Yispecter iOS malware infects devices that aren't jailbroken

iOS malware is nothing new, but for the most part, if your device wasn't jailbroken you really didn't have to worry about malware much. That has now changed with a new malware called Yispecter that has been discovered that attacks non-jailbroken iOS devices. The malware is the first seen that abuses private APIs in iOS to implement its malicious functionality.

Yispecter is affecting mostly iOS users that live in China and Taiwan for now and is spread via hijacking of traffic from ISPs, an SNS worm on Windows, and offline app installation and community promotion. The malware has been around for ten months but only one of the security vendors is able to detect the malware right now.

There are four components to Yispecter signed by different enterprise certificates. Those components download and install each other from a command and control server and hide their icons from iOS SpringBoard. That malicious behavior prevents the user from finding the apps and uninstalling them. Malware components also use the same names and logos of Apple system apps to avoid detection by power users of iOS.

The malware is able to download and launch iOS apps and replace existing apps with ones it downloads. It can also hijack the execution to display ability of other apps, change the default search engine in Safari, and upload device information to the C2 server.

Yispecter will automatically reappear when deleted and in some cases when an app is opened a full screen advertisement shows up. The malware can be removed manually if your device is infected by following the prevention and removal steps at the source below.

Update: It's worth noting that iOS 9 fixes the security hole, so anybody on iOS 8.3 or earlier is advised to update. Meanwhile, as long as you keep your downloading to just official App Store titles you should be fine; the malware is distributed through third-party sources.

SOURCE: Palo Alto Networks