Over the weekend, security firm Palo Alto Networks detailed YiSpecter, a new iOS malware family that can infect non-jailbroken Apple devices by abusing enterprise certificates and private APIs. It originated in Taiwan and China and was distributed through several channels, including hijacked ISP traffic, an SNS (social networking) worm on Windows, and offline app installation.
Called YiSpecter, the malware can download, install, and launch apps; replace existing apps; inject advertisements into legitimate apps; change Safari's default search engine; and upload user information to remote servers.
A popup ad that was able to install YiSpecter on iOS devices
In response to the YiSpecter report, Apple released an official statement to The Loop explaining that YiSpecter only affects users running an older version of iOS who have also downloaded content from untrusted sources.
"This issue only impacts users on older versions of iOS who have also downloaded malware from untrusted sources. We addressed this specific issue in iOS 8.4 and we have also blocked the identified apps that distribute this malware. We encourage customers to stay current with the latest version of iOS for the latest security updates. We also encourage them to only download from trusted sources like the App Store and pay attention to any warnings as they download apps."
Apple says the specific issue was addressed in iOS 8.4, so iOS 8.4.1 and iOS 9 are not affected. Users who want to avoid being targeted by YiSpecter should upgrade to the latest version of iOS and, as always, should avoid installing apps from unverified sources.
Researchers from Palo Alto Networks (via The New York Times) have published a research paper on WireLurker, a new malware family that has been infecting both OS X and iOS systems over the past six months. The researchers say that WireLurker, which targets users in China, "heralds a new era in malware attacking Apple's desktop and mobile platforms."
The researchers describe WireLurker as the "biggest in scale" of the trojanized malware they have seen. It attacks iOS devices through an infected OS X machine over USB, can infect installed iOS applications in the way a traditional file-infecting virus does, and is the first malware observed installing third-party applications on non-jailbroken iOS devices "through enterprise provisioning."
So far, WireLurker has been found in 467 trojanized OS X apps on the Maiyadi App Store, a third-party Mac app store in China. Those apps have been downloaded 356,104 times, potentially infecting hundreds of thousands of users.
According to the researchers, WireLurker watches for iOS devices connected via USB to an infected Mac and installs malicious third-party applications onto them, whether or not the device is jailbroken.
WireLurker monitors any iOS device connected via USB with an infected OS X computer and installs downloaded third-party applications or automatically generated malicious applications onto the device, regardless of whether it is jailbroken. This is the reason we call it "wire lurker". Researchers have demonstrated similar methods to attack non-jailbroken devices before; however, this malware combines a number of techniques to successfully realize a new brand of threat to all iOS devices.
WireLurker exhibits complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to thwart anti-reversing. In this whitepaper, we explain how WireLurker is delivered, the details of its malware progression, and specifics on its operation.
Once installed, WireLurker can collect information from iOS devices such as contacts and iMessages, and it can request updates from the attackers. It is said to be under "active development" with an unclear "ultimate goal."
Palo Alto Networks offers several recommendations for avoiding apps infected with WireLurker, including running an antivirus product and enabling the OS X setting that restricts installation to apps from the Mac App Store (or the Mac App Store and identified developers), so that apps from unknown third parties cannot be installed. Users should not download and run Mac apps or games from third-party app stores, download sites, or other untrusted sources, and jailbreaking should be avoided.
Unknown enterprise provisioning profiles must be avoided as well, and users should not pair their iOS devices with unknown computers or charge them with chargers from untrusted or unknown sources.
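Both WireLurker and YiSpecter get onto non-jailbroken devices through enterprise provisioning, and the advice above is to avoid unknown enterprise profiles. The script below is an added example (not Palo Alto Networks' or Apple's code) showing how to tell, before installing an IPA, whether its embedded.mobileprovision is an enterprise (in-house) profile, an ad-hoc or development profile, or an App Store one. It relies on the documented layout of a .mobileprovision file: a CMS (PKCS#7) envelope whose cleartext payload is an XML property list, in which ProvisionsAllDevices=true marks an enterprise profile and a ProvisionedDevices UDID list marks ad-hoc or development. The sample profiles, team names, app IDs and dates are constructed for the demonstration.

```python
"""Inspect an iOS provisioning profile and flag enterprise (in-house) signing.

Added example; not Palo Alto Networks' or Apple's code. Assumptions: the
.mobileprovision is a CMS envelope with a cleartext XML plist payload;
ProvisionsAllDevices=true means enterprise, ProvisionedDevices means ad-hoc or
development (get-task-allow distinguishes them), neither means App Store.
"""
import datetime
import plistlib
import re
from typing import Any, Dict, Optional

# The plist sits uncompressed and unencrypted inside the DER envelope, so a
# regex finds it without a CMS parser. This does NOT verify Apple's signature
# on the profile; use `security cms -D -i embedded.mobileprovision` on OS X
# when the signature must be checked as well.
_PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_plist(raw: bytes) -> Dict[str, Any]:
    """Locate and decode the property list inside a .mobileprovision blob."""
    m = _PLIST_RE.search(raw)
    if m is None:
        raise ValueError("no XML property list found in profile data")
    return plistlib.loads(m.group(0))


def classify_profile(raw: bytes, now: Optional[datetime.datetime] = None) -> Dict[str, Any]:
    """Return the distribution type and the fields worth checking before trusting an app."""
    p = extract_plist(raw)
    entitlements = p.get("Entitlements", {})
    if p.get("ProvisionsAllDevices"):
        kind = "enterprise"  # installs on any device: the vector the article describes
    elif "ProvisionedDevices" in p:
        kind = "development" if entitlements.get("get-task-allow") else "adhoc"
    else:
        kind = "appstore"
    # plistlib returns naive UTC datetimes for <date> values; compare like with like.
    now = now or datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    expires = p.get("ExpirationDate")
    return {
        "kind": kind,
        "name": p.get("Name"),
        "team": p.get("TeamName"),
        "team_ids": list(p.get("TeamIdentifier", [])),
        "app_id": entitlements.get("application-identifier"),
        "device_count": len(p.get("ProvisionedDevices", [])),
        "expires": expires,
        "expired": bool(expires and expires < now),
        # An enterprise profile from anyone but your own organisation is the
        # case the advisory warns about, so surface it explicitly.
        "warn": kind == "enterprise",
    }


def build_sample_profile(fields: Dict[str, Any]) -> bytes:
    """Constructed fixture: a plist wrapped in filler bytes standing in for the CMS envelope."""
    return b"0\x82\x0c\x10\x06\t*\x86H\x86\xf7\r\x01\x07\x02" + plistlib.dumps(fields) + b"\xa0\x82\x05\x00"


# Constructed sample profiles; every value below is made up for the example.
SAMPLE_ENTERPRISE = build_sample_profile({
    "Name": "Example In-House Distribution",
    "TeamName": "Example Corp (constructed)",
    "TeamIdentifier": ["EXAMPLE123"],
    "ExpirationDate": datetime.datetime(2016, 10, 1),
    "ProvisionsAllDevices": True,
    "Entitlements": {"application-identifier": "EXAMPLE123.com.example.inhouse",
                     "get-task-allow": False},
})
SAMPLE_ADHOC = build_sample_profile({
    "Name": "Example Ad Hoc",
    "TeamName": "Example Corp (constructed)",
    "TeamIdentifier": ["EXAMPLE123"],
    "ExpirationDate": datetime.datetime(2016, 10, 1),
    "ProvisionedDevices": ["0000000000000000000000000000000000000000"] * 3,
    "Entitlements": {"application-identifier": "EXAMPLE123.com.example.adhoc",
                     "get-task-allow": False},
})
BEFORE_EXPIRY = datetime.datetime(2015, 10, 5)  # reference "now" for the samples
AFTER_EXPIRY = datetime.datetime(2016, 10, 2)


if __name__ == "__main__":
    import sys
    # Usage: python3 profilecheck.py Payload/App.app/embedded.mobileprovision
    if len(sys.argv) > 1:
        blobs = [(open(path, "rb").read(), None) for path in sys.argv[1:]]
    else:
        blobs = [(SAMPLE_ENTERPRISE, BEFORE_EXPIRY), (SAMPLE_ADHOC, BEFORE_EXPIRY)]
    for blob, ref in blobs:
        info = classify_profile(blob, now=ref)
        flag = "WARNING: enterprise-signed" if info["warn"] else "ok"
        print(f"{info['kind']:<11} {info['team']!s:<28} expired={info['expired']} {flag}")
```

On a real IPA, unzip it and point the script at Payload/<App>.app/embedded.mobileprovision; an "enterprise" result for an app that did not come from your own organisation is exactly the profile the recommendations say to refuse.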
Palo Alto Networks has notified Apple of the malware, but an Apple spokesperson declined to offer a comment.