It seems Apple can’t get out of the news regarding security: hundreds of App Store apps were recently affected by the XcodeGhost malware, and today we hear reports of another piece of malware attacking iOS devices.
According to Palo Alto Networks, the YiSpecter malware has been in the wild for over 10 months, and only 1 of 57 security vendors on VirusTotal was able to detect it. YiSpecter consists of four different components signed with enterprise certificates; by abusing private APIs, these components download and install each other from a command and control (C2) server. Three of the four components are able to hide their icons from iOS’s SpringBoard, which prevents users from finding and deleting them. They are also able to use the same names and logos as stock iOS apps to trick users.
The YiSpecter malware is able to download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack apps to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and even upload device information to a server.
The four components of YiSpecter:
NoIcon (bundle ID: com.weiying.hiddenIconLaunch)
This is the malicious component of YiSpecter and can:
– Connect to the command and control server (C2)
– Upload basic device information
– Retrieve and execute remote commands
– Change Safari default configuration
– Silently install two other components of YiSpecter (AdPage & NoIconUpdate)
– Monitor installed apps to launch advertisements using the AdPage component
AdPage (bundle ID: com.weiying.ad)
Responsible for displaying advertisements when NoIcon hijacks the execution of legitimate apps.
NoIconUpdate (bundle ID: com.weiying.noiconupdate)
Checks for the existence of the malware’s other components and reports the information to the C2 server. It also checks for and installs updates of the malware.
YiSpecter uses “bb800.com” as its C2 server’s domain name. According to VirusTotal, there are 38 records of subdomains under this domain name, and 16 of them have been used by Android adware for years.
iosnoico.bb800.com – used to upload information, download configs and commands, download malicious components
qvod.bb800.com – used to download the main app
qvios.od.bb800.com – used to download the main app
dp.bb800.com – used to download promoted apps
iosads.cdn.bb800.com – used to download promoted apps and download malicious components
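As an added illustration, not code from the original post or from Palo Alto Networks’ report, here is a small Python check that scans DNS query log lines for the bb800.com indicators listed above and rates each hit; the log line format and the sample lines are constructed assumptions.

```python
import re
# Hostnames the post attributes to YiSpecter's C2 infrastructure, with the role it gives each.
YISPECTER_C2_HOSTS = {
    "iosnoico.bb800.com": "info upload, configs/commands, malicious components",
    "qvod.bb800.com": "main app download",
    "qvios.od.bb800.com": "main app download",
    "dp.bb800.com": "promoted app download",
    "iosads.cdn.bb800.com": "promoted apps and malicious components",
}
C2_PARENT_DOMAIN = "bb800.com"
# Assumed (constructed) log format: "<timestamp> <client-ip> <queried-name>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
def normalise(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().lower().rstrip(".")

def under_parent(name, parent):
    """Exact match or a real subdomain; a look-alike such as "notbb800.com" must not match."""
    return name == parent or name.endswith("." + parent)

def classify_query(name):
    """Return (severity, note) for a queried name, or None if unrelated to the C2 domain."""
    name = normalise(name)
    if name in YISPECTER_C2_HOSTS:
        return ("high", YISPECTER_C2_HOSTS[name])
    if under_parent(name, C2_PARENT_DOMAIN):
        # The post notes 16 of 38 known bb800.com subdomains served Android adware.
        return ("medium", "other bb800.com subdomain; review")
    return None

def scan_dns_log(lines):
    """Return (client_ip, hostname, severity, note) for every suspicious query."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, qname = m.groups()
        verdict = classify_query(qname)
        if verdict:
            hits.append((client, normalise(qname), verdict[0], verdict[1]))
    return hits

# Constructed sample lines (not real traffic) so the script runs stand-alone.
SAMPLE_LOG = [
    "2015-10-05T10:00:01Z 10.0.0.12 iosnoico.bb800.com.",
    "2015-10-05T10:00:02Z 10.0.0.12 DP.bb800.com",
    "2015-10-05T10:00:03Z 10.0.0.40 notbb800.com",
    "2015-10-05T10:00:04Z 10.0.0.55 ads.bb800.com",
    "garbage line",
]
```

Calling `scan_dns_log(SAMPLE_LOG)` flags the two listed C2 hosts as high and the unlisted bb800.com subdomain as medium, while the look-alike domain and the malformed line are ignored.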
How you can protect yourself:
As the malicious apps of YiSpecter abuse private APIs and use enterprise certificates, users have to select “Continue” or “Quit” when running one of these malicious apps for the first time, so just select “Quit” when ANY app asks you for permission to run.
You can also go to Settings > General > Profiles and delete any unknown or untrusted profiles, just for good measure.
Apple has responded, saying that a fix was released in iOS 8.4, so devices running iOS 8.4 and above are safe as long as users don’t download apps from untrusted sources.
You can read more about YiSpecter and how it works over here.
To stay up to date with the latest news, be sure to follow iOSDaily on Twitter.