YiSpecter malware uses technique that can bypass Apple App Store security checks

Researchers have uncovered a new malware threat affecting iOS devices which they say uses techniques that have slipped by Apple App Store's strict code review before.
Written by Liam Tung, Contributing Writer
YiSpecter is the first malware to exploit iOS' private APIs.
Researchers say newly-discovered malware, dubbed YiSpecter, can infect non-jailbroken as well as jailbroken iPhone and iPad devices, using a number of novel techniques.

The YiSpecter malware is unusual on a number of fronts, according to security firm Palo Alto Networks, chiefly because it is the first malware in the wild that exploits the iOS system's private APIs - the APIs in iOS that remain undocumented by Apple, possibly because they're not ready for wider use.

What's bad about this particular behaviour is that researchers have previously found apps that abuse private APIs on the App Store, meaning that attackers could look to these to target iPhone and iPad owners who only install apps from the App Store.

According to Palo Alto Networks, there were 100 apps in Apple's App Store that had abused private APIs and bypassed Apple's notoriously strict code review.

"What that means is the attacking technique of abusing private APIs can also be used separately and can affect all normal iOS users who only download apps from the App Store," wrote Palo Alto researcher Claud Xiao.

Fortunately in this instance, the attackers were not using Apple's App Store to distribute the malware, but instead relied on enterprise certificates as a side channel to install malware.

The discovery of YiSpecter follows the recent finding that over 4,000 apps laced with the XcodeGhost malware had leaked into the App Store. In that incident the developers of legitimate third-party apps in China, such as TenCent's WeChat app, had uploaded apps to the App Store after using tainted copies of Apple's developer toolset Xcode.

Victim reports suggest YiSpecter gains broad powers once installed on an iOS device, be it jailbroken or non-jailbroken.

These include the ability to download, install, and launch other iOS apps, swap out existing apps for those it downloads, hijack other apps to display ads, and change Safari's default search engine.

It can also tamper with Safari bookmarks and opened pages, and upload device information to the attacker's server.

Though both XcodeGhost and YiSpecter affect non-jailbroken iOS devices and do exhibit some technical similarities, Palo Alto Networks researchers believe the attacks are not related.

"We believe that YiSpecter and XcodeGhost were developed by different attackers and there is no evidence of cooperation between the two developers so far," noted Xiao.

As Palo Alto highlights, YiSpecter also shares traits with the WireLurker malware, which was discovered last year and also abused enterprise certificates to infect non-jailbroken iOS devices.

YiSpecter, however, puts into practice the use of private APIs to implement sensitive functionality in iOS, such as hiding icons, which had previously been confined to academic discussion.

"YiSpecter is the first real-world iOS malware that combines these two attack techniques and causes harm to a wider range of users. It pushes the line barrier of iOS security back another step," Xiao noted.

What the YiSpecter malware does not show however is that Apple's walled garden approach is broken, according to Trey Ford, global security strategist at Rapid7.

"Attackers know that focusing on edge cases, specifically exceptions like the 'in-house distribution' workflow using enterprise certificates, provide the most likely path to deployment," said Ford.

"The private APIs you will hear about that are allowing attackers to pull tricks, like hiding icons and replacing applications, will not be made available via the App Store, which is what generally motivates attackers to find other distribution channels," Ford added.
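The enterprise ("in-house") distribution path discussed above leaves a trace on the device: every app installed that way carries an embedded.mobileprovision file whose provisioning profile is marked as provisioning all devices rather than the App Store's per-app signing. The following is an added triage example, not code from the article or from Palo Alto Networks, that pulls the XML plist out of a profile's CMS envelope and classifies it so a defender can flag enterprise-provisioned apps on a managed fleet. The profile bytes are constructed here (placeholder team name, bundle id and envelope bytes); the classification rules (ProvisionsAllDevices for enterprise, ProvisionedDevices plus get-task-allow for development, ProvisionedDevices alone for ad hoc, neither for App Store) are the commonly used heuristic for these profiles.

```python
import plistlib
import re
from datetime import datetime

# Constructed sample: the plist payload of an embedded.mobileprovision as an
# in-house (enterprise) profile would carry it. A real file is a CMS/PKCS#7
# signed blob with the XML plist inside, so placeholder bytes stand in for the
# envelope on either side. All identifiers below are placeholders.
SAMPLE_ENTERPRISE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Name</key><string>Example In-House Profile</string>
    <key>TeamName</key><string>EXAMPLE CORP (placeholder)</string>
    <key>ProvisionsAllDevices</key><true/>
    <key>ExpirationDate</key><date>2016-10-01T00:00:00Z</date>
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key><string>PLACEHOLDER.com.example.app</string>
        <key>get-task-allow</key><false/>
    </dict>
</dict>
</plist>
"""
SAMPLE_ENTERPRISE_PROFILE = (
    b"\x30\x82\x01\x00PLACEHOLDER-CMS-HEADER"
    + SAMPLE_ENTERPRISE_PLIST
    + b"PLACEHOLDER-SIGNATURE"
)

# Constructed App Store style profile: no ProvisionsAllDevices, no device list.
SAMPLE_APPSTORE_PROFILE = b"""PLACEHOLDER<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Name</key><string>Example Store Profile</string>
    <key>TeamName</key><string>EXAMPLE CORP (placeholder)</string>
    <key>ExpirationDate</key><date>2016-10-01T00:00:00Z</date>
    <key>Entitlements</key>
    <dict><key>get-task-allow</key><false/></dict>
</dict>
</plist>PLACEHOLDER"""

_PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_plist(profile_bytes):
    """Return the XML plist embedded in a .mobileprovision blob as a dict.

    The CMS signature is not verified here; this only locates the payload
    between the <?xml ... ?> header and the closing </plist> tag.
    """
    match = _PLIST_RE.search(profile_bytes)
    if match is None:
        raise ValueError("no XML plist found in provisioning profile")
    return plistlib.loads(match.group(0))


def classify_profile(profile_bytes, now=None):
    """Classify a provisioning profile by its distribution method.

    Returns a dict with the profile kind, team name, expiry and whether the
    profile was expired at 'now' (naive UTC datetime; defaults to current time).
    """
    now = now or datetime.utcnow()
    info = extract_plist(profile_bytes)
    entitlements = info.get("Entitlements", {})

    if info.get("ProvisionsAllDevices"):
        kind = "enterprise"          # in-house distribution, no device list
    elif "ProvisionedDevices" in info:
        # Device-bound profiles: debuggable ones are development builds.
        kind = "development" if entitlements.get("get-task-allow") else "adhoc"
    else:
        kind = "appstore"

    expiry = info.get("ExpirationDate")
    return {
        "kind": kind,
        "team": info.get("TeamName"),
        "expires": expiry,
        "expired": bool(expiry and expiry < now),
        "flag_for_review": kind == "enterprise",
    }


if __name__ == "__main__":
    for label, blob in (("enterprise", SAMPLE_ENTERPRISE_PROFILE),
                        ("appstore", SAMPLE_APPSTORE_PROFILE)):
        print(label, classify_profile(blob, now=datetime(2015, 10, 5)))
```

On a real device the relevant files live inside each app's bundle (the path varies by iOS version), and an MDM or inventory agent would run the classification over every installed app and raise the enterprise ones for review; a profile that is expired, or from a team name the organisation does not recognise, is the usual signal that an app arrived through the side channel described above rather than through the App Store.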

According to Palo Alto, YiSpecter began to spread in the wild from at least November 2014, typically carrying a UI and functionality that enabled watching free porn videos online.

The two primary YiSpecter apps in the wild are HYQvod and DaPian, according to Palo Alto Networks, and these will install the main malicious component of YiSpecter known as Nolcon, which enables functionality such as changing Safari configurations and injecting ads.

Researchers at Chinese software firms Qihoo 360 and Cheetah Mobile earlier this year dug into a piece of iOS malware they named the Lingdun worm. However, Palo Alto says they missed or failed to disclose many more malicious functionalities that it has now identified as being part of YiSpecter.

YiSpecter also presents a number of new ways to attack jailbroken and non-jailbroken iOS devices, including a suggestion from Palo Alto Networks that Chinese ISPs were involved in spreading the malware by hijacking users' internet traffic and inserting pop-up dialogue boxes when users visited a known news website.

"Some non-jailbroken iPhone users tried to clear cookies, reset iOS, change their iCloud accounts, and block pop-ups in Safari, but these operations didn't resolve the problem. However, if they used a third-party mobile browser with built-in proxy functionality to access the same webpage, the advertisements disappeared. One user even called his ISP's service phone number to complain and the problem was resolved - these advertisements never appeared again," Xiao explained.

"Based on this information, we believe that the ISP's traffic hijacking was used to spread the malware in these cases, and not a malicious third party."

The Lingdun worm was also used to distribute YiSpecter while a number of YiSpecter apps were published on underground app distribution websites, probably aimed at jailbroken devices, as well as social media and other community forums.
