YiSpecter: New iOS malware attacks non-jailbroken devices

From the Palo Alto Networks blog post:

We recently identified a new Apple iOS malware and named it YiSpecter. YiSpecter is different from previously seen iOS malware in that it attacks both jailbroken and non-jailbroken iOS devices through unique and harmful malicious behaviors. Specifically, it’s the first malware we’ve seen in the wild that abuses private APIs in the iOS system to implement malicious functionalities.

So far, the malware primarily affects iOS users in mainland China and Taiwan. It spreads via unusual means, including the hijacking of traffic from nationwide ISPs, an SNS worm on Windows, and an offline app installation and community promotion. Many victims have discussed YiSpecter infections of their jailbroken and non-jailbroken iPhones in online forums and have reported the activity to Apple. The malware has been in the wild for over 10 months, but out of 57 security vendors in VirusTotal, only one is detecting the malware at the time of this writing.


On infected iOS devices, YiSpecter can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information to the C2 server. According to victims’ reports, all these behaviors have been exhibited in YiSpecter attacks in the past few months. Some other characteristics about this malware include:

  • Whether an iPhone is jailbroken or not, the malware can be successfully downloaded and installed
  • Even if you manually delete the malware, it will automatically re-appear
  • Using third-party tools you can find some strange additional “system apps” on infected phones
  • On infected phones, in some cases when the user opens a normal app, a full screen advertisement will show

Palo Alto Networks is the company that put out the word on the recent GhostXcode malware.

  • Read Palo Alto Networks blog post. Looks like if you stay away from Chinese apps, and particularly ones that ask for special permission to install because they are enterprise apps (i.e. don’t load a company specific app unless you are actually part of that company and they told you to do so), then we should be relatively safe. Also, be wary of “gray market” apps (for jailbroken phones) as well as porn apps and websites. The usual on those last.

    Have I missed anything?

    Apple is going to have to do something to lock down the enterprise certificates, though. This has been a vector of trouble before.

  • Sigivald

    Important to note, as Mr. Lewis says, that the infection is via the “Enterprise Distribution” method, and you have to OK the installation.

    This should be a big red flag to people who aren’t, well, installing something their company sent them.

    (And the article says IOS9 simply disallows it unless you manually turn on trust for the profile, if I read it correctly.

    Good thing IOS upgrade adoption is massive and fast.)

    • Mikhail_T

      Correct, Apple is intentionally making it more difficult in the later iOS versions by forcing you to do multiple things to approve an enterprise profile.