A new and unusual type of malware called YiSpecter that targets iOS devices has been discovered by a cyber-security research firm, and it could prove to be a huge problem for all users. One of the things that makes YiSpecter so unusual and dangerous is that it targets both jailbroken and non-jailbroken devices. The other is that it abuses private APIs.
YiSpecter uses private APIs
Palo Alto Networks uncovered the dangerous malware and called it YiSpecter. According to Claud Xiao, the malware is the first one they’ve “seen in the wild” that actually abuses private APIs in iOS to “implement malicious functionalities.” It also spreads in unusual ways: by hijacking traffic from internet service providers, through a Windows SNS worm, and through offline app installation and community promotion.
The firm reports that many iOS users have reported infected devices to Apple, but the malware has been in the wild for more than 10 months and the company has yet to fix it. Palo Alto also states that only one of the 57 security vendors on VirusTotal is able to detect YiSpecter.
Thus far, the malware has only been impacting Taiwanese and mainland Chinese iOS users.
How YiSpecter works
According to Palo Alto Networks, YiSpecter is made up of four components, each signed with an enterprise certificate. Through the abuse of private APIs, the four components are able to “download and then install each other from a command and control (C2) server.” Three of the components hide their icons from SpringBoard on iOS, which keeps users from being able to see and delete them. The components also use the same logos and names as iOS system apps to trick even power users.
After infecting an iOS device, YiSpecter downloads, installs and launches random apps and replaces existing apps with malicious apps it downloads. The malware also hijacks the execution of other apps to show ads, in some cases forcing those ads to be full-screen. It can also change the default search engine, bookmarks, and pages that have been opened on Safari and upload information from the infected device to the C2 server.
Manually deleting the malware doesn’t work because it reappears automatically. Users of an infected device who inspect it with third-party tools will see some odd extra “system” apps, and sometimes, on opening an app they use regularly, they will be shown a full-screen ad.
Private APIs a major vulnerability for Apple devices
Palo Alto Networks also warns iOS users that abuse of private APIs is a growing problem; YiSpecter is the first malware to combine two major attack techniques, abusing enterprise certificates and abusing private APIs.
The firm also states that more than 100 App Store apps have been found to abuse private APIs and bypass Apple’s code review. In other words, private API abuse is not limited to malware: it can affect every iOS user who simply downloads apps from the App Store.