Posted by: David Harley | October 6, 2015

YiSpecter: Drop your iPhone, Mr Bond*


Claud Xiao responded to my (very mild) criticism in the original article below, making several points I think are well worth making.

In the past 5 years, there were over 10 malware, adware or PoCs that could affect non-jailbroken iOS devices. Except for some PoCs, all the others were developed using public iOS APIs. This means that what they can do (and what they did) is predictable in some ways and is managed by the system. For example, the famous FindAndCall collected contacts’ phone numbers and sent them to its C2 server for further abuse; the recent scammer Oneclickfraud displayed a page asking you to purchase.

Compared with them, the primary difference in YiSpecter is that it abused private APIs to implement some unexpected functionalities. For example, it can hijack the launching of other apps to display ads. Actually, compared with this malware itself, I care more about how this technique can be and will be used by others in the future. According to some academic works (referred to in the report), an app can perform a great many sensitive operations this way, and the App Store’s review of this is still not strict enough. Most people may have thought that malware, adware or PUPs can’t really harm an infected non-jb iOS device. But since YiSpecter, the rules have changed. This is exactly what I mean by its being “different”.

Thanks for your clarification, Claud!


Here’s more excellent analysis from Claud Xiao for Palo Alto, this time on the YiSpecter malware: YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs.

The title and the article are slightly misleading in that Xiao states that:

‘YiSpecter is different from previously seen iOS malware in that it attacks both jailbroken and non-jailbroken iOS devices through unique and harmful malicious behaviors.’

In fact, as Axelle Apvrille pointed out for Fortinet last year – in an article called iOS Malware Does Exist – malware that can affect non-jailbroken devices was already known. Still, those examples look fairly puny compared to the impact that YiSpecter has had.

Articles that also refer:


David Harley
