Detecting and Removing Apple iOS YiSpecter Malware

Early this month news of a new malware threat for Apple iOS devices (iPhone and iPad) began to circulate. This threat has been named YiSpecter by Palo Alto Networks.

This threat has been primarily seen in East Asia, particularly in China and Taiwan. However, the method of infection and its effects could easily be used by other threats in the future, and thus Apple iOS users should take the appropriate precautions, which I will discuss below.

Why Should This Threat Be Considered Important?
This threat is distributed from a number of different places (my thanks to Symantec for the full list of where this threat originates from):

  • Hijacked Internet Service Provider (ISP) traffic that redirects websites to another page where the threat is downloaded
  • Forums
  • Social media
  • Alternative App Stores

The threat allows an adversary to perform a range of actions of their choice namely by first installing a backdoor (defined) and installing adware (defined here and here). The backdoor provides the malware authors with the following capabilities:

  • Download and install fraudulent apps (that appear to be legitimate iOS system apps)
  • Change Apple Safari bookmarks to all point to a link specified by the command and control server (see Aside below for a definition) of this malware
  • Uninstall apps
  • Display adverts within installed apps
  • Change your default search engine
  • Steal information about you

This malware can infect both jailbroken (defined) and non-jailbroken Apple devices. This is possible since it makes use of a legitimate means of app installation normally used by large corporations to allow their employees to install customized corporate apps that are not otherwise available in the official Apple App Store (enterprise provisioning). Such apps are not checked by Apple and can thus have the potential to incorporate malicious functionality (that would otherwise be blocked/not allowed by Apple).
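The distinguishing feature of an enterprise-provisioned app is the provisioning profile bundled inside it (embedded.mobileprovision), which is a CMS-signed wrapper around an XML plist. As an added example (not code from the original post, Palo Alto Networks or Apple), the Python script below pulls the plist out of such a file and reports whether it is an enterprise (in-house) profile, which team signed it and whether it has expired, so that an app obtained outside the App Store can be triaged. The profile keys used (ProvisionsAllDevices, ProvisionedDevices, TeamName, TeamIdentifier, ExpirationDate, Entitlements) are Apple's own; the sample profiles and the fake DER bytes around them are constructed for the example.

```python
"""Triage an iOS app's embedded.mobileprovision (added example, not from the post).

A .mobileprovision file is a CMS (PKCS#7) signature around an XML plist. The plist
is stored in clear text inside the DER blob, so the usual triage trick is to slice
from '<?xml' to '</plist>' and parse that. All sample data here is constructed.
"""
import plistlib
from datetime import datetime


def extract_plist(blob: bytes):
    """Return the embedded plist as a dict, or None if no plist is found."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start == -1 or end == -1:
        return None
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def summarize(blob: bytes, now: datetime) -> dict:
    """Classify the profile and pull out the fields a defender wants to see."""
    profile = extract_plist(blob)
    if profile is None:
        # Apps delivered by the App Store itself normally carry no embedded profile.
        return {"kind": "no-embedded-profile"}
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"  # in-house distribution: installable on any device
    elif profile.get("ProvisionedDevices"):
        kind = "ad-hoc-or-development"  # restricted to the listed device UDIDs
    else:
        kind = "app-store-distribution"  # neither universal nor device-listed
    entitlements = profile.get("Entitlements", {})
    expires = profile.get("ExpirationDate")  # plistlib yields a naive datetime
    return {
        "kind": kind,
        "team": profile.get("TeamName"),
        "team_id": (profile.get("TeamIdentifier") or [None])[0],
        "app_id": entitlements.get("application-identifier"),
        "debuggable": bool(entitlements.get("get-task-allow", False)),
        "expired": expires is not None and expires < now,
    }


def make_sample(profile: dict) -> bytes:
    """Constructed stand-in for a CMS-wrapped profile: fake DER bytes around the plist."""
    xml = plistlib.dumps(profile, fmt=plistlib.FMT_XML)
    return b"\x30\x82\x10\x00\x06\x09*\x86H\x86\xf7\r\x01\x07\x02" + xml + b"\x00" * 8 + b"FAKE-SIG"


# Constructed sample profiles (team names, IDs and UUIDs are placeholders).
ENTERPRISE_SAMPLE = make_sample({
    "AppIDName": "Example In-House App",
    "Name": "Example Enterprise Distribution (constructed)",
    "TeamName": "Example Corp (constructed)",
    "TeamIdentifier": ["EXAMPLE123"],
    "ProvisionsAllDevices": True,
    "ExpirationDate": datetime(2016, 10, 1, 0, 0, 0),
    "UUID": "00000000-0000-0000-0000-000000000000",
    "Entitlements": {"application-identifier": "EXAMPLE123.com.example.inhouse",
                     "get-task-allow": False},
})

APPSTORE_SAMPLE = make_sample({
    "AppIDName": "Example Store App",
    "Name": "Example App Store Distribution (constructed)",
    "TeamName": "Example Corp (constructed)",
    "TeamIdentifier": ["EXAMPLE123"],
    "ExpirationDate": datetime(2016, 10, 1, 0, 0, 0),
    "UUID": "11111111-1111-1111-1111-111111111111",
    "Entitlements": {"application-identifier": "EXAMPLE123.com.example.store",
                     "get-task-allow": False},
})

ADHOC_SAMPLE = make_sample({
    "AppIDName": "Example Test Build",
    "Name": "Example Ad Hoc (constructed)",
    "TeamName": "Example Corp (constructed)",
    "TeamIdentifier": ["EXAMPLE123"],
    "ProvisionedDevices": ["00000000-000000000000CONSTRUCTED"],
    "ExpirationDate": datetime(2016, 10, 1, 0, 0, 0),
    "UUID": "22222222-2222-2222-2222-222222222222",
    "Entitlements": {"application-identifier": "EXAMPLE123.com.example.test",
                     "get-task-allow": True},
})


if __name__ == "__main__":
    checked_at = datetime(2015, 10, 15, 0, 0, 0)
    for label, blob in [("enterprise", ENTERPRISE_SAMPLE), ("store", APPSTORE_SAMPLE),
                        ("adhoc", ADHOC_SAMPLE), ("garbage", b"not a profile")]:
        print(label, summarize(blob, checked_at))
```

On a real app the input is the embedded.mobileprovision file unzipped from the .ipa; an "enterprise" result simply means the app reached the device through in-house distribution rather than the App Store, so the next question is whether the team named in the profile is one you actually expect to see on that device.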

Through the malware’s use of private APIs (Application Programming Interfaces) (defined) the malware can install malicious apps of its choice without notifying the user. Private APIs are functions within Apple iOS that Apple has not publicly documented because they are not considered stable: they are not guaranteed to remain present in future releases of the iPhone SDK, and they may behave slightly differently than before.

These malicious apps can replace legitimate apps with malicious versions of the same name (by uninstalling the legitimate apps). These private APIs are also used to show adverts within apps not known to the malware. Finally, such private APIs are used to gather a list of the apps installed on your phone.

How Can I Protect Myself From This Threat?
If you suspect that your iPhone is infected with this malware e.g. you have seen full screen adverts when using apps on your phone, please follow the steps provided at the end of this Palo Alto Networks blog post to manually remove this threat.

As mentioned by Palo Alto Networks, the most effective means of avoiding being infected by this threat is to only download apps from the official Apple App Store and not to trust unknown app developers. However, they also acknowledge that this will prevent most infections (from similar threats) but not all.

In addition, Apple has confirmed that Apple iPhone users with iOS version 8.4 and later are not vulnerable to this threat. However it would still be recommended to use the most recent iOS update to benefit from the security improvements that it includes. iOS 9.0 and later will also make the installation of this malware a more deliberate action on your part and thus you are less likely to install the malware inadvertently. This change involves manually setting a related provisioning profile to “trusted” in the Settings menu before you can install enterprise/corporate provisioned apps rather than simply choosing “OK” when you are about to launch the app. The latest iOS at the time of writing is 9.0.2.

I hope that the above information and suggestions are useful in removing this threat if you have been affected by it and in preventing this threat from being installed on your Apple device in the first instance.

Thank you.

What is a command and control server?

When malware can be controlled by its author remotely, that control is usually carried out using a server.

The command and control server (sometimes shortened to the “C2” server) allows the malware author to administer the devices under their control in a convenient manner. This control can include issuing commands to multiple devices to carry out an action at a desired time. Examples would be changing the type of data being collected by the malware (if the malware has this capability), requesting the malware to send all of its collected data back to the server for later review, uninstalling the malware, and updating the malware to provide it with more capabilities of the author’s choice.

Command and control servers are usually separate from the devices they control. The servers communicate with the controlled device using a customized protocol.
