Posted on 10/05/2015 11:30:57 AM PDT by Swordmaker
World where only jailbroken iThings were vulnerable is 'thing of the past'
The first iOS malware capable of attacking both non-jailbroken and jailbroken devices has surfaced online.
The mobile malware nasty - YiSpecter - hooks into private APIs in the iOS system to implement malicious actions has been in the wild for at least 10 months, mostly in China and Taiwan, since November 2014 if not earlier.
YiSpecter uses a battery of unusual tricks to spread itself. Distribution tactics include hijacking of traffic from nationwide ISPs, a worm on Windows, and an offline app installation and a community promotion. Initially the malware spread by posing as a “private version” or “version 5.0” of a famous but discontinued media player QVOD that offered the ability to watch porn videos online. Spreading tactics have evolved towards greater sophistication and diversity.
YiSpecter consists of four different components that are signed with enterprise certificates, according to security researchers at Palo Alto Networks, who add that the malware uses a variety of tricks to hide its presence on compromised systems, such as the use of the same name and logos as system apps and hiding their icons from iOS’s SpringBoard, which prevents the user from finding and deleting them. Once installed the malware mounts a variety of cybercrime scams, as detailed in a blog post by Palo Alto Networks.
On infected iOS devices, YiSpecter can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information to the C2 [command and control] server.
Whether an iPhone is jailbroken or not, the malware can be successfully downloaded and installed. Experience from victims suggests that even if you manually delete the malware, it will automatically re-appear. Manually removing YiSpecter is tricky but possible, according to Palo Alto, which has published some instructions.
iOS had remained (almost) malware-free for years. However YiSpecter is the latest of a relatively small but growing collection of malware families to target iOS devices. WireLurker previously demonstrated the ability to infected non-jailbroken iOS devices by abusing enterprise certificates. Academic researchers have discussed how private APIs can be used to implement sensitive functionalities in iOS. YiSpecter is the first real world iOS malware that combines these two attack techniques, according to Palo Alto.
Palo Alto Networks has released IPS (intrusion prevention system) and DNS signatures to block YiSpecter’s malicious traffic. Apple has also been notified about the outbreak.
Last month Palo alto warned of an OS X and iOS malware named XcodeGhost. Developers who relied on this malicious version of Apple’s Xcode developer tool produced apps with a built-in backdoor. Again the issue was largely confined to China but security researchers reckon the two problems are NOT related.
“While YiSpecter and XcodeGhost both attacked non-jailbroken iOS devices, they are not related to each other,” Palo Alto said. “We believe that YiSpecter and XcodeGhost were developed by different attackers and there is no evidence of cooperation between the two developers so far.”
If anything, YiSpecter poses a greater risk to iPhone and iPad (fondleslab) security.
“The world where only jailbroken iOS devices were threatened by malware is a thing of the past,” Palo Alto concludes. “WireLurker proved that non-jailbroken iOS devices can also be infected through abuse of the enterprise distribution mechanism. YiSpecter further shows us that this technique is being used to infect many iOS devices in the wild.”
“The key techniques deployed in YiSpecter are bypassing App Store reviews using enterprise distribution and abusing iOS private APIs to perform sensitive operations,” it adds. ®
http://www.macrumors.com/2015/10/05/apple-yispecter-malware-fix-ios-8-4/
Yup, the usual.
You have to use an old version of iOS (before 8.4).
You have to get an app from an untrusted source.
You have to consent to actively warned-against actions.
That’s like taking a mysterious box from an unlicensed cabbie who tells you to sneak the package onto an airplane... then being surprised the plane blows up.
Play stupid games, win stupid prizes.
There’s a reason half of all mobile device users opt for the walled garden.
Much thanks to CTDonath2 for finding Apple's response to this FUD malware announcement.
If you want on or off the Mac Ping List, Freepmail me.
I was right. . . YiSpecter’s FUD. . . Apple had closed this oh-so-frightening vulnerability in June with the release of iOS 8.4. . . and it is a re-thinking of the side-loading. The anti-malware company had to know this before they made their breathless, hyperbole laden announcement that “no iPhone is safe!” and their entire intent is to sell their anti-malware product. BAH! More proof you have to take ANY Apple Malware announcement with a 100 pound block of salt worth of skepticism!
That’s GREAT news. Thanks for the update!
Nows a good time to junk your iPhone. Amazon will take it in as a trade in for a new Samsung Note or Galaxy.
Uh, you are late to the game. . . this turned out to be a FUD announcement. Apple had closed this potential THREE MONTHS AGO. So sorry to disappoint you.
Anytime is a good time to scrap your iPhone
As one who writes iOS apps for a living, PLEASE update all apps (and operating systems) to the latest version whenever possible. We software engineers are literally spending our careers trying to give you the best software we can, and it's obnoxiously frustrating to get ongoing feedback that you're suffering from a bug which we fixed months ago (I get crash reports, so I know). If you're the nervous type holding to "let someone else find the new bugs, I don't wanna be the guinea pig" then wait a few weeks to see if a quick followup occurs (yeah, sometimes I find something wrong and push a new release out ASAP); if a version is stable for a month, it's better than whatever you're running now.
(BTW: update hardware too. If you're seriously using a device every day, figure it's worth at least $1/day to you - and go buy a new one accordingly. I know an iPhone 6S is around $650, but surely that's worth a buck a day for two years. I can only support so many versions of iOS back (big changes under the hood each time), and if you can't update your hardware to the latest iOS then you're not going to get my new features & fixes.)
But then I’d have to use an Android.
If your latest & best “so switch to Android already!” excuse is already obsolete by months the moment it surfaces, maybe better for you to reconsider your anti-Apple crusade.
Thanks for posting Swordmaker. Nice to have a good source of accurate info.
LOL!
What areas do you IOS write apps for? I understand you might want to keep your privacy on this:)
Not sure if it is related - but when my wife updated her iPhone 6 to iOS9, her search engine in Safari changed from Google to Yahoo. I kind of figured it had something to do with Apple and Google’s strained relations. Maybe Swordmaker has a clue?
Didn’t the article imply that the bulk of the insertions of this malware come via an app to view porn???? Just saying’
LOL
Hi, Sword,
I was wondering if you knew: I ordered an iPhone 6+s in space grey two weeks ago, from US Cellular, and they tell me they have no shipping date estimate, no tracking number, and I can get it anywhere from three weeks to ? months from now.
Is it normal for the new iPhones to be so back-ordered, or is US Cellular so small potatoes that Apple doesn’t care about shipping backordered phones to their customers in a timely fashion?
Thanks!
And by the way THANK YOU for your Mac pings, they really help us Mac designers/users!
Ed
Hey, CT,
What are some apps you’ve written?
I use tons of apps, from Gaia to Olive Tree to Heart Wise and Star Walk, Tour Tracker (the TDF) and many others...
Ed
Our cloud service brings enterprise data to mobile devices. Rather than a business spending piles of $$$ to develop their own custom app (and they’re anything _but_ mobile device software developers), we plug a virtual box into their data center and they get to easily customize their user interface running on our app. Our clients range up to Fortune 50 corporations (and steadily rising), industries as varied as medical providers, rock quarries, major charities, etc. We’ve saved & made clients a whole lotta millions of dollars.
(Being rather outspoken on FR, being a dark-corner iOS developer, and not being a marketer, you’ll understand if I decline to mention the app name.)
Defaults seem to vary, depending on how you invoke a search. I get Google when I search in Safari (no change upgrading thru 9.0.2), Siri prefers Bing, and I wouldn’t be surprised if some other angle invokes Yahoo.
Settings > Safari > Search Engine to change which one.
Seems like every month I am getting an email from some online vendor about how their data (and hence mine) got compromised. No platform is safe. We need to find a better, more secure approach to computing.
LOL! Nope, it was and is Drudge.
Malvertising on DrudgeReport - Cyphort
http://www.cyphort.com/drudgereport-malvertising/
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.