Less than a month after the discovery of the XcodeGhost malware in the iOS App Store, security firm Palo Alto Networks has found a new iOS malware family that it named YiSpecter. It is the first in-the-wild iOS malware seen to infect both jailbroken and non-jailbroken iPhones.
So far the victims are mainly users in mainland China and Taiwan, and the malware has been spreading for more than ten months. Yet at the time of the report only one of the 57 antivirus engines on VirusTotal, a free service that analyses suspicious files and URLs, detected it.
The malware has been active since November 2014. The main apps carrying it offer free online porn videos and were advertised as a "private version" or "version 5.0" of QVOD, a media player developed by Kuaibo that had become popular among Chinese users for sharing porn videos. After local police investigated Kuaibo in April 2014, YiSpecter's creators promoted their apps as alternatives to QVOD. The two main carrier apps are HYQvod and DaPian.
According to Palo Alto, YiSpecter consists of four components, all signed with enterprise certificates. By abusing private iOS APIs, these components download and install each other from a command-and-control (C2) server. Three of the four components can hide their icons from the iOS SpringBoard, so users cannot spot them on the home screen.
The malware performs a range of activities, and victims report that it reappears even after they delete it. NoIcon is the primary malicious component of YiSpecter and performs the following actions on an infected device:
- Connects to the command and control server via HTTP
- Uploads basic device information
- Retrieves and executes remote commands
- Changes the default Safari configuration
- Installs two further malicious apps named ADPage and NoIconUpdate
- Monitors the installed apps and hijacks their launch routine so that ADPage displays advertisements
Developer of YiSpecter
Palo Alto suspects YiSpecter was developed by YingMob Interaction, a company whose official site presents it as a Chinese mobile advertising platform. Three of YiSpecter's malicious components are signed with YingMob Interaction's enterprise certificate, and Palo Alto also found a README.md release note that names the company.
YingMob Interaction has also developed an iOS helper tool called HaoYi Apple Helper, which lets users install paid App Store apps without jailbreaking and hands out Apple IDs so that users need not register their own.
YiSpecter Vs XcodeGhost
Both YiSpecter and XcodeGhost attack non-jailbroken iOS devices, but they are separate families developed by different attackers. XcodeGhost collects system and app information and uploads it to a server; YiSpecter does the same but goes further, installing additional apps, hijacking other apps to show advertisements and changing Safari settings.
What should you do to prevent YiSpecter?
Palo Alto has released IPS signatures to detect and block YiSpecter's malicious C2 traffic, together with signatures that detect DNS queries for the C2 domains the malware uses. If your iPhone is infected, perform the following steps to remove it:
- Go to Settings >> General >> Profiles and remove all unknown profiles; YiSpecter's components are installed through enterprise provisioning profiles
- If you find any newly installed Chinese apps that you do not recognise, delete them
- Use a third-party iOS management tool to connect to the iPhone or iPad and list every installed app. If third-party apps named Phone, Weather, Game Center, Passbook, Notes or Cydia appear in that list, delete them: the genuine built-in apps are not user-installed, so apps carrying those names are YiSpecter components masquerading as system apps
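The third step above is a manual triage of the app list. The script below automates the same reasoning over an app inventory. It is an added example written for this page, not code from Palo Alto Networks or Apple: the inventory is constructed sample data in a hypothetical CSV export format (bundle_id, display_name, signer, hidden_icon), and the column names, the `IMPERSONATED_NAMES` set and the verdict tiers are assumptions. Adapt `parse_inventory` to whatever your management tool actually exports. The heuristic flags for deletion any app that borrows a built-in app's name without an Apple bundle identifier, or that hides its icon from SpringBoard, and marks other enterprise-signed apps for review, matching the profile-removal step.

```python
"""Triage an iOS app inventory for YiSpecter-style components.

Added example for this page; not Palo Alto Networks' or Apple's code.
The inventory format and field names are assumptions, and SAMPLE_INVENTORY
is constructed test data, not captured from a real device.
"""
import csv
import io

# Names the cleanup guidance lists: built-in app names reused by the
# malware's hidden components, plus Cydia, which should not exist on a
# non-jailbroken device.
IMPERSONATED_NAMES = {"Phone", "Weather", "Game Center", "Passbook", "Notes", "Cydia"}

# Genuine built-in apps carry Apple bundle identifiers.
APPLE_PREFIX = "com.apple."

# Constructed inventory (hypothetical CSV export; bundle IDs invented).
SAMPLE_INVENTORY = """bundle_id,display_name,signer,hidden_icon
com.apple.mobilephone,Phone,apple,no
com.apple.weather,Weather,apple,no
com.apple.mobilenotes,Notes,apple,no
com.example.dapian,DaPian,enterprise,no
com.example.noicon,Phone,enterprise,yes
com.example.adpage,Weather,enterprise,yes
com.example.corp.expense,Expense,enterprise,no
com.somegame.vendor,Fun Game,appstore,no
"""


def parse_inventory(text):
    """Parse the hypothetical CSV export into a list of app records."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "bundle_id": row["bundle_id"].strip(),
            "display_name": row["display_name"].strip(),
            "signer": row["signer"].strip().lower(),
            "hidden_icon": row["hidden_icon"].strip().lower() == "yes",
        })
    return records


def classify(app):
    """Return (verdict, reasons) for one app record.

    verdict is "delete" (matches the manual removal rule), "review"
    (enterprise-signed, so check the provisioning profile) or "ok".
    """
    reasons = []
    impersonates = (app["display_name"] in IMPERSONATED_NAMES
                    and not app["bundle_id"].startswith(APPLE_PREFIX))
    if impersonates:
        reasons.append("uses a built-in app name but is not an Apple bundle")
    if app["hidden_icon"]:
        reasons.append("icon hidden from SpringBoard")
    if app["signer"] == "enterprise":
        reasons.append("enterprise-signed (installed via a provisioning profile)")

    if impersonates or app["hidden_icon"]:
        verdict = "delete"
    elif app["signer"] == "enterprise":
        verdict = "review"
    else:
        verdict = "ok"
    return verdict, reasons


def triage(text):
    """Map bundle_id -> (verdict, reasons) for every app that is not 'ok'."""
    findings = {}
    for app in parse_inventory(text):
        verdict, reasons = classify(app)
        if verdict != "ok":
            findings[app["bundle_id"]] = (verdict, reasons)
    return findings


if __name__ == "__main__":
    for bundle_id, (verdict, reasons) in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{verdict:7} {bundle_id}: {'; '.join(reasons)}")
```

On the constructed data the two hidden, name-borrowing components come back as "delete", the visible enterprise-signed apps (including the DaPian carrier) as "review", and the genuine com.apple.* apps and the App Store game are left alone. The "review" tier exists because an enterprise certificate alone is not proof of malware; many organisations legitimately distribute internal apps that way, so the verdict for those depends on whether the profile in Settings >> General >> Profiles is one you recognise. On an intentionally jailbroken device, Cydia will be flagged too and should be whitelisted.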
Palo Alto also advises users not to download apps from suspect sources and to install apps only from the official App Store.