 of 57 security vendors on VirusTotal was able to detect it. YiSpecter consists of four different components that are signed with enterprise certificates; by abusing private APIs, these components download and install each other from a command and control (C2) server. Three of the four components are able to hide their icons from iOS’s SpringBoard, which prevents users from finding and deleting them. They are also able to use the same names and logos as stock iOS apps to trick users.

The YiSpecter malware is able to download, install and launch arbitrary iOS apps; replace existing apps with those it downloads; hijack apps to display advertisements; change Safari’s default search engine, bookmarks and opened pages; and even upload device information to a server.

The four components of YiSpecter:
NoIcon (bundle ID: com.weiying.hiddenIconLaunch)
This is the malicious component of YiSpecter, and it can:
– Connect to the command and control (C2) server
– Upload basic device information
– Retrieve and execute remote commands
– Change Safari’s default configuration
– Silently install two other components of YiSpecter (AdPage & NoIconUpdate)
– Monitor installed apps in order to launch advertisements using the AdPage component

AdPage (bundle ID: com.weiying.ad)
Responsible for displaying advertisements when NoIcon hijacks the execution of legitimate apps.

NoIconUpdate (bundle ID: com.weiying.noiconupdate)
Checks for the existence of the malware’s other components and reports that information to the C2 server. It also checks for and installs updates to the malware.

C2 Server
YiSpecter uses “bb800.com” as its C2 server’s domain name. According to VirusTotal, there are 38 records of subdomains under this domain name, and 16 of them have been used by Android adware for years.
iosnoico.bb800.com – used to upload information, download configs and commands, download malicious components
qvod.bb800.com – used to download the main app
qvios.od.bb800.com – used to download the main app
dp.bb800.com – used to download promoted apps
iosads.cdn.bb800.com – used to download promoted apps and download malicious components
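For anyone who manages a network with iOS devices on it, the domains and bundle IDs above are enough to write a simple detector. The script below is an added example (not from this post or from Palo Alto Networks): it flags DNS queries for the C2 domain or any of its subdomains using proper suffix matching, so look-alike names such as “notbb800.com” are not flagged, and it maps installed bundle IDs to the YiSpecter component they belong to. The dnsmasq-style log format and the sample log lines are constructed for the example.

```python
import re

# Indicators quoted in the post (from the Palo Alto Networks report).
C2_DOMAIN = "bb800.com"
C2_HOSTS = {
    "iosnoico.bb800.com": "info upload, config/command and component download",
    "qvod.bb800.com": "main app download",
    "qvios.od.bb800.com": "main app download",
    "dp.bb800.com": "promoted app download",
    "iosads.cdn.bb800.com": "promoted app and component download",
}
BUNDLE_IDS = {
    "com.weiying.hiddenIconLaunch": "NoIcon",
    "com.weiying.ad": "AdPage",
    "com.weiying.noiconupdate": "NoIconUpdate",
}

# dnsmasq-style query lines; this log format is an assumption for the example.
DNS_QUERY = re.compile(r"query\[\w+\]\s+(?P<host>\S+)\s+from\s+(?P<client>\S+)")

def is_c2_host(host: str) -> bool:
    # Suffix match on DNS labels, not a substring match: "notbb800.com" and
    # "cdn.bb800.com.example.org" must not count as the C2 domain.
    host = host.lower().rstrip(".")
    return host == C2_DOMAIN or host.endswith("." + C2_DOMAIN)

def scan_dns_log(text: str) -> list:
    """Return one hit (line, client, host, role) per query to a YiSpecter C2 host."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DNS_QUERY.search(line)
        if not m or not is_c2_host(m["host"]):
            continue
        host = m["host"].lower().rstrip(".")
        hits.append({"line": lineno, "client": m["client"], "host": host,
                     "role": C2_HOSTS.get(host, "unlisted bb800.com subdomain")})
    return hits

def match_bundle_ids(installed: list) -> dict:
    """Map any installed bundle ID that belongs to YiSpecter to its component name."""
    return {b: BUNDLE_IDS[b] for b in installed if b in BUNDLE_IDS}

# Constructed sample log for demonstration (not real traffic).
SAMPLE_LOG = """\
Oct  4 12:00:01 dnsmasq[812]: query[A] qvod.bb800.com from 10.0.0.12
Oct  4 12:00:02 dnsmasq[812]: query[A] www.apple.com from 10.0.0.12
Oct  4 12:00:03 dnsmasq[812]: query[A] notbb800.com from 10.0.0.15
Oct  4 12:00:04 dnsmasq[812]: query[A] cdn.bb800.com.example.org from 10.0.0.15
Oct  4 12:00:05 dnsmasq[812]: query[A] ads.bb800.com from 10.0.0.15
"""
```

Running `scan_dns_log(SAMPLE_LOG)` flags only lines 1 and 5; the unlisted subdomain on line 5 is still reported, since the post notes that far more bb800.com subdomains exist than the five named here.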

How you can protect yourself:
As the malicious YiSpecter apps abuse private APIs and use enterprise certificates, users will have to select “Continue” or “Quit” when running one of these malicious apps for the first time, so just select “Quit” when ANY app asks you for permission to run.

You can also head into Settings > General > Profiles to delete any unknown or untrusted profiles just for good measure.

[UPDATE]
Apple has responded, saying that a fix was released in iOS 8.4, so devices running iOS 8.4 and above are safe as long as users don’t download stuff from untrusted sources.

You can read more about YiSpecter and how it works over here.


About Chris Wilson
