Posted on 10/05/2015 11:30:57 AM PDT by Swordmaker
World where only jailbroken iThings were vulnerable is 'thing of the past'

The first iOS malware capable of attacking both non-jailbroken and jailbroken devices has surfaced online.
The mobile malware nasty, YiSpecter, hooks into private iOS APIs to carry out its malicious actions. It has been in the wild for at least 10 months, since November 2014 if not earlier, mostly in China and Taiwan.
YiSpecter uses a battery of unusual tricks to spread itself. Distribution tactics include hijacking of traffic from nationwide ISPs, a Windows worm, offline app installation and community promotion. Initially the malware spread by posing as a private version, or "version 5.0", of QVOD, a famous but discontinued media player, offering the ability to watch porn videos online. Its spreading tactics have since evolved towards greater sophistication and diversity.
YiSpecter consists of four different components that are signed with enterprise certificates, according to security researchers at Palo Alto Networks, who add that the malware uses a variety of tricks to hide its presence on compromised devices, such as using the same names and logos as system apps and hiding its icons from iOS's SpringBoard, which prevents the user from finding and deleting them. Once installed, the malware mounts a variety of cybercrime scams, as detailed in a blog post by Palo Alto Networks:
"On infected iOS devices, YiSpecter can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps' execution to display advertisements, change Safari's default search engine, bookmarks and opened pages, and upload device information to the C2 [command and control] server."
Whether an iPhone is jailbroken or not, the malware can be successfully downloaded and installed. Experience from victims suggests that even if you manually delete the malware, it will automatically reappear. Manually removing YiSpecter is tricky but possible, according to Palo Alto, which has published instructions.
iOS had remained (almost) malware-free for years. However, YiSpecter is the latest of a relatively small but growing collection of malware families to target iOS devices. WireLurker previously demonstrated the ability to infect non-jailbroken iOS devices by abusing enterprise certificates. Academic researchers have discussed how private APIs can be used to implement sensitive functionality in iOS. YiSpecter is the first real-world iOS malware that combines these two attack techniques, according to Palo Alto.
Palo Alto Networks has released IPS (intrusion prevention system) and DNS signatures to block YiSpecter's malicious traffic. Apple has also been notified about the outbreak.
Last month Palo Alto warned of an OS X and iOS malware named XcodeGhost. Developers who relied on this malicious version of Apple's Xcode developer tool produced apps with a built-in backdoor. Again the issue was largely confined to China, but security researchers reckon the two problems are NOT related.
"While YiSpecter and XcodeGhost both attacked non-jailbroken iOS devices, they are not related to each other," Palo Alto said. "We believe that YiSpecter and XcodeGhost were developed by different attackers and there is no evidence of cooperation between the two developers so far."
If anything, YiSpecter poses a greater risk to iPhone and iPad (fondleslab) security.
"The world where only jailbroken iOS devices were threatened by malware is a thing of the past," Palo Alto concludes. "WireLurker proved that non-jailbroken iOS devices can also be infected through abuse of the enterprise distribution mechanism. YiSpecter further shows us that this technique is being used to infect many iOS devices in the wild."
"The key techniques deployed in YiSpecter are bypassing App Store reviews using enterprise distribution and abusing iOS private APIs to perform sensitive operations," it adds. ®
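The two techniques the article keeps returning to (enterprise-certificate distribution that sidesteps App Store review, and private API use to install apps and hide icons from SpringBoard, as described in the component paragraph above and the summary just here) leave artefacts inside the IPA itself. The following Python is an added triage example written for this page, not code from Palo Alto Networks, Apple or the malware authors: it pulls the XML plist out of an embedded.mobileprovision blob, classifies the distribution channel from the profile's keys, and flags the Info.plist and binary-string indicators a reviewer would check on an unpacked app. The sample profile, Info.plist and binary are constructed; the private-API watch list, the "system app name" list and the `SBAppTags` "hidden" check are assumptions about what to look for rather than anything the article states; the team name is hypothetical.

```python
import plistlib

# --- Constructed sample inputs (not real artefacts from YiSpecter or any app) ---
# A real embedded.mobileprovision is a CMS (PKCS#7) signed blob wrapping an
# XML plist; the CMS envelope is faked here with filler bytes around the plist.
SAMPLE_PROVISION = (
    b"\x30\x82\x01\x00 fake CMS header bytes "
    + b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Name</key><string>Example In-House Profile</string>
    <key>TeamName</key><string>Example Corp (hypothetical)</string>
    <key>ProvisionsAllDevices</key><true/>
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key><string>ABCDE12345.com.example.player</string>
    </dict>
</dict>
</plist>"""
    + b" fake CMS signature bytes "
)

# Constructed Info.plist already parsed into a dict (plistlib.load would give this).
SAMPLE_INFO_PLIST = {
    "CFBundleIdentifier": "com.example.player",
    "CFBundleDisplayName": "Settings",   # copies a built-in app's name
    "SBAppTags": ["hidden"],             # asks SpringBoard not to show the icon
}

# Constructed stand-in for the app's Mach-O binary: magic, padding, and the
# plain-text Objective-C class/selector names a string scan would see.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 16
    + b"LSApplicationWorkspace\x00installApplication:withOptions:\x00"
    + b"https://example.invalid/c2\x00"
)

# Assumed watch list: private (non-App-Store-safe) names tied to installing or
# launching apps outside the normal flow. Illustrative, not exhaustive.
PRIVATE_API_WATCHLIST = [
    b"LSApplicationWorkspace",
    b"installApplication:withOptions:",
    b"SBSLaunchApplicationWithIdentifier",
    b"openApplicationWithBundleID:",
]

# Display names of built-in apps a malicious component might borrow (assumed).
SYSTEM_APP_NAMES = {"Settings", "Phone", "Messages", "Safari", "App Store", "Photos"}


def extract_profile_plist(blob: bytes) -> dict:
    """Pull the XML plist out of a CMS-wrapped embedded.mobileprovision.

    The blob is signed, not encrypted, so the plist text sits in the clear
    between the CMS header and the signature. This does no signature check;
    on macOS `security cms -D -i embedded.mobileprovision` decodes the same blob.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify_distribution(profile: dict) -> str:
    """Map provisioning-profile keys to the distribution channel.

    ProvisionsAllDevices marks an in-house (enterprise) profile: the app runs
    on any device that trusts the certificate, with no App Store review.
    ProvisionedDevices lists the UDIDs a development or ad-hoc build is bound to.
    """
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    if profile.get("ProvisionedDevices"):
        return "development"
    return "other"


def find_private_api_refs(binary: bytes) -> list:
    """Return watch-list names present as plain strings in the binary.

    Objective-C keeps class and selector names in the binary, so a substring
    scan catches direct callers; it misses names assembled at runtime.
    """
    return [name.decode() for name in PRIVATE_API_WATCHLIST if name in binary]


def triage_app(provision_blob: bytes, info_plist: dict, binary: bytes) -> dict:
    """Run the three checks on an unpacked IPA and return the findings."""
    profile = extract_profile_plist(provision_blob)
    findings = []
    distribution = classify_distribution(profile)
    if distribution == "enterprise":
        findings.append("enterprise-signed: App Store review bypassed (team: %s)"
                        % profile.get("TeamName", "?"))
    if "hidden" in info_plist.get("SBAppTags", []):
        findings.append("SBAppTags contains 'hidden': icon concealed from SpringBoard")
    name = info_plist.get("CFBundleDisplayName", "")
    bundle_id = info_plist.get("CFBundleIdentifier", "")
    if name in SYSTEM_APP_NAMES and not bundle_id.startswith("com.apple."):
        findings.append("display name %r mimics a system app (bundle id %s)" % (name, bundle_id))
    refs = find_private_api_refs(binary)
    if refs:
        findings.append("private API references: " + ", ".join(refs))
    return {"distribution": distribution, "findings": findings}


if __name__ == "__main__":
    for line in triage_app(SAMPLE_PROVISION, SAMPLE_INFO_PLIST, SAMPLE_BINARY)["findings"]:
        print("-", line)
```

None of these indicators is proof on its own: legitimate in-house apps are enterprise-signed, and a string hit only shows the name is present, not that the call is made. Together with the article's other markers (re-installation after deletion, Safari settings changed) they are enough to pull a side-loaded app for closer analysis, and the enterprise check in particular is the one to run on anything that was not installed from the App Store.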
Ah, no.
I have had my Safari screen hijacked and move to a different web page on my brand new 6s Plus.
Thanks to dayglored for the heads up. . .

If you want on or off the Mac Ping List, Freepmail me.
What page?
DrudgeReport.com does that sometimes, serving ads which abuse web page redirection. That’s not an iOS flaw, it’s a web page deliberately (if annoyingly) abusing sensible browser capabilities.
The lead article is something far more insidious, more akin to someone taking over your finances than TPing your front bushes.
But these things are made in China. Have you read about the weird software they put on the new Lenovo?
Your informative posts are greatly appreciated.
Been rethinking position that Android is superior to CrApple products lately -
Concede that Android manufacturers, carriers, App vendors and users have a lot of ongoing experience addressing vulnerability management on an insecure platform.
Practice does not appear to make perfect.
/s
Damn two year contract, $350 early termination penalty..
iPhone has a sphincter issue?
Hmmm... could be the Drudge redirector. Happened twice to the same page, a page related to (not the same as) one I had previously visited. Weird. I had to click on that page and then close it out. Never had that happen on any phone before. Then I started searching for malware software, but haven’t yet added any because it hasn’t happened in a couple of days, although I do harbor concern that my keystrokes are being registered somewhere (yeah, I am paranoid, I guess).
Apple has complete control of all software on all Apple products. No one else can add software without Apple's approval. . . To do so would cause the assembler to lose a multi-billion dollar contract.
Ad links can open new tabs already. . . so I am not certain that Obadiah's problem is at all related to this malware. Mostly what this is talking about is hijacking the search engine. I am still waiting to learn what page got opened. Obadiah?
That's what happened. That's an HTML5 function which can be controlled by an ad. Reprehensible practice but not unexpected. From what I have read, to get infected with this, you actually have to download an out of app store App from an unauthorized store or website. This happens all the time in China. . . as they use the ability of the iPhone to have Enterprise Certificates permission to load Apps, which is intended to allow businesses to update their employees' iPhones with their own proprietary software. This was promoted by third-party App stores in China to sell unauthorized Apps outside of the curated Apple store. . .
I think these unauthorized stores are where this is coming from and why it has not spread beyond China and Taiwan.
Thanks for your support. . . such posts as yours inoculate me against a hundred anti-Apple hate Brigade posts. I appreciate you posting your thanks.
Cool. Many thanks.
Apple now allows ad blockers on iOS devices. . . that’s what I would be looking for instead of an anti-virus/malware app. Run that to block even the loading of the ads.
Let's hope that this piece of malware doesn't live up to its hype. And that Apple is able to mitigate the threat appropriately.
Yeah. And this article is long on buzzwords and tech terms and short on real details and information.
I’m fairly certain that this has happened to me on my iPad.
I'm not certain Apple needs to. . . This is basically the same thing as was reported last year in China about side-loading apps from third-party stores using Enterprise Authority Certificates, which are intended to allow businesses to manage the proprietary iOS software they've installed on employees' iPhones and iPads. Three-quarters of the apps sold that way had some kind of malware hidden in them. This is just one more of those that's persistent. The user still has to go to an unofficial app source and download the malware-loaded app. Not a smart thing to do.
Yeah, I don’t go to Drudge much on my iOS devices nowadays. Too long to load, too many aggressive ads.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.