Palo Alto Networks, a cyber security firm, has identified a new malware family targeting iOS devices called YiSpecter. The malware infects devices by abusing private iOS APIs. It has mostly affected users in Taiwan and China.
Apple has confirmed to TechCrunch that YiSpecter cannot affect devices running iOS 9, which is one more reason why it is always recommended to stay on the latest version of iOS. YiSpecter can infect only iOS 8.3 and older, and only when users download apps from untrusted sources outside the App Store. Apple has taken a further step to protect devices: it has revoked the certificates used by the apps distributing this malware.
According to the statement issued by Apple:
“This malware only affects users working on older versions of iOS who have the habit of downloading apps from untrusted sources. This malware was specifically addressed in iOS 8.4 and we have also blocked the identified apps distributing this malware. We advise our customers to stay in touch with the latest versions of iOS in order to get the latest security updates. We encourage our valued customers to only download apps from trusted sources like the App Store and take care of any warnings that come up while downloading the apps.”
YiSpecter acts quickly once it infects a phone, making a large number of changes. It can install unwanted apps and replace trusted apps with the ones it downloads. It can also change bookmarks, force full-screen advertisements onto the display, change the search engine in Safari and send user information to the server it originated from. Even if users manually remove it from their iOS devices, it can reappear.
Palo Alto Networks said, “Among the iOS malware found so far, YiSpecter is unusual as it abuses the private APIs allowing its four components, which are signed with an enterprise certificate in order to appear trusted, to download all four from their centralized server.” Three of the four components can hide and disguise their icons with the logos and icons of other apps in order to avoid detection. This malware has been infecting devices for over 10 months, but only one (which is VirusTotal) out of 57 security vendors is able to detect it.
Claud Xiao, a security researcher from Palo Alto Networks, wrote in a post that abusing enterprise certificates and private APIs will not only lead to more infected devices but also pushes the security barrier one step back.
The YiSpecter malware first spread by disguising itself as an app that allows users to view free porn. After this, it started infecting more devices through hijacked traffic coming from internet service providers, online communities where users install third-party apps in exchange for promotion fees, and a Windows worm that first attacked QQ.
Another malware family, known as XcodeGhost, was found last month to have infected 40 apps in the Chinese App Store. No relation between YiSpecter and XcodeGhost has been found yet.