It’s less than 3 weeks since Unit 42 from Palo Alto published the IOS XCodeGhost malware that has infected 39 apps in Apple App Store. And they’re at it again! This time Unit 42 published findings on the malware YiSpecter, which uses many attack vectors with the key differentiator being Enterprise certificates & Private API to implement the hack.
This level of sophisticated is usually associated with Advanced Persistent Threat (APT)rather than a simple infection but since Apple Store has very strict checks, I guess they have to go to this level of sophistication in order to infect non-jailbroken devices.
Now I’m not saying that this malware company (YingMob Interaction) is really good, but they did “go the extra mile” to ensure a successful widespread infection by borrowing APT techniques published over the past 5 years.
In summary, YiSpecter mainly targets iPhone & iPad users in China & Taiwan, so maybe the hackers only target Simplified Chinese language users. The infection starts from infected websites, Windows-based IM platform like Tencent’s QQ Chat and forums where malicious HTML files are posted & displayed on the target IOS screen.
On IOS 8 devices, if the user click on dialog box to allow downloading the app, it is automatically installed because it contain a stolen but valid Enterprise certificate. On IOS 9, you have to switch on the permission to install Enterprise app, so new users are protected. However, if you’ve upgraded from IOS 8, it’s likely you’re still infected because YiSpecter is self-preserving, can spread the infection as part of a Botnet and is hidden from the user.
I wouldn’t go into the mechanism of the infection because it’s too technical for average users. You can find the link to the original Palo Alto notice at the end of the article.
To Clean the infection, you have to do the below:
- In iOS, go to Settings -> General -> Profiles to remove all unknown or untrusted profiles;
- If there’s any installed apps named “情涩播放器”, “快播私密版” or “快播0”, delete them;
- Use any third-party iOS management tool (e.g., iFunBox, though note that Apple’s iTunes doesn’t work in this step) on Windows or Mac OS X, to connect with your iPhone or iPad;
- In the management tool, check all installed iOS apps; if there’re some apps have name like Phone, Weather, Game Center, Passbook, Notes, or Cydia, delete them. (Note that this step won’t affect original system apps but just delete faked malware.)
YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs