[Update]
Claud Xiao responded to my (very mild) criticism in the original article below, making several points I think are well worth making.
In the past 5 years, there were over 10 malware, adware or PoCs that could affect non-jailbroken iOS devices. Except for some PoCs, all the others were developed with public iOS APIs. This means that what they can do (and what they did) is predictable in some ways and is managed by the system. For example, the famous FindAndCall collected contacts’ phone numbers and sent them to its C2 server for further abuse; the recent scammer Oneclickfraud displayed a page asking you to purchase.
Compared with them, the primary difference in YiSpecter is that it abused private APIs to implement some unexpected functionality. For example, it can hijack the launching of other apps to display ads. Actually, compared with this malware itself, I care more about how this technique can be and will be used by others in the future. According to some academic works (referred to in the report), an app can do pretty much any sensitive operation this way, and the App Store’s review of it is still not strict enough. Most people may have thought that malware, adware or PUPs can’t really harm infected non-jailbroken iOS devices. But since YiSpecter, the rules have changed. This is exactly what I mean by its being “different”.
Thanks for your clarification, Claud!
Here’s more excellent analysis from Claud Xiao for Palo Alto, this time on the YiSpecter malware: YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs.
The title and the article are slightly misleading in that Xiao states that:
‘YiSpecter is different from previously seen iOS malware in that it attacks both jailbroken and non-jailbroken iOS devices through unique and harmful malicious behaviors.’
In fact, as was pointed out for Fortinet last year – in an article called iOS Malware Does Exist – malware that can affect non-jailbroken devices was already known. Still, those examples look fairly puny compared to the impact that YiSpecter has had.
Articles that also refer to YiSpecter:
- John Leyden for The Register: iOS malware YiSpecter: iPhones menaced by software nasty – World where only jailbroken iThings were vulnerable is ‘thing of the past’
- Graham Cluley for Intego: YiSpecter malware attacks iPhones and iPads to serve up ads
- Graham Cluley for his own blog: YiSpecter iPhone malware won’t spook you if you’ve kept iOS updated, says Apple
- Richi Jennings for Computerworld
David Harley