ras-slava - Fotolia

New YiSpecter iOS malware affects non-jailbroken devices

Malicious actors have found new ways to attack non-jailbroken iOS devices, but experts say the YiSpecter iOS malware may not be as dangerous as it sounds.

New research has found iOS malware, called YiSpecter, has two unique characteristics: it abuses private APIs for malicious activity and it affects both jailbroken and non-jailbroken devices alike.

According to a blog post from Palo Alto Networks Inc.'s Unit 42 threat research team, the YiSpecter iOS malware has been found primarily in mainland China and Taiwan and has been active for the past 10 months. Even more troubling, YiSpecter is circulated through an enterprise distribution app, so it can be installed through a normal installation method on all iOS devices and not just the usual target for iOS malware of jailbroken devices. From a user perspective, the difference is that the installation will start with a link rather than through the iOS App Store.

Ryan Olson, director of threat intelligence for Unit 42, described the process as being fairly straightforward. When a user clicks a link to install the app, they will be redirected to a URL that looks legitimate and would normally point to an Apple URL. But, in this case it will point to an enterprise-signed installation URL controlled by the creator of the app, which will then provide the installation bundle.

"These apps were signed with enterprise certificates, meaning they were not from the official App Store, but they didn't need to be installed over USB," Olson said. "The users would have clicked a link and agreed to the installation of the enterprise signed app."

In addition to agreeing to install the app, Olson said users would also see a warning the first time the app was opened asking if the user is sure they want to open the app from the developer who created it.

"As long as they click 'continue' there, the app will run normally each time they open it," Olson said. "It's basically one extra hurdle, but it's not a big challenge for the user."

So, once the link is clicked, users running iOS 8 or older would see two warnings -- one to install the app and another to run it -- but, Apple has already changed the process in iOS 9 in order to make installing such malware more difficult.

Experts noted that in iOS 9, a user needs to approve enterprise certificates from specific developers in the settings menu before the installation process will be allowed to begin.

According to an Apple announcement, 50% of users had upgraded their devices to iOS 9 as of September 21st, less than one week after the update was released and days before the release of new iPhone hardware. 

The other unique characteristic of the YiSpecter iOS malware is the use of private APIs to conduct malicious activity. Olson said Apple prevents third-party apps from using private APIs because they can be used to perform actions outside of Apple's policies.

"Often times, the private APIs actually perform the heavy lifting after a published API call is made; the security checks may be implemented in the published API leaving the private one vulnerable," Olson said. "For instance, the published API might check whether an app is actually allowed to take an action (like sending a tweet) before calling the private API to actually send it. If the app could directly call the private API, the access control checks could be bypassed."

Olson and others suggested the best mitigation is in greater vigilance about what apps are installed and what enterprise certificates are trusted.

"Apple works very hard to prevent apps that use private APIs from getting into the App Store," Olson said. "There has been some academic research showing that they haven't been 100% successful, but their current process appears to be mostly effective."

Apple released a statement on the matter to The Loop:

"This issue only impacts users on older versions of iOS who have also downloaded malware from untrusted sources. We addressed this specific issue in iOS 8.4 and we have also blocked the identified apps that distribute this malware. We encourage customers to stay current with the latest version of iOS for the latest security updates. We also encourage them to only download from trusted sources like the App Store and pay attention to any warnings as they download apps."

Next Steps

Learn how to beat the risks of managing private and public APIs

See what goes into writing an effective mobile device security policy for the enterprise

Find out more about how crucial it is to inform users about mobile security

Dig Deeper on Mobile security threats and prevention