{"id":46789,"date":"2015-10-05T14:03:31","date_gmt":"2015-10-05T21:03:31","guid":{"rendered":"http:\/\/www.intego.com\/mac-security-blog\/?p=46789"},"modified":"2016-10-07T11:31:22","modified_gmt":"2016-10-07T18:31:22","slug":"yispecter-malware","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/yispecter-malware\/","title":{"rendered":"YiSpecter Malware Attacks iPhones and iPads to Serve up Ads"},"content":{"rendered":"

\"YiSpector\"<\/p>\n

Just weeks after Apple was forced to rid its iOS App Store from apps poisoned by the XcodeGhost malware<\/a>, and mere months after the tech company pulled all iOS anti-virus apps, a new attack has come to light impacting owners of iPads and iPhones, bringing into question the sanctity of Apple’s walled garden.<\/p>\n

The new malware threat \u2014 which is capable of infecting iDevices whether they are jailbroken or not \u2014 has been named YiSpecter<\/a> by security researchers at Palo Alto Networks, and a report<\/a> in the Wall Street Journal<\/em> says that it has been spread with the help of a Chinese advertising network.<\/p>\n

YiSpecter is thought to have been spreading in-the-wild since at least November 2014, initially distributed as trojanised version of QVOD, a media player popular in China for watching porn videos. QVOD has since been discontinued after the Chinese authorities shut it down earlier this year, so it’s safe to assume that any QVOD video player should now be treated with suspicion.<\/p>\n

However, the YiSpecter malware has also infected iPhones and iPads through other unusual means, including the hijacking of traffic from Chinese ISPs, a Windows-based social networking worm, third-party app stores and direct promotion of trojanised apps on social networks and forums.<\/p>\n

Once in place the YiSpecter malware can install unwanted apps, replace legitimate apps with ones it had downloaded, display full-screen advertisements, meddle with Safari’s bookmarks and default search engine, and steal information about users. In a further flourish, YiSpecter can survive manual deletion from iOS devices by automatically reappearing.<\/p>\n

Researchers have described how YiSpecter has pretended to be legitimate apps, including Phone, Weather, Game Center and Passbook on infected devices.<\/p>\n

YiSpecter goes further than past attacks against non-jailbroken iPhones such as WireLurker<\/a>, by not just taking advantage of certificates issued under Apple’s iOS Developer Enterprise Program to roll-out bespoke apps within companies, but also exploiting private APIs.<\/p>\n

To date, it appears that YiSpecter has mostly affected users based in China and Taiwan, but clearly there is the potential for attacks like this to strike further afield.<\/p>\n

Palo Alto Networks offers the following removal advice for any users who believe that their iDevices might be affected by YiSpecter:<\/p>\n

\n