YISPECTER; a new iOS malware that is capable of attacking both jail-broken and non-jailbroken apple devices has been detected, which abuses private APIs and implements malicious functionalities.
|(PC- google images)|
This malware has been identified in Mainland China and Taiwan, and is hijacking the traffic from the countries’ ISPs. This has led to a huge outbreak of reports to Apple Inc. in the past few weeks and the existence of YISPECTER is being discussed on several online forums for the last months in which, out of the 57 top world cyber security systems, only one has been able to detect this specific malware
The malware comprises of four components which are co-dependent upon each other. With the approval of enterprise certificates, these components abuse private APIs and download files for each other from a command and control (C2) server. Three of them use complex tricks to hide their icons from the SpringBoard, that prevents detection and removal.
YiSpecter can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information to the C2 server from the infected iOS devices.
This malware has the capability to determine:
- Whether an iPhone is jailbroken or not, the malware can be successfully downloaded and installed
- Even if you manually delete the malware, it will automatically re-appear
- Using third-party tools you can find some strange additional “system apps” on infected phones
- On infected phones, in some cases when the user opens a normal app, a full screen advertisement will show up.
YiSpecter began to spread in November 2014, as per the forums. The main iOS apps of this malware have user interface and functionality that enable the watching of free porn videos online, and were advertised as “private version” or “version 5.0” of a famous media player “QVOD”. QVOD was developed by Kuaibo and became popular in China by users of porn trafficking.
As far as now, there are two main apps distributed in thus far:
- HYQvod (bundle id: weiying.Wvod)
- DaPian (bundle id: weiying.DaPian)
Both of them were spread by one or more of the multiple ways described earlier. They include the functionality of watching videos online by consuming credits and users can get credits by installing promoted iOS apps . But most important, it will download and install another malicious app popularly named NoIcon.
The aforementioned apps install NoIcon in a peculiar way. The app opens an HTTP server and listens on port 8080 using [HYAppDelegate createLocalHTTP Server]. This downloads NoIcon’s IPA and PLIST files and then QVOD uses these local files to construct a local HTTP server that infects iOS and spreads the apps distribution.
From the evidences that have been collected, it is being suggested that a company named YingMob Interaction is the sole developer of YISPECTER. YingMob Interaction’s enterprise certificate. In the NoIconUpdate’s code, we even found a README.md which names the company in the app’s release notes. YiSpecter’s C2 server has hosted some websites belonging to YingMob. For example, if we directly visit the subdomain for YiSpecter’s downloading, qvod.bb800[.]com, we can find it’s an “WAP iOS Traffic Platform Backend Management System” with copyright information of YingMob Interaction.
The world where only jailbroken iOS devices were threatened by malware is a thing of the past. WireLurker proved that non-jailbroken iOS devices can also be infected through abuse of the enterprise distribution mechanism. YiSpecter further shows us that this technique is being used to infect many iOS devices in the wild.