YiSpecter iOS malware
by Nikola Strahija on October 5th, 2015
The first iOS malware capable of infecting both stock (non-jailbroken) and jailbroken iOS devices has been identified. Its targets are users running iOS 8.
For at least 10 months YiSpecter has been active in the wild, mostly in China and Taiwan, abusing private iOS 8 APIs to perform its malicious actions. The malware uses a wide range of tactics to spread. Initially it was promoted as a "private version" or "version 5.0" of the popular, since-discontinued QVOD app; distribution later grew to include hijacking traffic, injection by the Windows Lingdun worm, offline app installation and community promotion (forums, social networks, etc.).
According to security researchers at Palo Alto Networks, a YiSpecter infection consists of four different components, all signed with enterprise certificates: various main apps and three different malicious apps installed by them.
The main apps identified thus far are: HYQvod (bundle id: weiying.Wvod) and DaPian (bundle id: weiying.DaPian). The three malicious apps installed by the malware are NoIcon, ADPage and NoIconUpdate.
NoIcon
NoIcon (bundle id: com.weiying.hiddenIconLaunch) is the main malicious component of YiSpecter. It takes the following actions on an infected device:
- connects to the command and control server
- uploads device identity information
- fetches and executes remote commands
- changes default Safari configuration
- silently installs additional apps "ADPage" and "NoIconUpdate"
- monitors other installed applications and hijacks their launch routine to use "ADPage" to display advertisements
ADPage
ADPage (bundle id: com.weiying.ad) displays advertisements after NoIcon hijacks legitimate apps.
NoIconUpdate
NoIconUpdate (bundle id: com.weiying.noiconupdate) periodically checks for other components' existence, connects with the command and control server to report its installation information, checks for updated versions of the malware and installs them.
These malicious apps were signed with three iOS enterprise certificates issued by Apple, which allow them to be installed as enterprise apps on non-jailbroken iOS devices. While the main apps used certificates for "Changzhou Wangyi Information Technology Co., Ltd." and "Baiwochuangxiang Technology Co., Ltd.", the three malicious components all used the same certificate belonging to "Beijing Yingmob Interaction Technology co, Ltd".
Distributed this way, the apps bypass Apple's strict App Store code review and can invoke private iOS APIs to perform sensitive operations.
The drawback of this method, compared with the official App Store, is that the user has to confirm the installation through a dialog box.

Most iOS users simply click continue, unaware of the repercussions.
In iOS 9, enterprise certificate security has been improved: the user must manually mark a provisioning profile as "trusted" before apps provisioned with it can be installed.
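As an added example (not from the article or the Palo Alto Networks report), the following Python triage script inspects an IPA's Info.plist and embedded provisioning profile, flags in-house (enterprise) distribution via the ProvisionsAllDevices key, and matches the bundle ids and certificate holder names listed above. The sample IPA it builds is constructed in memory, and slicing the plist out of the CMS-signed profile is a triage shortcut that does not verify the signature.

```python
import io
import plistlib
import re
import zipfile

# Indicators taken from the article: bundle ids of the YiSpecter components
# and the enterprise certificate holders used to sign them.
YISPECTER_BUNDLE_IDS = {"weiying.Wvod", "weiying.DaPian",            # HYQvod / DaPian
                        "com.weiying.hiddenIconLaunch", "com.weiying.ad",  # NoIcon, ADPage
                        "com.weiying.noiconupdate"}                  # NoIconUpdate
YISPECTER_TEAMS = {"Changzhou Wangyi Information Technology Co., Ltd.",
                   "Baiwochuangxiang Technology Co., Ltd.",
                   "Beijing Yingmob Interaction Technology co, Ltd"}

def provisioning_plist(blob):
    # embedded.mobileprovision is a CMS-signed XML plist; the plist text sits in
    # clear inside the signature, so slicing it out works for triage but does
    # NOT check that the signature is valid.
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < 0:
        return {}
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def triage_ipa(ipa_bytes):
    """Report bundle id, signing team, enterprise flag and indicator matches."""
    f = {"bundle_id": None, "team": None, "enterprise": False, "matches": []}
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        for name in z.namelist():
            if re.fullmatch(r"Payload/[^/]+\.app/Info\.plist", name):
                f["bundle_id"] = plistlib.loads(z.read(name)).get("CFBundleIdentifier")
            elif re.fullmatch(r"Payload/[^/]+\.app/embedded\.mobileprovision", name):
                prof = provisioning_plist(z.read(name))
                f["team"] = prof.get("TeamName")
                # ProvisionsAllDevices is present only on in-house (enterprise) profiles.
                f["enterprise"] = bool(prof.get("ProvisionsAllDevices"))
    if f["bundle_id"] in YISPECTER_BUNDLE_IDS:
        f["matches"].append("bundle id")
    if f["team"] in YISPECTER_TEAMS:
        f["matches"].append("enterprise team")
    return f

def build_sample_ipa(bundle_id, team, enterprise):
    """Constructed stand-in IPA (not a real sample) holding only the two files inspected."""
    prof = {"TeamName": team, "ProvisionsAllDevices": True} if enterprise else {"TeamName": team}
    # Fake bytes stand in for the CMS wrapper that surrounds the plist in a real profile.
    prov = b"0\x82FAKE-CMS-HEADER" + plistlib.dumps(prof) + b"\x00FAKE-TRAILER"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/App.app/Info.plist", plistlib.dumps({"CFBundleIdentifier": bundle_id}))
        z.writestr("Payload/App.app/embedded.mobileprovision", prov)
    return buf.getvalue()
```

A match on the enterprise team alone is the stronger signal here, since the article notes the same certificate signed all three hidden components regardless of which main app delivered them.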