iPhone App Store malware alert: YiSpecter hid in plain sight for 10 months

And Apple ignored the problem for seven months, according to AV firm


iPhone malware distributed via Apple's App Store. YiSpecter is the latest malicious app that Apple's crack security team let slip through the net -- despite being warned about the problem in February.

And Palo Alto now counts more than 100 App Store apps that abuse private APIs to slip past Apple's review. YiSpecter itself has lurked since November.

More proof, were proof needed, that iOS is not invulnerable to malware.

Some say the problem is limited to China. But that doesn't seem credible, seeing as at least one of the vectors isn't regional.

In IT Blogwatch, bloggers eyeroll. Not to mention: More fascinating UNIX musings from Brian Kernighan...

curated these bloggy bits for your entertainment.
[Developing story: Updated 7:15 am and 11:26 am PT with more comment]


Newley Purnell and Josh Chin break the story:

Cyber security researchers have identified malware that targets users of Apple’s iOS mobile operating system. ... The news comes just two weeks after researchers said that in a first-of-its-kind security breach, [4,000+ iOS] apps were infected with a different kind of malware.

YiSpecter spreads via malicious code inserted into web pages, a PC worm, and various underground app distribution websites. [It] can affect not just devices...that have been “jailbroken”...but also non-jailbroken devices.

Apple did not immediately respond to a request for comment. ... It spread through Apple’s App Store and may have been exposed to millions of users, researchers said. ... Palo Alto Networks identified 23 different samples of YiSpecter that have been publicly available since last year.  MORE


And Tim "mea" Culpan 'fesses up:

[You're fired -Ed.]

Attackers are able to bypass Apple security measures intended to limit the spread of malicious code. ... YiSpecter began spreading as early as November 2014.

While similar [to XcodeGhost, it] was likely developed by a different organization and has the added ability to install applications while hiding the icon from the device’s screen.

A Beijing-based spokeswoman for Apple wasn’t immediately able to comment on the report Monday, which is a public holiday in China.  MORE


Claud Xiao and friends discovered the problem:

It’s the first malware we’ve seen in the wild that abuses private APIs in the iOS system. ... Many victims have discussed YiSpecter infections of their...non-jailbroken iPhones in online forums and have reported the activity to Apple. [Yet it] has been in the wild for over 10 months.

It pushes the line barrier of iOS security back another step. ... Over 100 apps in the App Store have abused private APIs and bypassed Apple’s strict code review. What that means is the [malware] can affect all normal iOS users who only download apps from the App Store. ... YiSpecter began to spread in the wild in November 2014, if not earlier.

There are at least two main apps distributed in the wild thus far: HYQvod (bundle id: weiying.Wvod) [and] DaPian (bundle id: weiying.DaPian). ... They include the functionality of watching videos online by consuming credits and users can get credits by installing additional iOS apps. [And] it will download and install another malicious app we have named...NoIcon (bundle id: com.weiying.hiddenIconLaunch)...the main malicious component of YiSpecter. ... ADPage (bundle id: com.weiying.ad) is responsible for displaying advertisements. ... NoIconUpdate (bundle id: com.weiying.noiconupdate) regularly checks for other components’ existence, connects with the C2 server and reports its installation information. [It] uses “bb800.com” as its C2 server’s domain name.

There is a lot of evidence that suggests YiSpecter was developed by a company named “YingMob Interaction (微赢互动)”. ... This attack vector breaks Apple’s security mechanisms and is likely to be abused in future attacks. ... We now know that abusing private APIs in the iOS system could be an independent attack technique and could affect all iOS users. ... Even apps from the App Store can also abuse private APIs for harmful operations.  MORE


Josh Horwitz is just horrified:

Two weeks after Apple suffered one of its biggest security blows ever, another strain of malware.

A source close to the matter [says] the vulnerability permitting YiSpecter’s spread has been fixed for iOS 9, the iPhone’s most recent operating system upgrade.  MORE


But Catherine Shu is on the other foot:

Three of the components can hide their icons from iOS SpringBoard (the...home screen) and even disguise themselves with the names and logos of other apps.

YiSpecter first spread by masquerading as an app that allows users to view free porn.  MORE


Free porn, you say? Cătălin "not Bakelite" Cimpanu explainifies:

Attackers created a malicious app, which they promoted as the QVOD Player version 5. QVOD is a discontinued mobile video player for adult content, which was shut down by Chinese authorities.

YiSpecter can affect...devices with the help of four components, all signed with enterprise certificates. These components allow the malware to bypass various of Apple's built-in security protocols.

The malware was first seen [in] November 2014. ... Chinese antivirus company Qihoo [first] reported on it back in February 2015.  MORE


Update: Rahil Bhagat managed to get an answer out of Apple PR, but goes on to demonstrate the irony in the statement:

"We advise customers to stay current and only download content from the App Store and trusted sources. ... This particular vulnerability was indeed fixed in iOS 9.0."

The news comes two weeks after the XcodeGhost attack caused Apple to pull a host of trusted, high-profile apps.  MORE


So Liam Tung licks the cream from the story:

The YiSpecter malware...exploits the iOS system's private APIs [which] remain undocumented by Apple, possibly because they're not ready for wider use. ... Attackers are using those private APIs to infect iPhone and iPad owners who only install apps from the official App Store.

The discovery...follows the recent finding that over 4,000 apps laced with the XcodeGhost malware had leaked into the App Store.  MORE


Meanwhile, this pseudonymous tweep uses up one of their wishes:

Wish this was a surprise. That walled garden has some stones missing.  MORE


Update 2: Michael Mimoso mixes a mean drink:

Researchers warned that the November unveiling of the WireLurker malware...could turn out to be a blueprint for...iOS malware writers. [It] demonstrated how the abuse of Apple-issued enterprise developer certificates was an effective means of getting malicious code onto...iPhones and iPads.

YiSpecter...followed WireLurker’s lead and combined the use of certs...with the abuse of private APIs. ... The certificates cost $299 and are available only to vetted and verified businesses wishing to develop enterprise apps.

Academic research had...demonstrated the potential for abuse around these certs. ... The increased attention on the issue...caused Apple to respond in the recently released iOS 9 with a feature that forces users...to go through a couple of extra hoops.

The use of private APIs to install malicious apps is also worrisome in that it can be used to carry out a number of sensitive operations.  MORE
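A worked triage example, added to this column and not code from Palo Alto Networks, Apple or any of the bloggers quoted above. It turns two threads of the story into something a responder can run: the YiSpecter indicators Palo Alto published (the five bundle IDs and the bb800.com C2 domain) and Mimoso's point that every component was signed with an enterprise certificate, which on a device shows up as an embedded provisioning profile with ProvisionsAllDevices set. The app inventory, provisioning-profile bodies and proxy log lines are constructed samples; the log layout, the team names and the sample bundle ID com.example.fieldapp are assumptions, and the CMS signature that wraps a real mobileprovision file is assumed already stripped.

```python
"""Triage helper: flag YiSpecter indicators and enterprise-signed apps.

Added example, not code from Palo Alto Networks, Apple or the column.
Indicators come from the Palo Alto description quoted above; the app
inventory, provisioning profiles and proxy log below are CONSTRUCTED.
"""
import plistlib
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Bundle IDs and C2 domain as quoted from Palo Alto Networks' write-up.
YISPECTER_BUNDLE_IDS = {
    "weiying.Wvod",                  # HYQvod
    "weiying.DaPian",                # DaPian
    "com.weiying.hiddenIconLaunch",  # NoIcon (main malicious component)
    "com.weiying.ad",                # ADPage
    "com.weiying.noiconupdate",      # NoIconUpdate
}
C2_DOMAIN = "bb800.com"


@dataclass
class InstalledApp:
    bundle_id: str
    display_name: str
    # Raw plist body of embedded.mobileprovision; None for App Store installs,
    # which carry no embedded profile. Real profiles are CMS-signed; the CMS
    # wrapper is assumed already stripped here.
    profile: Optional[bytes] = None


def is_c2_host(host: str) -> bool:
    """True for bb800.com and any subdomain; 'notbb800.com' must not match."""
    h = host.lower().rstrip(".")
    return h == C2_DOMAIN or h.endswith("." + C2_DOMAIN)


def profile_kind(profile: Optional[bytes]) -> str:
    """Classify provisioning from standard mobileprovision keys: enterprise
    (in-house) profiles set ProvisionsAllDevices, ad-hoc ones list
    ProvisionedDevices, anything else is a development profile."""
    if profile is None:
        return "appstore"
    p = plistlib.loads(profile)
    if p.get("ProvisionsAllDevices"):
        return "enterprise"
    if p.get("ProvisionedDevices"):
        return "adhoc"
    return "development"


# Assumed proxy log layout: "<timestamp> <client-ip> <method> <url> <status>".
_LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\w+)://([^/:\s]+)(?::\d+)?(\S*) (\d{3})$")


def hosts_from_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client-ip, host) pairs for every parseable proxy line."""
    out = []
    for line in lines:
        m = _LOG_RE.match(line.strip())
        if m:
            out.append((m.group(2), m.group(5)))
    return out


def triage(apps: List[InstalledApp], log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for a device inventory plus its proxy log."""
    findings = []
    for app in apps:
        if app.bundle_id in YISPECTER_BUNDLE_IDS:
            findings.append(("high", f"{app.bundle_id} ({app.display_name}): known YiSpecter component"))
        elif profile_kind(app.profile) == "enterprise":
            team = plistlib.loads(app.profile).get("TeamName", "unknown team")
            findings.append(("medium", f"{app.bundle_id} ({app.display_name}): enterprise-signed by {team}; confirm it is yours"))
    for client, host in hosts_from_log(log_lines):
        if is_c2_host(host):
            findings.append(("high", f"{client} contacted YiSpecter C2 host {host}"))
    return findings


def enterprise_profile(team: str) -> bytes:
    """Build a minimal CONSTRUCTED enterprise profile body for the sample below."""
    return plistlib.dumps({
        "AppIDName": "Sample App",
        "TeamName": team,
        "TeamIdentifier": ["ABCDE12345"],  # constructed
        "ProvisionsAllDevices": True,
        "Entitlements": {"application-identifier": "ABCDE12345.*", "get-task-allow": False},
    })


# Constructed sample inventory and proxy log (not real captures).
SAMPLE_APPS = [
    InstalledApp("com.apple.mobilesafari", "Safari"),
    InstalledApp("weiying.Wvod", "HYQvod", enterprise_profile("Constructed Team A")),
    InstalledApp("com.weiying.hiddenIconLaunch", "NoIcon", enterprise_profile("Constructed Team A")),
    InstalledApp("com.example.fieldapp", "Field Ops", enterprise_profile("Example Corp")),
]
SAMPLE_LOG = [
    "2015-10-05T08:12:01Z 10.0.0.23 GET http://www.bb800.com/ios/check 200",
    "2015-10-05T08:12:05Z 10.0.0.23 GET https://itunes.apple.com/us/app/x 200",
    "2015-10-05T08:13:40Z 10.0.0.41 POST http://bb800.com:8080/report 200",
    "2015-10-05T08:14:02Z 10.0.0.41 GET http://notbb800.com/ 200",
]

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_APPS, SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

Run as-is it reports the two known YiSpecter bundle IDs and the two clients talking to bb800.com as high, and the unrelated enterprise-signed app as medium, since an in-house profile is exactly what a legitimate corporate app and a YiSpecter dropper have in common; the analyst, not the script, decides which team names belong. Note that the domain match keeps the leading dot so look-alike domains such as notbb800.com do not trip it.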


And Finally...
More fascinating UNIX musings from Brian Kernighan


You have been reading IT Blogwatch by , who curates the best bloggy bits, finest forums, and weirdest websites… so you don't have to. Catch the key commentary from around the Web every morning. Hatemail may be directed to @RiCHi or itbw@richi.uk.  Opinions expressed may not represent those of Computerworld. Ask your doctor before reading. Your mileage may vary. E&OE.
