Recently, researchers from Palo Alto Networks discovered a new iOS malware, called YiSpecter, that can infect both jailbroken and non-jailbroken devices. It is the first malware the researchers have seen that abuses private APIs in iOS and abuses the enterprise distribution mechanism. It is currently targeting users in China and Taiwan, and many users have already reported the malware to Apple. YiSpecter has been out for about 10 months. Since 2014, only one of the 57 vendors on VirusTotal, Qihoo, had detected YiSpecter as malware. Qihoo did not share any samples, so no other vendor could detect YiSpecter.
So far, researchers have found four different ways YiSpecter was spread. First, YiSpecter was disguised as a media player app such as “QVOD” and “DaPian”; these two apps then downloaded the other malicious apps that make up YiSpecter’s components, called NoIcon, ADPage, and NoIconUpdate. Second, the malware was spread through ISP traffic hijacking: some local ISPs in China supported DNS hijacking and internet traffic hijacking attacks. Third, YiSpecter was spread by the Lingdun worm. Fourth, YiSpecter was spread through offline app installations, where a user downloads a developer’s app and is paid for downloading it.
YiSpecter’s apps were signed with three iOS enterprise certificates. Signing this way bypasses Apple’s strict App Store code review. However, when installing such apps, the user must first mark the enterprise’s profile as “trusted” and must also confirm that the app may open when executing it for the first time.
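Enterprise signing is the security-relevant detail here: an in-house provisioning profile installs on any device without Apple’s review, so a defender triaging an unexpected app wants to know which kind of profile it carries. The script below is an added example (not code from the original post or from Palo Alto Networks) that pulls the XML plist out of an `embedded.mobileprovision` blob and classifies it as enterprise, ad-hoc/development, or App Store. The two sample profiles, their team names and app identifiers are constructed placeholders, and the DER-looking bytes around the plist are filler standing in for the real CMS envelope.

```python
"""Classify iOS provisioning profiles; flag enterprise (in-house) distribution.

Added example, not from the original post or from Palo Alto Networks.
Assumption: embedded.mobileprovision is a CMS/PKCS#7 DER envelope that
wraps an XML plist, so the plist can be located by its start/end markers.
"""
import plistlib
import re
from datetime import datetime, timezone
from typing import Optional

# Matches the XML plist embedded in the DER envelope of a .mobileprovision file.
PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_plist(blob: bytes) -> dict:
    """Return the plist dict embedded in a .mobileprovision blob."""
    match = PLIST_RE.search(blob)
    if match is None:
        raise ValueError("no XML plist found in provisioning profile")
    return plistlib.loads(match.group(0))


def classify_profile(profile: dict, now: Optional[datetime] = None) -> dict:
    """Classify a provisioning profile and list review-relevant findings."""
    now = now or datetime.now(timezone.utc)
    devices = profile.get("ProvisionedDevices") or []
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"  # in-house: installs on any device, no App Store review
    elif devices:
        kind = "development/ad-hoc"  # restricted to an explicit UDID list
    else:
        kind = "app-store"
    expiry = profile.get("ExpirationDate")
    if isinstance(expiry, datetime) and expiry.tzinfo is None:
        expiry = expiry.replace(tzinfo=timezone.utc)  # plistlib dates are UTC
    expired = bool(expiry and expiry < now)
    entitlements = profile.get("Entitlements") or {}
    findings = []
    if kind == "enterprise":
        findings.append("enterprise-signed: not reviewed by Apple; confirm the team is your own organisation")
    if expired:
        findings.append("profile expired: iOS will refuse to launch the app once it re-validates")
    if entitlements.get("get-task-allow"):
        findings.append("get-task-allow: debuggable build, not meant for distribution")
    return {
        "kind": kind,
        "team": profile.get("TeamName", "<unknown>"),
        "app_id": entitlements.get("application-identifier", "<unknown>"),
        "expired": expired,
        "device_count": len(devices),
        "findings": findings,
    }


def wrap_in_fake_envelope(profile: dict) -> bytes:
    """Constructed test data: an XML plist framed by DER-looking filler bytes."""
    return (b"\x30\x82\x0a\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
            + plistlib.dumps(profile)
            + b"\xa0\x82\x05\x00\x30\x82\x04\xfc")


# Constructed samples; team names and identifiers are placeholders, not YiSpecter's.
ENTERPRISE_PROFILE = wrap_in_fake_envelope({
    "Name": "Example Player In-House",
    "TeamName": "Example Enterprise Co",
    "ProvisionsAllDevices": True,
    "ExpirationDate": datetime(2016, 10, 1),
    "Entitlements": {"application-identifier": "ABCDE12345.com.example.player",
                     "get-task-allow": False},
})

ADHOC_PROFILE = wrap_in_fake_envelope({
    "Name": "Example Player Beta",
    "TeamName": "Example Dev Team",
    "ProvisionedDevices": ["00008030-000000000000002E"],
    "ExpirationDate": datetime(2099, 1, 1),
    "Entitlements": {"application-identifier": "ABCDE12345.com.example.player",
                     "get-task-allow": True},
})


def audit(blob: bytes, now: Optional[datetime] = None) -> dict:
    """Extract and classify one embedded.mobileprovision blob."""
    return classify_profile(extract_plist(blob), now)


if __name__ == "__main__":
    for label, blob in (("enterprise", ENTERPRISE_PROFILE), ("ad-hoc", ADHOC_PROFILE)):
        report = audit(blob)
        print(f"{label}: kind={report['kind']} team={report['team']!r} "
              f"expired={report['expired']} findings={report['findings']}")
```

To run it against a real app, unzip the IPA and feed the bytes of `Payload/<App>.app/embedded.mobileprovision` to `audit()`. An "enterprise" result on a consumer device is the condition this post describes: the app reached the device through an in-house certificate rather than the App Store, and the team name tells you whose certificate was used.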
NoIcon is a malicious component of YiSpecter. NoIcon can remove an already installed app from the iOS device and replace it with a “fake” app. NoIcon updates regularly and checks whether the other components of YiSpecter are still installed, so users who uninstall the main app will still be infected. The components also have a function that hides them from the SpringBoard, making it impossible to uninstall them. Another of NoIcon’s functions is to hijack other apps with ads. NoIcon can change and modify Safari’s bookmarks and search engines. Lastly, the app can collect device data such as the installed apps, running processes, UUID, and MAC address.
Luckily, there is a way to remove YiSpecter by removing all unknown or untrusted profiles:
- Go to Settings->General->Profiles and remove all unknown or untrusted profiles
- Delete any apps named: “情涩播放器”, “快播私密版” or “快播0”
- Use a third-party iOS management tool to delete the default iOS installed apps