YiSpecter iOS Malware can infect any Apple iOS device

Pierluigi Paganini October 05, 2015

Experts at Paloalto Networks discovered a strain of Apple iOS malware dubbed YiSpecter that is able to infect both jailbroken and non-jailbroken devices.

The recent XCodeGhost attack suffered by Apple demonstrated that nobody is completely secure from malware-based attacks. Now security researchers at PaloAlto Networks have discovered a new malware dubbed YiSpecter that they sustain is able to compromise both jailbroken as well as non-jailbroken iOS devices.

YiSpecter has been abusing private APIs and enterprise certificates to infect any iOs device.

“Whether an iPhone is jailbroken or not, the malware can be successfully downloaded and installed,” states the blog post published by PaloAlto Network. “Even if you manually delete, it will automatically re-appear.”

The new YiSpecter threat targets Apple’s iOS users in China and Taiwan, but at the time I’m writing there are no news on the number of infected devices.

According to researchers at PaloAlto Networks, YiSpecter malware has been targeting Apple’s iOS devices for over 10 months.  YiSpecter was first spread by disguising as an app that lets users watch free adult content. The app has been proposed as a private version of the famous media player “QVOD,” which is a popular video streaming app developed by Kuaibo to share porn videos.

YiSpecter1 500x888

“YiSpecter began to spread in the wild in November 2014, if not earlier. The main iOS apps of this malware have user interface and functionality that enable the watching of free porn videos online, and were advertised as “private version” or “version 5.0” of a famous media player “QVOD”. QVOD was developed by Kuaibo(快播) and became popular in China by users who share porn videos.” states the report.

Once infected the iOS mobile device is it able to perform the following actions:

Dubbed YiSpecter, the malware infects iOS devices and once infected, YiSpecter can:

  • Install unwanted apps
  • Replace legitimate apps with ones it has downloaded
  • Force apps to display unwanted, full-screen ads
  • Change bookmarks as well as default search engines in Safari
  • Send user information back to its server
  • Automatically reappears even after a user manually deletes it from the iOS device

“YiSpecter consists of four different components that are signed with enterprise certificates. By abusing private APIs, these components download and install each other from a command and control (C2) server. Three of the malicious components use tricks to hide their icons from iOS’s SpringBoard, which prevents the user from finding and deleting them. The components also use the same name and logos of system apps to trick iOS power users.”

 The experts observed different methods implemented by the malware to infect iOS devices, including hijacked Internet traffic from ISPs, a Windows worm that first attacked the Tencent’s instant messaging service QQ, through online communities where people install third-party applications in exchange for promotion fees from app developers.

How to Remove YiSpecter from Your iOS Devices?

Experts at PaloAlto network provided the following instructions to remove YiSpecter from the infected device:
  1. In iOS, go to Settings -> General -> Profiles to remove all unknown or untrusted profiles;
  2. If there’s any installed apps named “情涩播放器”, “快播私密版” or “快播0”, delete them;
  3. Use any third-party iOS management tool (e.g., iFunBox, though note that Apple’s iTunes doesn’t work in this step) on Windows or Mac OS X, to connect with your iPhone or iPad;
  4. In the management tool, check all installed iOS apps; if there’re some apps have name like Phone, Weather, Game Center, Passbook, Notes, or Cydia, delete them. (Note that this step won’t affect original system apps but just delete faked malware.)
Security experts from PaloAlto Networks have reported the security issue related to the YiSpecter malware to Apple, which is investigating it.

Pierluigi Paganini

(Security Affairs – YiSpecter , Apple iOS)



you might also like

leave a comment