Until recently, iOS device users have had a relatively quiet ride on their mobile computing journey, particularly compared to their Android-owning counterparts. Apart from the odd threat popping up here and there, there’s not much to speak of in terms of major malware issues for iOS. But this status quo is starting to change.
This year, Symantec has seen an uptick in threats hitting the iOS platform. YiSpecter (IOS.Specter) is the latest piece of malware that continues the trend of increasing attacks against iOS devices. The malware is designed to target Chinese speakers and has affected East Asia, particularly China and Taiwan. We understand that the threat is being distributed through alternative app stores, hijacked internet service provider (ISP) traffic redirecting users to download YiSpecter, forum posts, and social media.
YiSpecter is a Trojan horse for both jailbroken and non-jailbroken iOS devices. It is designed to perform a range of functions, but essentially provides the basis for a back door onto the compromised device and installs adware. The Trojan can allow an attacker to perform actions such as uninstalling existing apps, downloading and installing new fraudulent apps, displaying advertising in other apps that are installed on the device, and much more.
Abusing enterprise certificates to target non-jailbroken devices
YiSpecter is an iOS threat that takes advantage of the enterprise app provisioning framework. In legitimate uses of the framework, businesses can use enterprise certificates to provide private apps to their own workforce without making them publicly available on the official App Store. Apps built and signed with these certificates do not need to be vetted by Apple before being distributed outside of the App Store. This gives the certificate owner more scope to develop apps with features that would otherwise be rejected by Apple.
The malware creator used iOS enterprise certificates to package and sign their threat. They could have gained access to the certs in a few ways:
- Registering with Apple as an enterprise, paying the necessary fees, and going through the vetting procedure
- Stealing the cert from an existing registered developer
- Partnering with a registered developer
Once YiSpecter’s creators have the enterprise certificate, they are in a position to create and distribute their apps to potentially any iOS device without further oversight from Apple. It should be noted that if Apple learns of the misuse of an enterprise certificate, the company could instantly revoke the cert and render the signed apps useless.
A common feature of enterprise-signed apps is that they can generally only be installed after the user accepts the request to trust the app or developer. From past experience, Symantec knows that asking the user whether they trust an app or developer is rarely an effective security measure, but it is still a line of defense that needs to be crossed before the malware can be installed.
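The following Python script is an added illustration, not code from the original Symantec post. It shows how a defender can triage the embedded.mobileprovision file inside an IPA to tell an enterprise (in-house) profile, which installs on any device with no App Store review, apart from ad-hoc, development and App Store profiles, and to surface the signals a reviewer cares about (team, wildcard app ID, expiry). The sample profile bytes are constructed for this example; the team name, team ID, UUID and device ID are placeholders, and the CMS signature that wraps a real profile is not verified here.

```python
"""Triage an iOS provisioning profile (embedded.mobileprovision) from an IPA.

Added example: a real profile is a CMS (PKCS#7) signed blob whose payload is
an XML plist. The plist sits in the DER bytes as plain text, so this helper
slices it out between '<?xml' and '</plist>' instead of decoding CMS; the
signature over it is NOT verified here.
"""
import plistlib
from datetime import datetime, timezone

PLIST_START = b"<?xml"
PLIST_END = b"</plist>"


def extract_plist(blob: bytes) -> dict:
    """Return the plist payload embedded in a .mobileprovision blob."""
    start = blob.find(PLIST_START)
    if start == -1:
        raise ValueError("no XML plist found in profile")
    end = blob.find(PLIST_END, start)
    if end == -1:
        raise ValueError("truncated plist in profile")
    return plistlib.loads(blob[start:end + len(PLIST_END)])


def classify_profile(profile: dict) -> dict:
    """Summarise the distribution type and the signals a reviewer looks at."""
    entitlements = profile.get("Entitlements", {})
    app_id = entitlements.get("application-identifier", "")

    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"    # in-house profile: installs on any device, no App Store review
    elif "ProvisionedDevices" in profile:
        kind = "development" if entitlements.get("get-task-allow") else "ad-hoc"
    else:
        kind = "app-store"     # neither flag: only valid when installed via the App Store

    # plistlib returns <date> values as naive datetimes in UTC
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    expiry = profile.get("ExpirationDate")
    return {
        "kind": kind,
        "team": profile.get("TeamName"),
        "team_id": (profile.get("TeamIdentifier") or [None])[0],
        "app_id": app_id,
        "wildcard_app_id": app_id.endswith(".*"),
        "expired": bool(expiry is not None and expiry < now),
        "device_count": len(profile.get("ProvisionedDevices", [])),
    }


def triage(blob: bytes) -> dict:
    return classify_profile(extract_plist(blob))


def build_sample_profile(enterprise: bool, expired: bool = False) -> bytes:
    """CONSTRUCTED sample for this example; team, UUID and device ID are placeholders."""
    plist = {
        "AppIDName": "Example In-House App",
        "ApplicationIdentifierPrefix": ["TEAMID0000"],
        "CreationDate": datetime(2015, 9, 1),
        "ExpirationDate": datetime(2015, 9, 2) if expired else datetime(2099, 1, 1),
        "Name": "Example Distribution Profile",
        "TeamIdentifier": ["TEAMID0000"],
        "TeamName": "Example Corp (placeholder)",
        "UUID": "00000000-0000-4000-8000-000000000000",
        "Version": 1,
        "Entitlements": {
            "application-identifier": "TEAMID0000.*",
            "com.apple.developer.team-identifier": "TEAMID0000",
            "get-task-allow": False,
        },
    }
    if enterprise:
        plist["ProvisionsAllDevices"] = True
    else:
        plist["ProvisionedDevices"] = ["0" * 40]   # placeholder UDID for an ad-hoc profile
    xml = plistlib.dumps(plist)
    # Crude stand-in for the DER/CMS envelope that surrounds the plist in a real file
    return b"\x30\x82\x00\x00" + xml + b"\x00" * 8


if __name__ == "__main__":
    for label, blob in [("enterprise", build_sample_profile(True)),
                        ("ad-hoc, expired", build_sample_profile(False, expired=True))]:
        print(label, "->", triage(blob))
```

On a real IPA, unzip it and point extract_plist at Payload/<App>.app/embedded.mobileprovision. A "kind" of "enterprise" on an app that did not come from the company's own approved app library, especially with a wildcard app ID, is exactly the situation the post describes; note that a revoked certificate is not visible in the profile itself, so the DeveloperCertificates entries still need to be checked against Apple's revocation status.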
Invoking private APIs
YiSpecter can carry out a lot of advanced functionality because it uses Apple’s own private APIs to perform activities that standard iOS apps can’t. These APIs are designed to allow Apple’s apps to carry out a range of system-level actions. iOS developers are not supposed to use these APIs in their apps.
Any third-party apps that use these private APIs are rejected from inclusion on the Apple App Store. YiSpecter ignores the official App Store, instead relying on unofficial distribution channels to spread the malware. As a result, the threat can take advantage of the private APIs for its own purposes.
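As an added example (not from the original post), here is a simple string-level heuristic for spotting private-framework references in an app binary, the kind of check a mobile security team can run over a sideloaded IPA in the absence of App Store review. It scans for the /System/Library/PrivateFrameworks/ load path rather than parsing Mach-O load commands; the sample binary bytes and the ExamplePrivate framework name are constructed placeholders.

```python
"""String-level heuristic for private-framework references in an iOS app binary.

Added example: dylib load paths (LC_LOAD_DYLIB) are stored in a Mach-O as
NUL-terminated C strings, so a scan for the /System/Library/PrivateFrameworks/
prefix reveals linked private frameworks without a full Mach-O parser.
"""
import re

PRIVATE_PREFIX = "/System/Library/PrivateFrameworks/"
PUBLIC_PREFIX = "/System/Library/Frameworks/"

# Runs of printable ASCII terminated by NUL, as C strings appear on disk
_CSTRING = re.compile(rb"[\x20-\x7e]{8,}\x00")


def extract_strings(binary: bytes) -> list:
    """Return the NUL-terminated printable strings found in the binary."""
    return [m.group(0)[:-1].decode("ascii") for m in _CSTRING.finditer(binary)]


def framework_references(binary: bytes) -> dict:
    """Group linked frameworks by whether they live under PrivateFrameworks."""
    private, public = set(), set()
    for s in extract_strings(binary):
        if s.startswith(PRIVATE_PREFIX):
            name = s.split("/")[4]   # .../PrivateFrameworks/<Name>.framework/<Name>
            if name:
                private.add(name)
        elif s.startswith(PUBLIC_PREFIX):
            name = s.split("/")[4]
            if name:
                public.add(name)
    return {"private": sorted(private), "public": sorted(public)}


def links_private_frameworks(binary: bytes) -> bool:
    return bool(framework_references(binary)["private"])


def build_sample_binary(use_private: bool) -> bytes:
    """CONSTRUCTED stand-in for a Mach-O's string data; not a loadable binary."""
    parts = [
        b"\xcf\xfa\xed\xfe",                    # MH_MAGIC_64 as stored on disk, flavour only
        b"/usr/lib/libSystem.B.dylib\x00",
        b"/System/Library/Frameworks/UIKit.framework/UIKit\x00",
        b"/System/Library/Frameworks/Foundation.framework/Foundation\x00",
        b"applicationDidFinishLaunching:\x00",  # an ordinary ObjC selector name
    ]
    if use_private:
        # placeholder framework name; the check keys on the path prefix, not the name
        parts.append(b"/System/Library/PrivateFrameworks/ExamplePrivate.framework/ExamplePrivate\x00")
    return b"".join(parts) + b"\x00" * 16


if __name__ == "__main__":
    for flag in (False, True):
        print(framework_references(build_sample_binary(flag)))
```

Two caveats a practitioner should keep in mind. The scan only works on an unencrypted binary: App Store builds are FairPlay-encrypted, while enterprise-distributed apps like the ones described here are not, which is precisely why this check is worth running on sideloaded IPAs. And a clean result is not proof of absence, since an app can resolve private symbols at run time rather than linking them, so this heuristic is a first pass before proper Mach-O load-command and Objective-C selector analysis.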
Invoking the private APIs in iOS is not a new idea, but it was not something that we had seen before in iOS malware. Similarly, the abuse of enterprise provisioning is a well-known problem dating back a number of years.
What YiSpecter has demonstrated is that when these two techniques are combined, the potential for misuse is high. Now that the combination of these techniques has been proven, we may yet see copycat threats in the future.
iOS device owners are advised not to download and install apps from untrusted sources. Instead, they should only download apps from the official App Store or from their company’s own approved app library.
We also recommend that iOS users avoid jailbreaking their devices. This practice violates the terms of the iOS license agreement and puts the device at an increased risk of attack.
Users should ensure that the device’s operating system and software are up to date with the latest patches.
Symantec has listed top tips on how to better secure your iOS device from attacks.