Dubbed YiSpecter, it hooks into private APIs in the iOS system. It has been around for 10 months but was only seen in China and Taiwan. Now it appears to be spreading.
Distribution methods have so far included hijacking traffic from nationwide ISPs, a Windows worm, offline app installation and community promotion. Normally the malware poses as a "private version" or "version 5.0" of QVOD, which was a famous porn player. However, it has been getting more cunning lately.
Each of YiSpecter's four components is signed with an enterprise certificate, which makes it look legit.
It also uses the same names and logos as system apps and hides its icons from iOS's SpringBoard, which prevents the user from finding and deleting them. Once installed, the malware mounts a variety of cybercrime scams.
It downloads, installs and launches arbitrary iOS apps, replaces existing apps with those it downloads, hijacks other apps to show adverts, changes Safari's default search engine, bookmarks and opened pages, and uploads device information to a command and control server. Manually removing YiSpecter is tricky but possible. Apparently praying to the ghost of Steve Jobs does not help at all.
WireLurker showed hackers how to infect non-jailbroken iOS devices by abusing enterprise certificates, and it had already been known that private APIs could be used to implement sensitive functionality in iOS. YiSpecter combines these two techniques.
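As an added example (not from the original article or from Palo Alto Networks), the check below reads the provisioning profile embedded in an iOS app and flags the enterprise-distribution model that WireLurker and YiSpecter relied on to skip App Store review. The profile bytes, team name and team identifier are constructed; real profiles wrap the same XML plist in a CMS signature, which is why the extractor searches for the plist rather than parsing the whole blob.

```python
import plistlib
from datetime import datetime, timezone

# Constructed sample (not a real profile): the plist body of an enterprise
# provisioning profile, padded with a few bytes to stand in for the CMS
# wrapper that a real embedded.mobileprovision carries around the XML.
SAMPLE_MOBILEPROVISION = b"\x30\x82\x0b\x8c" + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Example In-House Profile</string>
  <key>TeamName</key><string>EXAMPLE ENTERPRISE LTD</string>
  <key>TeamIdentifier</key><array><string>EXAMPLETEAM</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>
  <key>Entitlements</key><dict><key>get-task-allow</key><false/></dict>
</dict></plist>
""" + b"\x00" * 8


def extract_profile(raw: bytes) -> dict:
    """Locate the XML plist inside a CMS-wrapped .mobileprovision and parse it."""
    start, end = raw.find(b"<?xml"), raw.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded plist in provisioning profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def classify_profile(profile: dict) -> str:
    """Infer the distribution model from the keys Apple puts in the profile."""
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"  # in-house distribution: any device, no App Store review
    if profile.get("ProvisionedDevices"):
        # Dev and ad-hoc profiles both pin a UDID list; only dev lets a debugger attach.
        debuggable = profile.get("Entitlements", {}).get("get-task-allow")
        return "development" if debuggable else "ad-hoc"
    return "store"  # neither flag: not a sideloading profile


def audit_profile(raw: bytes) -> dict:
    """Summarise what triage needs: who signed it, how it is distributed, whether it is still valid."""
    profile = extract_profile(raw)
    expires = profile["ExpirationDate"]  # plistlib returns a naive UTC datetime
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    return {
        "team": profile.get("TeamName"),
        "team_id": (profile.get("TeamIdentifier") or [None])[0],
        "model": classify_profile(profile),
        "expired": expires < now,
    }
```

On a real IPA, unzip it and feed the bytes of `Payload/<App>.app/embedded.mobileprovision` to `audit_profile`; an "enterprise" result from a team you do not recognise is the signal to investigate.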
Palo Alto Networks has released IPS (intrusion prevention system) and DNS signatures to block YiSpecter's malicious traffic. Apple has also been notified about the outbreak.
"The key techniques deployed in YiSpecter are bypassing App Store reviews using enterprise distribution and abusing iOS private APIs to perform sensitive operations," it adds.