
YiSpecter iOS malware

by Nikola Strahija on October 5th, 2015

The first iOS malware capable of infecting both stock and jailbroken iOS devices has been identified. Its targets are users running iOS 8.


For at least 10 months, mostly in China and Taiwan, YiSpecter has been active in the wild, abusing private iOS 8 APIs to perform malicious actions. The malware uses a wide range of methods to spread itself. Initially it promoted itself as a "private version" or "version 5.0" of the popular (and discontinued) QVOD app, but its distribution later grew to include tactics such as hijacking traffic, injection by the Windows Lingdun worm, offline app installation and community promotion (forums, social networks, etc.).

According to security researchers at Palo Alto Networks, a YiSpecter infection consists of four different components, all signed with enterprise certificates: one of several main apps, plus three malicious apps that the main app installs.

The main apps identified thus far are: HYQvod (bundle id: weiying.Wvod) and DaPian (bundle id: weiying.DaPian). The three malicious apps installed by the malware are NoIcon, ADPage and NoIconUpdate.

NoIcon
NoIcon (bundle id: com.weiying.hiddenIconLaunch) is the main malicious component of YiSpecter. It takes the following actions on an infected device:

  • connects to the command and control server
  • uploads device identity information
  • fetches and executes remote commands
  • changes default Safari configuration
  • silently installs additional apps "ADPage" and "NoIconUpdate"
  • monitors other installed applications and hijacks their launch routine to use "ADPage" to display advertisements


ADPage
ADPage (bundle id: com.weiying.ad) displays advertisements after NoIcon hijacks the launch routine of legitimate apps.

NoIconUpdate
NoIconUpdate (bundle id: com.weiying.noiconupdate) periodically checks for other components' existence, connects with the command and control server to report its installation information, checks for updated versions of the malware and installs them.

These malicious apps were signed with three iOS enterprise certificates issued by Apple, which allow them to be installed as enterprise apps on non-jailbroken iOS devices. While the main apps used certificates issued to "Changzhou Wangyi Information Technology Co., Ltd." and "Baiwochuangxiang Technology Co., Ltd.", the three malicious components all used the same certificate, belonging to "Beijing Yingmob Interaction Technology co, Ltd".
Distributed this way, the apps bypass Apple's strict App Store code review and can invoke private iOS APIs to perform sensitive operations.

The drawback of this method, compared with the official App Store, is that the user must confirm the installation through a dialog box.
Figure: iOS displays a dialog the first time a user opens an enterprise-signed app.

Most iOS users simply click continue, unaware of the repercussions.

In iOS 9, enterprise certificate security has been improved: the user must manually mark a provisioning profile as "trusted" before enterprise-provisioned apps can be installed.
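As an added example (not code from the article or from Palo Alto Networks' research), the following Python script shows how a device-inventory check could flag apps that were installed through enterprise distribution rather than the App Store, and match the bundle ids and certificate holder names reported above. It assumes the plist body of each app's embedded.mobileprovision has already been extracted from its CMS signature wrapper, and the two sample profiles are constructed for the demo, not captured data.

```python
import plistlib

# Indicators as reported in the article above: component bundle ids and the
# names on the enterprise certificates used to sign them.
YISPECTER_BUNDLE_IDS = {
    "weiying.Wvod", "weiying.DaPian", "com.weiying.hiddenIconLaunch",
    "com.weiying.ad", "com.weiying.noiconupdate",
}
YISPECTER_TEAM_NAMES = {
    "Changzhou Wangyi Information Technology Co., Ltd.",
    "Baiwochuangxiang Technology Co., Ltd.",
    "Beijing Yingmob Interaction Technology co, Ltd",
}

def assess_profile(profile_plist: bytes) -> dict:
    """Classify one provisioning profile given its plist body (CMS wrapper removed)."""
    p = plistlib.loads(profile_plist)
    team = p.get("TeamName", "")
    # Entitlements/application-identifier is "<TEAMID>.<bundle id>"; strip the team prefix.
    app_id = p.get("Entitlements", {}).get("application-identifier", "")
    bundle_id = app_id.split(".", 1)[1] if "." in app_id else app_id
    # ProvisionsAllDevices is present only on in-house (enterprise) distribution profiles.
    enterprise = bool(p.get("ProvisionsAllDevices", False))
    findings = []
    if enterprise:
        findings.append("enterprise-distributed: installed without App Store review")
    if bundle_id in YISPECTER_BUNDLE_IDS:
        findings.append("bundle id matches a known YiSpecter component")
    if team in YISPECTER_TEAM_NAMES:
        findings.append("signing team name matches a certificate named in the report")
    return {"bundle_id": bundle_id, "team": team, "enterprise": enterprise, "findings": findings}

def scan_profiles(profiles: list) -> list:
    """Assess every extracted profile on a device, preserving input order."""
    return [assess_profile(p) for p in profiles]

# Constructed sample profiles (not real captured data) using the same key layout as
# embedded.mobileprovision: one mimicking the NoIcon component, one benign ad-hoc profile.
SAMPLE_PROFILES = [
    plistlib.dumps({
        "TeamName": "Beijing Yingmob Interaction Technology co, Ltd",
        "ProvisionsAllDevices": True,
        "Entitlements": {"application-identifier": "TEAMID0001.com.weiying.hiddenIconLaunch"},
    }),
    plistlib.dumps({
        "TeamName": "Example Corp (constructed)",
        "Entitlements": {"application-identifier": "TEAMID0002.com.example.expenses"},
    }),
]
```

Calling scan_profiles(SAMPLE_PROFILES) returns three findings for the first profile and none for the second; on a real fleet the enterprise-distribution flag alone is worth reviewing, since it marks every app that never went through App Store review.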
