back to article iOS malware YiSpecter: iPhones menaced by software nasty

The first iOS malware capable of attacking both non-jailbroken and jailbroken devices has surfaced online. The mobile malware nasty YiSpecter hooks into private APIs in iOS 8 to perform malicious actions, and has been in the wild for at least 10 months, mostly in China and Taiwan, since November 2014 if not earlier. YiSpecter …

  1. nsld
    Mushroom

    Joerg, oh Joerg wherefore art thou Joerg?

    Oh Joerg, someone is suggesting the Church of Jobs is less than secure, should you not be turning it upto 11 and attacking like a rabid hampster.

    This is clearly blasphemy and they should be burnt at the stake.........

  2. Haku

    Remember that film Elysium (2013)?

    This new Apple problem feels like some sort of sci-fi horror story where the upper echelon live in a heavily guarded 'bubble' where they can travel and do things completely free of any outside force doing bad things to them - until a monster breaks in and wreaks havoc because all the guards are on the outside.

    1. Dan 55 Silver badge

      Re: Remember that film Elysium (2013)?

      It's all gone to crap ever since Macs went over to x86. If only they'd stayed on POWER PC, they'd have been safer.

      1. Anonymous Coward
        Anonymous Coward

        Re: Remember that film Elysium (2013)?

        Dan55

        correct me if I'm wrong but isn't IOS (the topic here) ARM and not x86 ?

        1. Dan 55 Silver badge

          Re: Remember that film Elysium (2013)?

          Well I did try to make a link between Elysium and Apple.

          1. Destroy All Monsters Silver badge
            Paris Hilton

            Re: Remember that film Elysium (2013)?

            a link between Elysium and Apple

            I think ethereal chants and bright lights from above should be sufficient.

  3. tirk

    Fixed in iOS 9

    ...largely, at least. From the Paloalto Networks story:

    "Note that, in Apple’s just-released iOS 9, enterprise certificate security has been improved. Users now must manually set a related provisioning profile as “trusted” in Settings before they can install Enterprise provisioned apps."

    The majority of iOS devices are already upgraded to 9.

    (Any device can get malware on it if the software between the users ears isn't up to the job, of course)

    1. Velv Silver badge
      Headmaster

      Re: Fixed in iOS 9

      "The majority of iOS devices are already upgraded to 9."

      Well, not quite. Apple may have claimed >50% uptake, however that is only for iOS9 capable devices. There are hundreds of millions of devices out there for which Apple have not released a version of iOS9. (<=iPhone4, iPod Touch4, iPad1)

      1. tirk

        Re: Fixed in iOS 9

        @Velv

        Sorry, no - Apple claimed that 52% of all *active devices* were using iOS 9 a couple of weeks ago, not just of all applicable devices.

        http://tinyurl.com/p9xjrj6

    2. DougS Silver badge

      Re: Fixed in iOS 9

      This is good know - after the first story about malware using enterprise certificates I was thinking they needed to tighten up the protections on that since a certain group of people will just click "OK" if they're told to.

      I suppose even with this fix there are some who will follow instructions to go into settings and mark a particular profile as trusted if told to, but at some point it is no longer possible to protect people from themselves! You can have all the security policies in the world, but if someone is able to phone up the CEO's secretary claiming to be from IT and ask for his email password then they don't mean much.

      I wonder if Apple has the ability to revoke enterprise certificates? It isn't clear whether someone is using a legitimate corporation's enterprise certificate or obtaining one from Apple only to distribute malware. If its the latter revoking it would be no problem, if it is the former it could potentially cause a lot of problems for the enterprise - but maybe that would encourage enterprises to be guard them more closely.

    3. Mark 65 Silver badge

      Re: Fixed in iOS 9

      That's good to hear, but are we now any better protected from the 5-eyes Smurf suite of smartphone malware?

      1. DougS Silver badge

        Re: Fixed in iOS 9

        If nothing else, the constant stream of updates to iOS would handicap them, as even if they have an exploitable hole that they can use to install malware on your iPhone, it is likely to be erased when you upgrade iOS. Once they get it on an Android phone, it is more likely to live there forever as they might get an update or two when the phone is still new, but once you have your last update if they get malware on there it is probably there for the life of your phone.

  4. Anonymous Coward
    Anonymous Coward

    Heavy on doom and sensation, light on detail

    It's a lot of screeching and very few actual problems.

    1 - notice that the ENTIRE blog is about events in China & Taiwan, not here. But let's assume someone will use that code, well then ..

    2 - .. Apple's security model has not actually been breached - this uses the Enterprise application install which means you must install the profile for this first. Despite all the effort to make it sound like a drive-by infection, it is certainly not as it requires the user to accept the installation of a certificate, something that's even harder to do in iOS9. Naturally, that was buried deep down in the article or the sensationalism would not work:

    There is one disadvantage to using this method for installation compared to the official App Store: when these apps are executed for the first time iOS displays a dialog to notify the user that the apps are from a specific developer (Figure 13). However, many iOS users may simple click “Continue” and not be aware of the security implications of their choice.

    It's worth keeping up with updates: Note that, in Apple’s just-released iOS 9, enterprise certificate security has been improved. Users now must manually set a related provisioning profile as “trusted” in Settings before they can install Enterprise provisioned apps.

    So, is the sky falling? Nope. Are there infected Apps in the App store? Well, no, they are provided from elsewhere. The only thing an iOS user could wish for for extra security is a way to simply block the installation of Enterprise certs, but about the only proper takeaway from this story is that you have to be very wary in China and Taiwan of your connections, and not say "yes" to any strange popup. The latter is something you ought to know already...

    1. Dan 55 Silver badge
      Meh

      Re: Heavy on doom and sensation, light on detail

      Also worth adding that this gets on the iDevice by "third party app stores" which abuse enterprise certificates and sideload via USB. So, yes, YiSpecter bypasses App Store reviews by bypassing the App Store.

      I imagine quite a few iPhones are safe. Practically all of them outside those countries where people routinely use dodgy app stores.

      1. Anonymous Coward
        Anonymous Coward

        Re: Heavy on doom and sensation, light on detail

        Have to love Apple loyalty.

        Recent events have shown that well organised individuals / criminal gangs / foreign governments are actively targetting iOS devices, with varying degrees of success, and using different attack vectors. This latest attack has, apparently, been in the wild for months without detection, and the recent Xcode shambles resulted in thousands of malware-ridden apps cruising past Apple's legendary App Store police without detection, relying on a developer to notice something strange with an app they were developing.

        Still, it's all OK. It's in China, it's easily fixed in iOS 9.x, Apple will release a fix really quick, much quicker than Google ever could.

        Nothing like relying on a quick cure than worrying about the cause, eh?

        Wake up, Apple is a target and is being breached. These recent attacks are ones that have been identified, how many more are there? Can you really be sure that the apps you get from the App Store are safe? If it takes 10 months to find an attack, how much info could have been stolen in that time?

        1. Naselus

          Re: Heavy on doom and sensation, light on detail

          "Wake up, Apple is a target and is being breached."

          Have an upvote for sanity, to balance out the hundreds of downvotes you'll get for implying Apple aren't perfect.

          Apple's approach to security assumes they're smarter than the enemy. That's exactly not how security professionals are taught. Always presume there's someone brighter than you who can crack anything you build.

          1. asdf Silver badge

            Re: Heavy on doom and sensation, light on detail

            >"Wake up, Apple is a target and is being breached."

            Still less than its only viable competitor which sucks all around. If only BB and Microsoft weren't hell bent on failing.

            1. This post has been deleted by its author

              1. Anonymous Coward
                Anonymous Coward

                Re: Heavy on doom and sensation, light on detail

                >people for whom convenience is more important than security.

                Convenience like non butt ugly phones or a phone OS not years behind until it was too late?

        2. Fred Flintstone Gold badge

          Re: Heavy on doom and sensation, light on detail

          the recent Xcode shambles resulted in thousands of malware-ridden apps cruising past Apple's legendary App Store police without detection, relying on a developer to notice something strange with an app they were developing.

          I think that did unearth a pretty serious problem with the App Store security: it didn't pick up that apps were compiled with an Xcode that was altered. Admittedly, I have no idea how they would have picked his up, and I hope they find a way, but to me it suggests that some of this checking relies on dangerous or at least flawed assumptions. That needs looking into IMHO - I doubt it'll be the last time that someone starts with questionable fundamentals, and that may not be by accident either.

        3. Anonymous Coward
          Anonymous Coward

          Re: Heavy on doom and sensation, light on detail

          @ "Have to love Apple loyalty."

          There is truly no telling some people.

          Present the facts and they'll ignore them, twist them, add some bollocks and regurgitate nonsense, then people will upvote the comment even though it's built in nonsense.

          The exploit involves the user deliberately accepting enterprise certificates to then install dodgy software from dodgy sources. It's not like apple software hasn't got safeguards to make it awkward for users to install malware laden apps from non Apple stores.

        4. PC1512

          Re: Heavy on doom and sensation, light on detail

          Oh give over. I've been listening to people like you making dire warnings about Apple "becoming" a target for many years now. You know what? Apple has always been a target. Certainly since the first iPhone launched, they've had a significant user base which is extremely attractive to the malware vendors. The question is not whether they are being targeted but how many of these attacks are actually effective or on target, and the truth you need to accept is precious few.

          Like it or not, this "attack" is just another case of Apple's defences working perfectly, for the vast majority of users. As soon as you read between the shouty headlines and smug panic mongering, the truth of the matter is quite apparent - unless you deliberately and knowingly chose to install software from outside the App Store, your phone is perfectly safe. Nothing has been bypassed here, there is no exploit, no weakness in iOS, the only problem is users being tricked into doing something stupid. The only possible "fix" for that, making it harder for them to do that stupid thing, has already been enacted in iOS 9 - an update which, in stark contrast to other mobile platforms, has already been pushed directly to those same users.

          But it's ok, you keep on bleating about every tabloid headline you read, ignore the crucial facts in these stories, and then call the other guys sheep...

          1. Anonymous Coward
            Anonymous Coward

            Re: Heavy on doom and sensation, light on detail

            You know what? Apple has always been a target. Certainly since the first iPhone launched, they've had a significant user base which is extremely attractive to the malware vendors.

            Couldn't have said it better myself. The very fact that the kit is expensive is a self-select for criminals because it means there is money to be had, and the volume is big enough to make it worth it. I suspect Apple knows this too - getting it relatively safe is quite an investment to make.

    2. Anonymous Coward
      Anonymous Coward

      Re: Heavy on doom and sensation, light on detail

      notice that the ENTIRE blog is about events in China & Taiwan, not here

      Where is here? Are you assuming everyone lives where you or that apps on the internet are more regionalised than they actually are?

  5. Dan 10

    Geordie Bond Fan

    Am I the only one pronouncing that as "Why-aye Specter"?!

  6. J J Carter Silver badge
    Big Brother

    Siri must now be regarded as a fifth-columnist

  7. Fitz_

    Sorry to rain on El Reg's daily Two Minutes Apple-Hate

    ...but this issue was fixed in iOS 8.4.

  8. Your alien overlord - fear me

    Pity these private APIs weren't openly published. I'm sure there are a lot of legit programmers who would like to sell their app without paying AppleTax.

  9. Mike Bell

    Since Apple don't talk directly to El Reg,

    one has to look elsewhere to find an official response...

    "This issue only impacts users on older versions of iOS who have also downloaded malware from untrusted sources. We addressed this specific issue in iOS 8.4 and we have also blocked the identified apps that distribute this malware. We encourage customers to stay current with the latest version of iOS for the latest security updates. We also encourage them to only download from trusted sources like the App Store and pay attention to any warnings as they download apps."

  10. Swordmaker

    This claim is FUD as Apple has already closed the vulnerability

    Apple announced yesterday that all versions of iOS since the update to iOS 8.4 which was released on June 30, 2015 are immune to YiSpecter. The immune versions include all devices with iOS 8.4.1, iOS 9, 9.0.1, and iOS 9.0.2 installed. . . so if you are a user with those iOS versions installed, there is nothing to worry about.

    To get infected you have to be using an iPhone or iPad using a version of iOS 8.3 or older and then download an app from a NON-Authorized source (an un-authorized App Store or website), ignoring the warnings, and allow it to install. These are basically side-loaded using Enterprise Business Certificated apps which were intended to allow businesses to install and update their private proprietary apps on employees' devices.

    This is something that has been a practice and a problem in China for a number of years and has fostered a number of third-party unauthorized app stores selling un-authorized apps, mostly to jailbroken iPhones using borrowed or stolen Enterprise certificates. Last year almost 65% of the apps on these stores had some kind of malware associated with them. . . These side-load stores were also the source of the over 4000 XcodeGhost apps that were falsely attributed to being in the Chinese Apple Store when there were actually fewer than fifty.

  11. WereWoof

    A Geordie creation?

    YiSpecter - Why Aye Man!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019