YiSpecter iOS Malware can infect any Apple iOS device

Experts at Paloalto Networks discovered a strain of Apple iOS malware dubbed YiSpecter that is able to infect both jailbroken and non-jailbroken devices.

The recent XCodeGhost attack suffered by Apple demonstrated that nobody is completely secure from malware-based attacks. Now security researchers at PaloAlto Networks have discovered a new malware dubbed YiSpecter that they sustain is able to compromise both jailbroken as well as non-jailbroken iOS devices.

YiSpecter has been abusing private APIs and enterprise certificates to infect any iOs device.

“Whether an iPhone is jailbroken or not, the malware can be successfully downloaded and installed,” states the blog post published by PaloAlto Network. “Even if you manually delete, it will automatically re-appear.”

The new YiSpecter threat targets Apple’s iOS users in China and Taiwan, but at the time I’m writing there are no news on the number of infected devices.

According to researchers at PaloAlto Networks, YiSpecter malware has been targeting Apple’s iOS devices for over 10 months. YiSpecter was first spread by disguising as an app that lets users watch free adult content. The app has been proposed as a private version of the famous media player “QVOD,” which is a popular video streaming app developed by Kuaibo to share porn videos.

“YiSpecter began to spread in the wild in November 2014, if not earlier. The main iOS apps of this malware have user interface and functionality that enable the watching of free porn videos online, and were advertised as “private version” or “version 5.0” of a famous media player “QVOD”. QVOD was developed by Kuaibo(快播) and became popular in China by users who share porn videos.” states the report.

Once infected the iOS mobile device is it able to perform the following actions:

Dubbed YiSpecter, the malware infects iOS devices and once infected, YiSpecter can:

Install unwanted apps
Replace legitimate apps with ones it has downloaded
Force apps to display unwanted, full-screen ads
Change bookmarks as well as default search engines in Safari
Send user information back to its server
Automatically reappears even after a user manually deletes it from the iOS device

“YiSpecter consists of four different components that are signed with enterprise certificates. By abusing private APIs, these components download and install each other from a command and control (C2) server. Three of the malicious components use tricks to hide their icons from iOS’s SpringBoard, which prevents the user from finding and deleting them. The components also use the same name and logos of system apps to trick iOS power users.”

The experts observed different methods implemented by the malware to infect iOS devices, including hijacked Internet traffic from ISPs, a Windows worm that first attacked the Tencent’s instant messaging service QQ, through online communities where people install third-party applications in exchange for promotion fees from app developers.

How to Remove YiSpecter from Your iOS Devices?

Experts at PaloAlto network provided the following instructions to remove YiSpecter from the infected device:

In iOS, go to Settings -> General -> Profiles to remove all unknown or untrusted profiles;
If there’s any installed apps named “情涩播放器”, “快播私密版” or “快播0”, delete them;
Use any third-party iOS management tool (e.g., iFunBox, though note that Apple’s iTunes doesn’t work in this step) on Windows or Mac OS X, to connect with your iPhone or iPad;
In the management tool, check all installed iOS apps; if there’re some apps have name like Phone, Weather, Game Center, Passbook, Notes, or Cydia, delete them. (Note that this step won’t affect original system apps but just delete faked malware.)

Security experts from PaloAlto Networks have reported the security issue related to the YiSpecter malware to Apple, which is investigating it.

Pierluigi Paganini

(Security Affairs – YiSpecter , Apple iOS)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.