How to Protect Against YiSpecter iOS Malware
Researchers at Palo Alto Networks recently identified a new iOS malware, called YiSpecter. YiSpecter differs from other variations of iOS malware in that it attacks both jailbroken and non-jailbroken devices. It is the first major iOS malware that uses Apple’s private APIs, allowing it to be more impactful. XcodeGhost, disclosed earlier in the month, relied only on approved Apple APIs, which limited its impact.
Moreover, YiSpecter propagates via unusual means: a few popular channels include Internet traffic hijacking, an SNS Windows worm and community promotion. Though only recently discovered, YiSpecter has been around for over ten months. Currently, only one out of 57 virus scanners on VirusTotal detects this malware (we are sure this will change very quickly). We are very happy to let our customers know that the Enterprise Edition of Skycure detects and protects against YiSpecter and other known and unknown iOS malware.
The Impact of YiSpecter iOS Malware
Once installed and executed, YiSpecter uses a variety of private APIs (we predict that more and more hackers will make use of these in the future) to install additional apps and hide them from the “desktop” (springboard), to uninstall other apps (which might be security apps) and replace them, and to hijack the execution of other apps in order to show ads. Under certain conditions (on jailbroken devices) it also changes Safari configurations.
Some (not all) of the techniques used by YiSpecter are already mitigated in iOS 9 (e.g., using enterprise provisioning profiles to lure victims into installing apps from outside the App Store). With the Enterprise Edition of Skycure, one can detect a variety of threats, including the YiSpecter malware, and apply the relevant security and compliance policy to alert on, quarantine, or block infected devices.
In addition, we have put together a list of recommendations to help end-users stay safe until other security solutions catch up on detection and mitigation:
- Update to iOS 9 immediately
- On your iOS device, go to Settings > General > Profiles and remove any malicious profile or the profiles you do not recognize. (Profiles will not show up under General if you do not have any Profiles installed.)
- Use a trusted third-party iOS management tool and delete apps with names similar to Apple native apps such as Game Center, Notes, Phone, Passbook, etc. This will just delete the fake malicious apps and will not affect the native apps.
- Do not click on any dialog boxes that pop up on your phone until you are sure about the action that caused them to appear. For example, on some infected devices, a full-screen ad appears on opening a normal app.
- Download Skycure from the Apple App Store and upgrade to the Enterprise Edition.
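The third recommendation above asks you to find apps whose names imitate Apple's built-in apps. One way to automate that check over an app inventory is shown below. This is an added example, not Skycure's code or part of the original post; it assumes the inventory has been exported from a third-party iOS management tool as a list of records with a display name and a bundle identifier (the field names and all sample records are constructed for illustration), and it relies on genuine Apple apps using bundle identifiers under the `com.apple.` prefix.

```python
"""Flag installed iOS apps whose display names mimic Apple's built-in apps
but whose bundle identifiers are not Apple's own.

Added example (not Skycure's code). It assumes an app inventory exported
from a third-party iOS management tool as a list of records, each with a
display name and a bundle identifier; the field names ('name', 'bundle_id')
and the sample records below are constructed for illustration.
"""
import re

# Display names the advisory says the malware imitates.
NATIVE_APP_NAMES = {"Game Center", "Notes", "Phone", "Passbook"}


def normalise(name: str) -> str:
    """Lower-case and strip whitespace/punctuation so that look-alike
    spellings such as 'Game Center', 'GameCenter' and 'game center' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


NORMALISED_NATIVE = {normalise(n) for n in NATIVE_APP_NAMES}


def is_apple_bundle(bundle_id: str) -> bool:
    """Genuine Apple apps use bundle identifiers under the com.apple. prefix."""
    return bundle_id.lower().startswith("com.apple.")


def find_impostor_apps(inventory):
    """Return the inventory records whose display name looks like a native
    Apple app but whose bundle identifier is not Apple's.

    Each record is a dict with at least 'name' and 'bundle_id' (assumed schema).
    """
    suspicious = []
    for app in inventory:
        name = normalise(app.get("name", ""))
        bundle_id = app.get("bundle_id", "")
        if name in NORMALISED_NATIVE and not is_apple_bundle(bundle_id):
            suspicious.append(app)
    return suspicious


# Constructed sample inventory: two genuine Apple apps, one ordinary
# third-party app, and two look-alikes with non-Apple bundle identifiers.
SAMPLE_INVENTORY = [
    {"name": "Notes", "bundle_id": "com.apple.mobilenotes"},
    {"name": "Phone", "bundle_id": "com.apple.mobilephone"},
    {"name": "Weather Pro", "bundle_id": "com.example.weatherpro"},
    {"name": "Game Center", "bundle_id": "com.example.placeholder.gc"},
    {"name": "passbook", "bundle_id": "org.example.fakewallet"},
]

if __name__ == "__main__":
    for app in find_impostor_apps(SAMPLE_INVENTORY):
        print(f"SUSPICIOUS: {app['name']!r} with bundle id {app['bundle_id']}")
```

Run it against an inventory taken by a management tool rather than by looking at the home screen, since the post notes that the malware hides its apps from the springboard. The check deliberately keys on the bundle identifier rather than the name alone, so a genuine Apple app that was merely renamed or localised is not flagged, while a third-party app borrowing a native name is.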
If you need help with assessing whether your organization is at risk because of YiSpecter or any mobile vulnerability, threat or attack, you can request a free trial of Skycure Enterprise Edition here.