Advertising malware affects non-jailbroken iOS devices

“YiSpecter is infecting iOS devices belonging to Chinese and Taiwanese users, and is the first piece of malware that successfully targets both jailbroken and non-jailbroken devices, Palo Alto Networks researchers warn. What’s more, the techniques it uses for hiding are making it difficult to squash the infection.

Online advertisements are obviously a big business in China, as for the second time in less than a month, security researchers have unveiled how Chinese mobile users are getting their devices hijacked via malicious apps whose ultimate goal is to serve a constant stream of ads.

In the first instance, a Chinese promotion company targeted Android users. In this second one, the victims are iOS users.

According to the researchers, YiSpecter “spreads via unusual means, including the hijacking of traffic from nationwide ISPs, an SNS worm on Windows, and an offline app installation and community promotion.”

“The malware has been in the wild for over 10 months, but out of 57 security vendors in VirusTotal, only one is detecting the malware at the time of this writing,” they pointed out.

The YiSpecter threat comes in four segments. The first, main app is delivered in one of the aforementioned ways, and pretends to be a legitimate app for watching videos. This app then installs another app called NoIcon. Finally, NoIcon downloads and installs ADPage and NoIconUpdate.

NoIcon collects device information and sends it to the C&C server, retrieves and executes remote commands, changes the iOS default Safari configuration, uninstalls legitimate iOS apps and installs fake versions of them, monitors other installed applications and hijacks their launch routine to use ADPage to display advertisements.

NoIconUpdate keeps the whole infection updated and running as it should.

But how can all these apps end up on users’ devices without being detected and blocked by Apple, you wonder?

“YiSpecters malicious apps were signed with three iOS enterprise certificates issued by Apple so that they can be installed as enterprise apps on non-jailbroken iOS devices via in-house distribution,” the researchers explained. “Through this kind of distribution, an iOS app can bypass Apples strict code review procedures and can invoke iOS private APIs to perform sensitive operations.”

It’s also very difficult for users to discover the last three apps on their phones: their icons don’t show on iOS’ SpringBoard (the desktop), making it impossible for them to select the app and uninstall it.

“Even though icons are hidden from the SpringBoard, YiSpecters author still has considered power users who may use third-party tools to manage iPhones or iPads. The author used special display app names and logos for these three apps to make them look like iOS system apps,” they added.

Thus, NoIcon masquerades as Passbook, ADPage as Cydia, and NoIconUpdate as Game Center.

The recently discovered XcodeGhost malicious apps showed that non-jailbroken iOS devices can be infected with malware, and so did WireLurker.

“The world where only jailbroken iOS devices were threatened by malware is a thing of the past”, the researchers noted. “WireLurker proved that non-jailbroken iOS devices can also be infected through abuse of the enterprise distribution mechanism. YiSpecter further shows us that this technique is being used to infect many iOS devices in the wild.”

Apple has been notified of YiSpecter, but is yet to comment on it.

If you think you might have been infected with these apps, check out Palo Alto Networks’ in-depth report for instructions on how to remove them and how to detect and block all malicious C2 traffic related to them.”