Researchers have discovered a new type of iOS malware, which they say can “attack both jailbroken and non-jailbroken” devices.
The team from Palo Alto Networks reported that the malicious software, which it has dubbed YiSpecter, is unlike any other iOS malware that it has come across.
ESET has detected this malware as a trojan with both variants iOS/YiSpecter.A and iOS/YiSpecter.B.
Currently specific to iOS users in China and Taiwan, the malware is thought to be the first of its kind to abuse private APIs in the mobile operating system to carry out harmful actions.
“It spreads via unusual means, including the hijacking of traffic from nationwide ISPs, an SNS worm on Windows, and an offline app installation and community promotion,” the security company explained.
“Many victims have discussed YiSpecter infections of their jailbroken and non-jailbroken iPhones in online forums and have reported the activity to Apple.”
The malware is comprised of four distinct components, which are signed with enterprise certificates.
Through taking advantage of private APIs, these four units are able to “download and install each other” from a command and control server.
Three of the components then embed themselves into iOS by using deceptive techniques that effectively conceals their icons from the operating system’s home screen (known as SpringBoard).
Palo Alto Networks said that the malware can, on infected iOS devices, download, install and launch arbitrary iOS apps.
Additionally, YiSpecter can substitute current apps with the ones that it deliberately downloads, “hijack other apps’ execution to display advertisements, change Safari’s default search engine ... and upload device information to the server”.
The security company has reported the malware to Apple, asking the tech giant to “revoke the abused enterprise certificates”.
Its general advice to users is to refrain from downloading apps that come from unofficial sources, which includes websites and developers that are not well-known.
