Solutions

[Chinese Version] YiSpecter: Another iOS Malware That Attacks Non-jailbroken Apple iOS Devices

Three weeks ago, Palo Alto Networks' Unit 42 reported that the iOS XcodeGhost malware had infected 39 apps in the Apple App Store. Now they have published findings on a new piece of malware, YiSpecter, which infects non-jailbroken Apple iPhones and iPads. YiSpecter uses many attack vectors to carry out the attack; the biggest difference from earlier malware is its use of enterprise certificates and private APIs.

This level of sophistication is usually associated with Advanced Persistent Threats (APTs) rather than a simple infection. Because the App Store's review is very strict, they had to reach this level of sophistication in order to infect non-jailbroken devices.

This is not to say that the company behind it (YingMob Interaction) is technically outstanding, since malware of this kind has been widely used over the past five years.

In summary, YiSpecter mainly targets iPhone and iPad users in China and Taiwan; perhaps the attackers only target Simplified Chinese users. The infection starts from infected websites, Tencent's QQ chat software on Windows, and HTML files posted on forums, which display pornographic links on the iOS screen.

On iOS 8 devices, if the user taps the dialog box to let the site download the app, it is installed automatically because it carries a stolen but valid enterprise certificate. On iOS 9 you must explicitly enable the permission to install enterprise apps, so users are protected. However, if you upgraded from iOS 8, you may still be infected, because YiSpecter protects itself, can spread the infection as part of a botnet, and hides itself from the user.

If you want more details on YiSpecter, see the link at the end of this article.

To remove the malware, follow these steps:
  1. In iOS, go to Settings -> General -> Profiles and delete all unknown or untrusted configuration profiles;
  2. Delete these apps: “情涩播放器”, “快播私密版” or “快播0”;
  3. Use any third-party iOS management tool, for example iFunBox on Windows or Mac OS X, to connect to the iPhone or iPad (note that Apple's iTunes cannot be used for this);
  4. In the management tool, check all installed iOS apps; if some apps have names such as Phone, Weather, Game Center, Passbook, Notes or Cydia, delete them (note that this step does not affect the original system apps; it only deletes the counterfeit ones installed by the malware).

Source:
YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs

YiSpecter: Another iOS Malware That Attacks Non-jailbroken Apple iOS Devices

It’s less than 3 weeks since Unit 42 from Palo Alto published findings on the iOS XcodeGhost malware that infected 39 apps in the Apple App Store. And they’re at it again! This time Unit 42 published findings on the malware YiSpecter, which uses many attack vectors, with the key differentiator being enterprise certificates and private APIs to implement the hack.

This level of sophistication is usually associated with Advanced Persistent Threats (APTs) rather than a simple infection, but since the App Store has very strict checks, I guess they had to go to this level of sophistication in order to infect non-jailbroken devices.

Now I’m not saying that this malware company (YingMob Interaction) is really good, but they did “go the extra mile” to ensure a successful widespread infection by borrowing APT techniques published over the past 5 years.

In summary, YiSpecter mainly targets iPhone & iPad users in China & Taiwan, so maybe the hackers only target Simplified Chinese language users. The infection starts from infected websites, Windows-based IM platforms like Tencent’s QQ Chat, and forums where malicious HTML files are posted & displayed on the target iOS screen.

On iOS 8 devices, if the user clicks the dialog box to allow downloading the app, it is automatically installed because it contains a stolen but valid Enterprise certificate. On iOS 9, you have to switch on the permission to install Enterprise apps, so new users are protected. However, if you’ve upgraded from iOS 8, it’s likely you’re still infected because YiSpecter is self-preserving, can spread the infection as part of a botnet and is hidden from the user.

I won’t go into the mechanism of the infection because it’s too technical for average users. You can find the link to the original Palo Alto notice at the end of the article.

To clean the infection, do the following:

  1. In iOS, go to Settings -> General -> Profiles to remove all unknown or untrusted profiles;
  2. If there are any installed apps named “情涩播放器”, “快播私密版” or “快播0”, delete them;
  3. Use any third-party iOS management tool (e.g., iFunBox, though note that Apple’s iTunes doesn’t work in this step) on Windows or Mac OS X, to connect with your iPhone or iPad;
  4. In the management tool, check all installed iOS apps; if there are apps named Phone, Weather, Game Center, Passbook, Notes, or Cydia, delete them. (Note that this step won’t affect the original system apps; it only deletes the fake ones installed by the malware.)
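One way to automate step 4 above (the same step appears in the Chinese version of the post), as an added example that is not from the original post: given an app listing exported from a management tool, flag entries whose display name collides with a built-in iOS app but whose bundle identifier is outside Apple's `com.apple.` namespace, plus any app named Cydia on a device that was never jailbroken. The two-column `bundle_id,display_name` CSV format, the sample rows and the `com.example.*` identifiers are constructed for this example; the post does not give YiSpecter's real bundle identifiers, and a real tool's export format may differ.

```python
import csv
import io

# Display names the post says YiSpecter's fake apps imitate. Genuine
# Apple system apps always carry a bundle identifier under com.apple.
IMPERSONATED_NAMES = {"Phone", "Weather", "Game Center", "Passbook", "Notes"}
APPLE_PREFIX = "com.apple."


def find_fake_system_apps(listing_text):
    """Return (bundle_id, display_name) pairs that look like fake system apps.

    listing_text: CSV rows of "bundle_id,display_name" (assumed format).
    A row is suspicious when its display name matches a built-in app name
    but its bundle identifier is not in Apple's namespace, or when the
    display name is Cydia (which has no place on a non-jailbroken device).
    """
    suspicious = []
    for row in csv.reader(io.StringIO(listing_text)):
        if len(row) < 2:
            continue  # skip blank or malformed rows
        bundle_id, name = row[0].strip(), row[1].strip()
        impersonates_system_app = (
            name in IMPERSONATED_NAMES and not bundle_id.startswith(APPLE_PREFIX)
        )
        if impersonates_system_app or name == "Cydia":
            suspicious.append((bundle_id, name))
    return suspicious


# Constructed sample listing: two genuine Apple apps, one legitimate
# third-party app, and three entries shaped like the fakes the post
# describes. The com.example.* identifiers are placeholders.
SAMPLE_LISTING = """\
com.apple.mobilephone,Phone
com.apple.weather,Weather
com.tencent.xin,WeChat
com.example.fake1,Weather
com.example.fake2,Passbook
com.example.fake3,Cydia
"""

if __name__ == "__main__":
    for bundle_id, name in find_fake_system_apps(SAMPLE_LISTING):
        print(f"suspicious: {name!r} with non-Apple bundle id {bundle_id}")
```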

Source:
YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs

[Chinese version] Malware XcodeGhost Infects 39 iOS Apps, Including WeChat, Affecting Hundreds of Millions of Users

Palo Alto's Unit 42 has found that the malware XcodeGhost has infected 39 iOS apps, including WeChat, affecting hundreds of millions of users.

Many of the affected companies have now updated to the official Apple integrated development environment and republished their apps, so please update the affected apps; if an app cannot be updated, it is better to delete it temporarily.

Be sure to change your app passwords and your Apple ID password, since they may already have been phished by the hackers.

Below is the list published by Palo Alto & FOX-IT.

网易云音乐  2.8.3
微信  6.2.5
讯飞输入法  5.1.1463
滴滴出行  4.0.0.6-4.0.0.0
滴滴打车  3.9.7.1 – 3.9.7
铁路12306  4.5
下厨房  4.3.2
51卡保险箱  5.0.1
中信银行动卡空间  3.3.12
中国联通手机营业厅  3.2
高德地图  7.3.8
简书  2.9.1
开眼  1.8.0
Lifesmart  1.0.44
网易公开课  4.2.8
马拉马拉  1.1.0
药给力  1.12.1
喜马拉雅  4.3.8
口袋记账  1.6.0
同花顺  9.60.01
快速问医生  7.73
懒人周末
微博相机
豆瓣阅读
CamScanner
CamCard
SegmentFault  2.8
股公开课
股市热点
新三板
滴滴司机
OPlayer  2.1.05
电话归属地助手  3.6.5
愤怒的小鸟2 2.1.1
夫妻床头话  1.2
穷游  6.6.6
我叫MT  5.0.1
我叫MT 2  1.10.5
自由之战  1.1.0
Mercury
WinZip
Musical.ly
PDFReader
guaji_gangtai en
Perfect365
网易云音乐
PDFReader Free
WhiteTile
IHexin
WinZip Standard
MoreLikers2
CamScanner Lite
MobileTicket
iVMS-4500
OPlayer Lite
QYER
golfsense
同花顺
ting
installer
下厨房
golfsensehd
Wallpapers10000
CSMBP-AppStore
礼包助手
MSL108
ChinaUnicom3.x
TinyDeal.com
snapgrab copy
iOBD2
PocketScanner
CuteCUT
AmHexinForPad
SuperJewelsQuest2
air2
InstaFollower
CamScanner Pro
baba
WeLoop
DataMonitor
爱推
MSL070
nice dev
immtdchs
OPlayer
FlappyCircle
高德地图
BiaoQingBao
SaveSnap
WeChat
Guitar Master
jin
WinZip Sector
Quick Save

Malware XcodeGhost Infects 39 iOS Apps, Including WeChat, Affecting Hundreds of Millions of Users

Unit 42 finds that malware XcodeGhost infects 39 iOS apps, including WeChat, affecting hundreds of millions of users.

Update your apps now: many of the affected developers have switched back to the official Apple Xcode IDE, which is NOT affected, and republished their apps. If you can’t update an app, it’s better to temporarily uninstall it.

Also make sure to change your app passwords and Apple ID password, as they may have been phished by the hackers.

Here’s the list discovered by Palo Alto & FOX-IT.

网易云音乐  2.8.3
微信  6.2.5
讯飞输入法  5.1.1463
滴滴出行  4.0.0.6-4.0.0.0
滴滴打车  3.9.7.1 – 3.9.7
铁路12306  4.5
下厨房  4.3.2
51卡保险箱  5.0.1
中信银行动卡空间  3.3.12
中国联通手机营业厅  3.2
高德地图  7.3.8
简书  2.9.1
开眼  1.8.0
Lifesmart  1.0.44
网易公开课  4.2.8
马拉马拉  1.1.0
药给力  1.12.1
喜马拉雅  4.3.8
口袋记账  1.6.0
同花顺  9.60.01
快速问医生  7.73
懒人周末
微博相机
豆瓣阅读
CamScanner
CamCard
SegmentFault  2.8
股公开课
股市热点
新三板
滴滴司机
OPlayer  2.1.05
电话归属地助手  3.6.5
愤怒的小鸟2 2.1.1
夫妻床头话  1.2
穷游  6.6.6
我叫MT  5.0.1
我叫MT 2  1.10.5
自由之战  1.1.0
Mercury
WinZip
Musical.ly
PDFReader
guaji_gangtai en
Perfect365
网易云音乐
PDFReader Free
WhiteTile
IHexin
WinZip Standard
MoreLikers2
CamScanner Lite
MobileTicket
iVMS-4500
OPlayer Lite
QYER
golfsense
同花顺
ting
installer
下厨房
golfsensehd
Wallpapers10000
CSMBP-AppStore
礼包助手
MSL108
ChinaUnicom3.x
TinyDeal.com
snapgrab copy
iOBD2
PocketScanner
CuteCUT
AmHexinForPad
SuperJewelsQuest2
air2
InstaFollower
CamScanner Pro
baba
WeLoop
DataMonitor
爱推
MSL070
nice dev
immtdchs
OPlayer
FlappyCircle
高德地图
BiaoQingBao
SaveSnap
WeChat
Guitar Master
jin
WinZip Sector
Quick Save

Source: Malware XcodeGhost Infects 39 iOS Apps, Including WeChat, Affecting Hundreds of Millions of Users