So far, the malware primarily affects iOS users in mainland China and Taiwan. It spreads via unusual means, including the hijacking of traffic from nationwide ISPs, an SNS worm on Windows, and an offline app installation and community promotion.
YiSpecter consists of four different components that are signed with enterprise certificates. By abusing private APIs, these components download and install each other from a command and control (C2) server. Three of the malicious components use tricks to hide their icons from iOS’s SpringBoard, which prevents the user from finding and deleting them. The components also use the same name and logos of system apps to trick iOS power users.
On infected iOS devices, YiSpecter can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information to the C2 server. According to victims’ reports, all these behaviors have been exhibited in YiSpecter attacks in the past few months. Some other characteristics about this malware include:
- Whether an iPhone is jailbroken or not, the malware can be successfully downloaded and installed
- Even if you manually delete the malware, it will automatically re-appear
- Using third-party tools you can find some strange additional "system apps" on infected phones
- On infected phones, in some cases when the user opens a normal app, a full screen advertisement will show
Moreover, recent research shows that over 100 apps in the App Store have abused private APIs and bypassed Apple’s strict code review. What that means is the attacking technique of abusing private APIs can also be used separately and can affect all normal iOS users who only download apps from the App Store.
Palo Alto Networks has released IPS and DNS signatures to block YiSpecter’s malicious traffic.