Security researchers at Palo Alto Networks have uncovered a unique form of Apple malware, coined YiSpecter, that can infect non-jailbroken devices by abusing private APIs in iOS to install malicious applications.
Once installed on a victim's device, YiSpecter is able to download, install and launch arbitrary iOS applications, replace existing apps, display adware, change Safari's default search engine and upload device information to a command and control server.
Furthermore, the research indicates that the malware can infect a device regardless of whether it is jailbroken, that is, whether Apple's code-signing restrictions have been removed so that software from outside the App Store can run on it.
The malware, which according to Palo Alto primarily affects users in China and Taiwan, has been in the wild for roughly 10 months. The research team reported that Apple has been notified about the problem.
V3 contacted Apple for further comment on YiSpecter but had received no reply at the time of publication.
Palo Alto security researcher Claud Xiao revealed that the malware spreads via unusual means, including the “hijacking of traffic from nationwide ISPs, an SNS worm on Windows, and an offline app installation and community promotion”.
“YiSpecter consists of four different components that are signed with enterprise certificates. By abusing private APIs, these components download and install each other from a command and control server,” he said.
“Three of the malicious components use tricks to hide their icons from iOS’s SpringBoard, which prevents the user finding and deleting them. The components also use the same name and logos of system apps to trick iOS power users.”
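The enterprise-certificate signing Xiao describes is the detail a defender can actually check for: an app installed that way carries an embedded.mobileprovision whose profile allows installation on any device, whereas an App Store app does not. The script below is an added example written for this article and is not code from Palo Alto Networks or from the YiSpecter write-up. It assumes the standard provisioning-profile keys (ProvisionsAllDevices, ProvisionedDevices, get-task-allow, ExpirationDate, TeamName); the two sample profiles, their team names and app identifiers are constructed fixtures, not real YiSpecter artefacts. The plist is pulled out of the CMS envelope by slicing between the XML markers, the usual shortcut, so the CMS signature itself is not verified here.

```python
"""Flag enterprise (in-house) provisioning profiles bundled inside an iOS app.

Added example, not code from Palo Alto Networks or the YiSpecter write-up.
Every sideloaded app carries an embedded.mobileprovision, a CMS/PKCS#7
signed blob wrapping an XML plist. The plist is recovered by slicing between
the "<?xml" and "</plist>" markers, which avoids a CMS parser (and therefore
does NOT verify the CMS signature). All sample data below is constructed.
"""
import datetime
import plistlib
import re
from typing import Optional

# The plist is a contiguous XML document inside the DER envelope, so a regex slice suffices.
PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_plist(blob: bytes) -> dict:
    """Pull the XML plist out of a CMS-wrapped .mobileprovision file."""
    match = PLIST_RE.search(blob)
    if match is None:
        raise ValueError("no XML plist found inside provisioning profile")
    return plistlib.loads(match.group(0))


def classify_profile(profile: dict, now: Optional[datetime.datetime] = None) -> dict:
    """Summarise how a profile lets an app install, from its standard keys.

    ProvisionsAllDevices=True marks an enterprise (in-house) profile: the app
    installs on any device with no App Store review, the model YiSpecter's
    components used to install each other. ProvisionedDevices lists UDIDs for
    ad-hoc/development profiles; get-task-allow marks a debuggable dev build.
    """
    now = now or datetime.datetime.now()
    entitlements = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        distribution = "enterprise"
    elif profile.get("ProvisionedDevices"):
        distribution = "development" if entitlements.get("get-task-allow") else "ad-hoc"
    else:
        distribution = "app-store"
    expires = profile.get("ExpirationDate")
    return {
        "name": profile.get("Name"),
        "team": profile.get("TeamName"),
        "app_id": entitlements.get("application-identifier"),
        "distribution": distribution,
        "expired": bool(expires is not None and expires < now),
        "sideloaded": distribution != "app-store",
    }


def _fake_mobileprovision(payload: dict) -> bytes:
    """Constructed fixture: a plist wrapped in junk bytes standing in for the CMS envelope."""
    envelope_head = b"\x30\x82\x10\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02\xa0\x82"
    return envelope_head + plistlib.dumps(payload) + b"\x00" * 8


# Constructed sample: an enterprise profile of the kind an enterprise-signed app carries.
SAMPLE_ENTERPRISE_PROFILE = _fake_mobileprovision({
    "Name": "Example Corp In-House Distribution",
    "TeamName": "Example Corp Ltd",
    "ProvisionsAllDevices": True,
    "ExpirationDate": datetime.datetime(2035, 1, 1),
    "Entitlements": {
        "application-identifier": "ABCDE12345.com.example.video",
        "get-task-allow": False,
    },
})

# Constructed sample: an ad-hoc profile limited to two listed UDIDs, already expired.
SAMPLE_ADHOC_PROFILE = _fake_mobileprovision({
    "Name": "Example Tester Ad Hoc",
    "TeamName": "Example Dev",
    "ProvisionedDevices": ["0000000000000000000000000000000000000001",
                           "0000000000000000000000000000000000000002"],
    "ExpirationDate": datetime.datetime(2014, 6, 1),
    "Entitlements": {
        "application-identifier": "FGHIJ67890.com.example.tester",
        "get-task-allow": False,
    },
})


def report(blob: bytes) -> str:
    """One-line triage verdict for an embedded.mobileprovision."""
    info = classify_profile(extract_plist(blob))
    flag = "ENTERPRISE-SIGNED" if info["distribution"] == "enterprise" else info["distribution"]
    state = "expired" if info["expired"] else "valid"
    return f"{info['app_id']}: {flag} ({info['team']}, {state})"


if __name__ == "__main__":
    for sample in (SAMPLE_ENTERPRISE_PROFILE, SAMPLE_ADHOC_PROFILE):
        print(report(sample))
```

On a real device or an extracted .ipa, point extract_plist at the app bundle's embedded.mobileprovision; an enterprise verdict for an app the user did not knowingly sideload from their employer is the signal worth investigating. An App Store build normally carries no such profile at all.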
The malware, which was initially distributed as a pornography application, has many nasty characteristics such as automatically reappearing if a user attempts to delete it, installing a variety of unauthorised ‘system apps’ and opening full screen advertisements on a victim’s device.
The days of Apple devices being free from attack are “a thing of the past”, according to Xiao.
Last month Palo Alto unveiled XcodeGhost, a form of Apple malware, again originating from China, that was distributed as a trojanised copy of Xcode, Apple’s legitimate developer toolchain.
XcodeGhost’s malicious code was compiled into a variety of iOS applications that reached the official App Store, but the team does not believe the two attacks are related.
“We believe that YiSpecter and XcodeGhost were developed by different attackers and there is no evidence of cooperation between the two developers so far,” wrote Xiao.
Greg Day, chief security officer at Palo Alto, told V3 that the evolution of Apple iOS malware was expected.
“Most often what we see is that organised cyber criminals don’t give up easily. When you identify one method and one technique they will generally try to adapt and evolve,” he said.
When asked why cyber criminals are targeting Apple devices such as the iPhone and iPad, Day indicated that these devices are increasingly used to hold sensitive and financial data.
“There’s surely got to be a tipping point as we start to use these services and more of our money is exchanged through smart devices and touchless payment. The criminal is going to follow us there because that’s where the revenue stream is moving to,” he told V3.
“The simple reality is there is a significant supply chain ecosystem that is involved in the whole process. My expectation is that these supply chains seem to be getting ever larger and more complex, especially when we start to think about mobile and touchless payments.
“Nothing is invaluable and the more complexity we add into that the more opportunity there is for the attackers to find weak entry points.”
Alongside the clean-up of the official App Store, Apple recently released over 100 security fixes, patching numerous vulnerabilities in El Capitan, iOS and Safari.