iOS malware YiSpecter: NO iPHONE IS SAFE
The Register (UK) | October 5, 2015 | by John Leyden
Posted on 10/05/2015 11:30:57 AM PDT by Swordmaker
As of now, this seems to be limited to China. . . and this comes from the same security company that reported XcodeGhost which has a tendency for hyperbole, for example claiming 4000 infected apps in the iOS ecosystem implying they were in the Apple App store, when the number in Apple's store was under 50 and the rest were in sources for jailbroken iOS devices. This time they are claiming that YiSpecter can infect un-Jailbroken iOS devices and may have been in the wild since November of 2014 without providing evidence of such a time frame especially considering they claim the infections are limited to China and Taiwan, which makes the claim doubtful given an almost one year in the wild claim. Were that true, such a potential malware would have a far greater spread to monetize its return. There'd be far more complaints given that its mode of operation such as search engine hijacking has an "in-your-face" obviousness red flag about it. There's something that smells about this. . . especially when the security firm that has discovered it is SELLING an app to protect against it. I am a bit skeptical.
To: Swordmaker
"As of now, this seems to be limited to China..."
Ah, no.
I have had my Safari screen hijacked and move to a different web page on my brand new 6s Plus.
2 posted on 10/05/2015 11:34:36 AM PDT by Obadiah (Mr. Obama, the time for honoring yourself will soon be at an end.)
To: ~Kim4VRWC's~; 1234; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; Aliska; altair; ...
YiSpecter: The first iOS malware capable of attacking both non-jailbroken and jailbroken devices has surfaced online. Supposedly.
It appears it DOES have to be downloaded and installed by the user. . .
As of now, this seems to be limited to China. . . and this comes from the same security company that reported XcodeGhost which has a tendency for hyperbole, for example claiming 4000 infected apps in the iOS ecosystem implying they were in the Apple App store, when the number in Apple's store was under 50 and the rest were in sources for jailbroken iOS devices. This time they are claiming that YiSpecter can infect un-Jailbroken iOS devices and may have been in the wild since November of 2014 without providing evidence of such a time frame especially considering they claim the infections are limited to China and Taiwan, which makes the claim doubtful given an almost one year in the wild claim. Were that true, such a potential malware would have a far greater spread to monetize its return. There'd be far more complaints given that its mode of operation such as search engine hijacking has an "in-your-face" obviousness red flag about it. There's something that smells about this. . . especially when the security firm that has discovered it is SELLING an app to protect against it. I am a bit skeptical.
PING! Thanks to dayglored for the heads up. . .

Apple iOS malware Warning or Possible FUD
Ping!
The Latest Apple/Mac/iOS Pings can be found by searching Keyword ApplePingList on FreeRepublic's Search.
If you want on or off the Mac Ping List, Freepmail me.
3 posted on 10/05/2015 11:36:40 AM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
To: Obadiah
"I have had my Safari screen hijacked and move to a different web page on my brand new 6s Plus."
What page?
4 posted on 10/05/2015 11:37:33 AM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
To: Obadiah
DrudgeReport.com does that sometimes, serving ads which abuse web page redirection. That’s not an iOS flaw, it’s a web page deliberately (if annoyingly) abusing sensible browser capabilities.
The lead article is something far more insidious, more akin to someone taking over your finances than TPing your front bushes.
5 posted on 10/05/2015 11:43:33 AM PDT by ctdonath2 (Everyone entering NRA offices come out alive. Not so Planned Parenthood.)
To: Obadiah
but these things are made in China. Have you read about the weird software they put on the New Lenovo
To: Swordmaker
Your informative posts are greatly appreciated.
Been rethinking position that Android is superior to CrApple products lately -
Concede that Android manufacturers, carriers, App vendors and users have a lot of ongoing experience addressing vulnerability management on an insecure platform.
Practice does not appear to make perfect.
/s
Damn two year contract, $350 early termination penalty..
7 posted on 10/05/2015 11:45:54 AM PDT by MarchonDC09122009 (When is our next march on DC? When have we had enough?)
To: Swordmaker
iPhone has a sphincter issue?
8 posted on 10/05/2015 11:46:38 AM PDT by A CA Guy (God Bless America, God Bless and keep safe our fighting men and women.)
To: ctdonath2; Swordmaker
Hmmm... could be the Drudge redirector. Happened twice to the same page, a page related to (not the same) as I had previously visited. Weird. I had to click on that page and then close it out. Never had that happen on any phone before. Then I started searching for malware software, but haven’t yet added any because it hasn’t happened in a couple of days, although I do harbor concern that my keystrokes are being registered somewhere (yeah, I am paranoid, I guess).
9 posted on 10/05/2015 12:01:41 PM PDT by Obadiah (Mr. Obama, the time for honoring yourself will soon be at an end.)
To: butlerweave; Obadiah
"but these things are made in China. Have you read about the weird software they put on the New Lenovo"
Apple has complete control of all software on all Apple products. No one else can add software without Apple's approval. . . To do so would cause the assembler to lose a multi-billion dollar contract.
Ad links can open new tabs already. . . so I am not certain that Obadiah's problem is at all related to this malware. Mostly what this is talking about is hijacking the search engine. I am still waiting to learn what page got opened. Obadiah?
10 posted on 10/05/2015 12:06:04 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
To: Obadiah
"Hmmm... could be the Drudge redirector. Happened twice to the same page, a page related to (not the same) as I had previously visited. Weird. I had to click on that page and then close it out. Never had that happen on any phone before. Then I started searching for malware software, but haven't yet added any because it hasn't happened in a couple of days, although I do harbor concern that my keystrokes are being registered somewhere (yeah, I am paranoid, I guess)."
That's what happened. That's an HTML5 function which can be controlled by an ad. Reprehensible practice but not unexpected. From what I have read, to get infected with this, you actually have to download an out of app store App from an unauthorized store or website. This happens all the time in China. . . as they use the ability of the iPhone to have Enterprise Certificates permission to load Apps, which is intended to allow businesses to update their employees' iPhones with their own proprietary software. This was promoted by third-party App stores in China to sell unauthorized Apps outside of the curated Apple store. . .
I think these unauthorized stores are where this is coming from and why it has not spread beyond China and Taiwan.
11 posted on 10/05/2015 12:13:23 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
To: MarchonDC09122009
Thanks for your support. . . such posts as yours inoculate me against a hundred anti-Apple hate Brigade posts. I appreciate you posting your thanks.
12 posted on 10/05/2015 12:14:59 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
To: Swordmaker
13 posted on 10/05/2015 12:15:08 PM PDT by Obadiah (Mr. Obama, the time for honoring yourself will soon be at an end.)
To: Obadiah
Apple now allows ad blockers on iOS devices. . . that’s what I would be looking for instead of an anti-virus/malware app. Run that to block even the loading of the ads.
14 posted on 10/05/2015 12:27:27 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
To: Swordmaker
Don'tcha just love the pics The Register uses with their articles? They get a lot of mileage out of ol' "Psycho" Janet Leigh, the archetypal scary scream of horror...
Let's hope that this piece of malware doesn't live up to its hype. And that Apple is able to mitigate the threat appropriately.
15 posted on 10/05/2015 12:42:53 PM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")
To: Swordmaker
Yeah. And this article is long on buzzwords and tech terms and short on real details and information.
16 posted on 10/05/2015 1:30:32 PM PDT by TalonDJ
To: Swordmaker
I’m fairly certain that this has happened to me on my iPad.
17 posted on 10/05/2015 3:08:24 PM PDT by COUNTrecount (Race Baiting...... "It's What's For Breakfast")
To: dayglored
"Let's hope that this piece of malware doesn't live up to its hype. And that Apple is able to mitigate the threat appropriately."
I'm not certain Apple needs to. . . This is basically the same thing as was reported last year in China about side-loading apps from third-party stores using Enterprise Authority Certificates which are intended to allow businesses to manage their proprietary iOS software they've installed on employees' iPhones and iPads. Three-quarters of the apps sold that way had some kind of malware hidden in them. This is just one more of those that's persistent. The user still has to go to an un-official app source and download the malware loaded app. Not a smart thing to do.
18 posted on 10/05/2015 3:37:19 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
To: COUNTrecount
"I'm fairly certain that this has happened to me on my iPad."
It's been driving me nuts for several days. I finally figured out it came from Drudge. If he's accepting that type of advertising, then he's dead to me.
19 posted on 10/05/2015 5:26:15 PM PDT by aimhigh (1 John 3:21)
To: aimhigh
Yeah, I don’t go to Drudge much on my iOS devices nowadays. Too long to load, too many aggressive ads.
20 posted on 10/05/2015 6:45:22 PM PDT by ctdonath2 (Everyone entering NRA offices come out alive. Not so Planned Parenthood.)