Cybersecurity firm Palo Alto Networks has identified new malware, which it calls YiSpecter, that infects iOS devices by abusing private APIs. Most affected users live in China and Taiwan.
Once it infects a phone, YiSpecter can install unwanted apps; replace legitimate apps with ones it has downloaded; force apps to display full-screen advertisements; change bookmarks and the default search engine in Safari; and send user information back to its server. It also reappears automatically even after users manually delete it from their iOS devices.
Palo Alto Networks says YiSpecter is unusual among the iOS malware identified so far because it misuses private APIs to let its four components, which are signed with enterprise certificates so that they appear legitimate, download and install each other from a centralized server.
In a blog post, Palo Alto Networks security researcher Claud Xiao wrote that by abusing enterprise certificates and private APIs, YiSpecter is not only able to infect more devices, but “pushes the line barrier of iOS security back another step.”
Three of the components can hide their icons from iOS SpringBoard (the standard app that runs the home screen) and even disguise themselves with the names and logos of other apps so that users do not notice them. Palo Alto Networks says the malware has been infecting iOS devices for over 10 months, but only one out of 57 security vendors in VirusTotal, a free scanning service, currently detects it.
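The two traits the article attributes to YiSpecter's components, enterprise-certificate signing and icons hidden from SpringBoard, are both visible in a sideloaded app bundle before it is ever installed. The following triage script is an added example written for this page, not code from Palo Alto Networks or TechCrunch. It assumes the common way to check the first trait: an enterprise (in-house) provisioning profile carries `ProvisionsAllDevices = true` in its `embedded.mobileprovision`, while App Store and ad-hoc profiles do not. For the second trait it assumes the widely documented private `SBAppTags` Info.plist key with the value `hidden`; the article does not name the mechanism YiSpecter uses, so treat that check as a heuristic. The sample IPA is constructed in memory so the script runs offline.

```python
import io
import plistlib
import zipfile

# Constructed sample data (not real YiSpecter artifacts): an in-house profile
# and an Info.plist that asks SpringBoard to hide the app's icon.
SAMPLE_ENTERPRISE_PROFILE = {
    "Name": "Example In-House Profile",
    "TeamName": "Example Corp",
    "ProvisionsAllDevices": True,  # present and True only for enterprise profiles
    "Entitlements": {"application-identifier": "TEAM123.com.example.app"},
}
SAMPLE_HIDDEN_INFO_PLIST = {
    "CFBundleIdentifier": "com.example.app",
    "SBAppTags": ["hidden"],  # assumed private key; heuristic, not from the article
}


def build_sample_ipa(profile: dict, info: dict) -> bytes:
    """Build an in-memory IPA-like zip with embedded.mobileprovision and Info.plist.

    Real profiles are CMS (PKCS#7) signed DER; here the XML plist is wrapped in
    filler bytes so the extractor below has to locate it the same way.
    """
    profile_xml = plistlib.dumps(profile)
    provision = b"\x30\x82\x01\x00" + b"\x00" * 16 + profile_xml + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Example.app/embedded.mobileprovision", provision)
        z.writestr("Payload/Example.app/Info.plist", plistlib.dumps(info))
    return buf.getvalue()


def extract_profile_plist(raw: bytes) -> dict:
    """Pull the XML plist out of a CMS-signed mobileprovision.

    The CMS signature is not verified here; this only reads the embedded plist.
    """
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no XML plist found in provisioning profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def triage_ipa(ipa_bytes: bytes) -> dict:
    """Return indicators relevant to the behaviours described in the article."""
    findings = {"enterprise_signed": False, "hidden_from_springboard": False, "team": None}
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        for name in z.namelist():
            if name.endswith("/embedded.mobileprovision"):
                profile = extract_profile_plist(z.read(name))
                findings["team"] = profile.get("TeamName")
                # Enterprise profiles can install on any device without review.
                findings["enterprise_signed"] = bool(profile.get("ProvisionsAllDevices"))
            elif name.endswith(".app/Info.plist"):
                # Matches the main bundle (and any nested .app); frameworks are skipped.
                info = plistlib.loads(z.read(name))
                tags = info.get("SBAppTags", [])
                findings["hidden_from_springboard"] = "hidden" in tags
    return findings


if __name__ == "__main__":
    sample = build_sample_ipa(SAMPLE_ENTERPRISE_PROFILE, SAMPLE_HIDDEN_INFO_PLIST)
    print(triage_ipa(sample))
```

Neither indicator is proof of malice on its own: legitimate in-house apps are enterprise-signed, and a hidden icon has benign uses. What matters for triage is the combination the article describes: an enterprise-signed bundle that was never distributed by the organisation named in `TeamName`, hides itself from the home screen, and arrives through an unexpected channel.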
YiSpecter first spread by masquerading as an app that allows users to view free porn. It then infected more phones through hijacked traffic from Internet service providers, a Windows worm that first attacked QQ (an IM service by Tencent), and online communities where users install third-party apps in exchange for promotion fees from developers.
Last month, another piece of malware called XcodeGhost infected almost 40 popular apps in the Chinese App Store, which is very unusual because apps must pass Apple's strict review before reaching the store. Despite the unusual nature of both pieces of malware, however, Palo Alto Networks says there is no evidence that XcodeGhost and YiSpecter are related.
TechCrunch has contacted Apple for comment.
Palo Alto Networks’ blog post has more information on YiSpecter, as well as detailed steps for removing it from devices.