This post is also available in: 日本語 (Japanese)
We recently identified a new Apple iOS malware and named it YiSpecter. YiSpecter is different from previously seen iOS malware in that it attacks both jailbroken and non-jailbroken iOS devices through unique and harmful malicious behaviors. Specifically, it’s the first malware we’ve seen in the wild that abuses private APIs in the iOS system to implement malicious functionalities.
So far, the malware primarily affects iOS users in mainland China and Taiwan. It spreads via unusual means, including the hijacking of traffic from nationwide ISPs, an SNS worm on Windows, and an offline app installation and community promotion. Many victims have discussed YiSpecter infections of their jailbroken and non-jailbroken iPhones in online forums and have reported the activity to Apple. The malware has been in the wild for over 10 months, but out of 57 security vendors in VirusTotal, only one is detecting the malware at the time of this writing.
YiSpecter consists of four different components that are signed with enterprise certificates. By abusing private APIs, these components download and install each other from a command and control (C2) server. Three of the malicious components use tricks to hide their icons from iOS’s SpringBoard, which prevents the user from finding and deleting them. The components also use the same name and logos of system apps to trick iOS power users.
On infected iOS devices, YiSpecter can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information to the C2 server. According to victims’ reports, all these behaviors have been exhibited in YiSpecter attacks in the past few months. Some other characteristics about this malware include:
- Whether an iPhone is jailbroken or not, the malware can be successfully downloaded and installed
- Even if you manually delete the malware, it will automatically re-appear
- Using third-party tools you can find some strange additional “system apps” on infected phones
- On infected phones, in some cases when the user opens a normal app, a full screen advertisement will show
YiSpecter is the latest in a line of significant malware families to target iOS devices. Previously, the malware WireLurker demonstrated the ability to infected non-jailbroken iOS devices by abusing enterprise certificates, and academic researchers have discussed how private APIs can be used to implement sensitive functionalities in iOS. However, YiSpecter is the first real world iOS malware that combines these two attack techniques and causes harm to a wider range of users. It pushes the line barrier of iOS security back another step.
Moreover, recent research shows that over 100 apps in the App Store have abused private APIs and bypassed Apple’s strict code review. What that means is the attacking technique of abusing private APIs can also be used separately and can affect all normal iOS users who only download apps from the App Store.
Palo Alto Networks has released IPS and DNS signatures to block YiSpecter’s malicious traffic. This blog also contains suggestions for how other users can manually remove YiSpecter and avoid potential similar attacks in the future. Apple has also been notified.
On February 7, 2015, Qihoo 360 and Cheetah Mobile, two security companies in China, posted analysis reports separately about a Windows worm named “Lingdun(灵顿)”. The Lingdun worm hijacked victims’ QQ sessions (a popular IM program produced by Tencent) and sent malicious links to their QQ contacts. According to those reports, if a user clicked the malicious links using Android or iOS devices, an Android Adware or an iOS Adware would be installed. Qihoo 360 and Cheetah Mobile found the installed apps’ main behavior is to prompt other mobile apps and classify them as Android and iOS variants of the Lingdun worm.
Figure 1. Access Lingdun's webpage with an iPhone will infect the device with YiSpecter
After further investigation, however, we think their analysis is incomplete and has led to an incorrect conclusion. The iOS app spread by Lingdun and the malicious components it installs have different developers, different Command and Control (C2) servers, different purposes, and different code signing certificates. Therefore, we don’t believe them to be variants of the Lingdun worm but instead separate malware using the Lingdun worm to spread. Additionally, we found these iOS apps have many more malicious functions than previous disclosed. Hence we do not refer to this malware family as Lingdun and have given it the new name YiSpecter.
Qihoo 360 and Cheetah Mobile didn’t share samples of YiSpecter with the security community nor did they disclose file hash values we could use to identify their samples. As a result, until now, no other security vendor has detected YiSpecter as malware.
In the course of our investigation, we found 23 samples of YiSpecter were submitted to VirusTotal from different countries between November 2014 and August 2015. Except for Qihoo, the 56 antivirus engines included in VirusTotal didn’t detect these files (as shown in Figure 2). Qihoo’s detection result uses the meaningless name “virus.ios.hidden”. It is also worth noting that all of these samples belong to YiSpecter’s main apps, and its three additional malicious components were not uploaded to VirusTotal until we published this report. All of these samples are listed at the end of this report.
Figure 2. YiSpecter is not detected by nearly all AntiVirus programs
Uncommon Spreading Methods
YiSpecter began to spread in the wild in November 2014, if not earlier. The main iOS apps of this malware have user interface and functionality that enable the watching of free porn videos online, and were advertised as “private version” or “version 5.0” of a famous media player “QVOD”. QVOD was developed by Kuaibo(快播) and became popular in China by users who share porn videos. Kuaibo was investigated by a local police department in April 2014 and at the same time their online video playing service was terminated. After that event, the attackers behind YiSpecter began to claim their app as an alternative QVOD to attract users into installing their software.
So far we have identified four different mechanisms YiSpecter uses to infect phones.
Internet Traffic Hijacking
Many users based in mainland China and Taiwan have discussed their infections by YiSpecter online (we will introduce these discussions in next section.) From their discussions and reports, we found that more than half of the infections came from pop-up dialogs displayed when browsing famous news websites.
For example, Figure 3 shows a screenshot posted to Apple’s official support community. It shows that when the author was browsing ITHome.com, an abnormal pop-up dialog asked him to install a “QVOD Private Version” player to “watch special movies”.
Figure 3. Ads and pop-up dialog were injected into normal Internet traffic
Based on the user’s discussions, we found the problem only occurred when they were using WiFi networks in their homes; mobile networks and office networks didn’t appear to be affected. Some non-jailbroken iPhone users tried to clear cookies, reset iOS, change their iCloud accounts, and block pop-ups in Safari, but these operations didn’t resolve the problem. However, if they used a third party mobile browser with built-in proxy functionality to access the same webpage, the advertisements disappeared. One user even called his ISP’s service phone number to complain and the problem was resolved – these advertisements never appeared again. Based on this information, we believe that ISP’s traffic hijacking was used to spread the malware in these cases, and not a malicious third party.
According to analysis reports by Qihoo 360 and Cheetah Mobile, YiSpecter was also spread by the Lingdun worm.
Lingdun uses fake VeriSign and Symantec certificates to bypass malware detection systems. Its primary goal is to download and to install additional Windows software onto a PC. Most of this additional software is benign but at least one installation was malicious. The malware fetches the current user’s QQ authorization token by accessing Tencent’s unified login interface, then acquires a key to access all QQ services. Specifically, it will access the QQ Discussion Group’s file sharing interface to upload malicious HTML files. These HTML files have names including pornographic and sexually suggestive words and will be shared with all other QQ users in the same discussion group.
Figure 4. A malicious webpage uploaded by Lingdun worm
If other QQ users access these malicious HTML files, the webpage will determine their devices’ type by User-Agent value and distinguish Windows, Linux, Android, iOS (including iPhone and iPad), and Windows Phone. If the device is Android, the session will be redirected to download an Android Adware that prompts the user to install other porn apps. If the device is an iPhone or iPad, the session will be redirected to download the YiSpecter malware (Figure 1).
We listed hash values of all public available samples of Lingdun worm at the end of this article.
Offline App Installation
During our investigation, we found that the main YiSpecter apps were also published on multiple underground app distribution websites (Figure 5).
In an underground or “gray” mobile app ecosystem, mobile app developers (including malware authors) will post tasks of distributing their apps to these kinds of websites. Distributors will then accept these tasks, and install the apps on other users phones to earn a promotion fee from developers. For example, some third-party mobile phone retailers and maintenance suppliers will install apps on any mobile phone they can access; and mobile malware developers also install apps to earn income from devices they have infected.
Figure 5. YiSpecter apps were listed in underground app distribution websites
From one of these websites (Figure 5), we see that many tasks to distribute YiSpecter were created in May 2015 and July 2015. The promotion fee for one installation is between 1.80 and 2.50 RMB (about US $0.30 to $0.40.) These tasks’ descriptions also showed that the YiSpecter apps have a backend system to automatically track installations, thus distributors do not need to provide screenshots to prove their successful infections.
We also found that YiSpecter’s author tried to directly promote their malicious apps on social networks and in public communities. For example, in a popular Chinese online forum, we found a user posted an article in January 2015 recommending the YiSpecter apps as good replacement for QVOD player. The user’s account name is “HaoYi Apple Helper(好易苹果助手)”, which is exactly the name of another product YiSpecter’s author developed. We will describe YiSpecter’s author in more detail in later sections.
Figure 6. YiSpecter's author recommends the app in public forum
Attacks and Victims
While analyzing YiSpecter’s code, we searched for keywords related to its distribution channels and user interface in Google, and found many victims from mainland China and Taiwan discussing their infections in online forums and social networks including Zhihu, Douban, Weiphone, CocoaChina, Baidu Zhidao and Mobile01.
For example, one malicious component in YiSpecter shows an interface containing the words “Cydia is detecting and protecting” in Chinese (Figure 25). Google showed about 2,580 results by searching for this Chinese sentence (Figure 7).
Figure 7. Search for YiSpecter's user interface keyword
Based on these search results, we found some interesting facts about the malware:
- Whether an iPhone is jailbroken or not, the malware can be successfully downloaded and installed
- Even if you manually delete the malware, it will automatically re-appear (Figure 8)
- Using third-party tools you can find some strange additional “system apps” on infected phones
- On infected phones, in some cases when the user opens a normal app, a full screen advertisement will show
We explain the details of how this happens in the malicious behaviors analysis section below.
Figure 8. Taiwanese victim writes that the malware reappeared aafter deleting
YiSpecter Components and C2 Server
YiSpecter consists of four different components: various main apps that are distributed through the means described earlier, and three different malicious apps that are installed by these main apps. All samples analyzed and discussed in previous research are the various main apps, while the three malicious apps have not been revealed before.
As far as we know, there are at least two main apps distributed in the wild thus far:
- HYQvod (bundle id: weiying.Wvod)
- DaPian (bundle id: weiying.DaPian)
Both of them were spread by one or more of the multiple ways described earlier. They include the functionality of watching videos online by consuming credits and users can get credits by installing additional iOS apps it promotes (Figure 9). But most important, it will download and install another malicious app we have named NoIcon.
Figure 9. Main app ask users install other iOS apps to earn credits
NoIcon (bundle id: com.weiying.hiddenIconLaunch) is the main malicious component of YiSpecter. It takes the following actions on an infected device:
- Connect to the command and control server using HTTP
- Upload basic device information
- Retrieve and execute remote commands
- Change the iOS default Safari configuration
- Silently install two additional malicious apps “ADPage” and “NoIconUpdate”
- Monitor other installed applications and hijack their launch routine to use “ADPage” to display advertisements
Additionally, NoIcon can be remotely controlled to download and install arbitrary iOS apps from the C2 server or uninstall any existing apps in iOS system.
ADPage (bundle id: com.weiying.ad) is responsible for displaying advertisements when NoIcon hijacks the execution of legitimate apps.
NoIconUpdate (bundle id: com.weiying.noiconupdate) regularly checks for other components’ existence, connects with the C2 server and report its installation information. It also checks for updated versions of the malware and installs them.
YiSpecter uses “bb800.com” as its C2 server’s domain name. In VirusTotal, there are 38 records of subdomains under this domain name. Sixteen of them have been used by Android Adware for years, e.g., ad.bb800[.]com and down.bb800[.]com. Another subdomain, ty1.bb800[.]com, was used by a Windows virus Almanahe.B.
YiSpecter uses these subdomains:
- iosnoico.bb800[.]com: used to upload information, download configs and commands, download malicious components (Figure 10)
- qvod.bb800[.]com: used to download main app
- qvios.od.bb800[.]com: used to download main app
- dp.bb800[.]com: used to download promoted iOS apps
- iosads.cdn.bb800[.]com: used to download promoted iOS apps and malicious components
Note that the main C2 subdomain, iosnoico.bb800[.]com, is not observed in VirusTotal and also has no results in Google searches.
Figure 10. C2 server access logs in cache in a victim's iPhone
In some online articles, YiSpecter’s author posted URLs like “https://qvod.bb800[.]com/itms-services/jx152” for readers to download its main apps. When accessing these URLs from iPhone or iPad, victims are redirected to URLs like “itms-services://?action=download-manifest&url=https://qvod.bb800.com/assets/upload/3794.plist”. Here “itms-services://” is a protocol used by iOS for enterprise app distribution (Figure 11). Through crawling these URLs, we found at least 102 versions of main apps that developed from Nov 2014 to Sep 2015.
Figure 11. PLIST file hosted by C2 server for YiSpecter's installation
Malicious Behavior Analysis
In this section, we’re going to describe the malicious behaviors seen in each component of YiSpecter. The samples we analyzed are listed in the Appendix and will be shared with security community for research and detection.
Abusing Enterprise Certificates
YiSpecter’s malicious apps were signed with three iOS enterprise certificates issued by Apple so that they can be installed as enterprise apps on non-jailbroken iOS devices via in-house distribution. The “main” apps used a certificate for “Changzhou Wangyi Information Technology Co., Ltd.” and then later used a certificate from “Baiwochuangxiang Technology Co., Ltd.” The three malicious components all used the same certificate belonging to “Beijing Yingmob Interaction Technology co, .ltd” (Figure 12).
Figure 12. NoIcon used enterprise certificate for YingMob Interaction
Through this kind of distribution, an iOS app can bypass Apple’s strict code review procedures and can invoke iOS private APIs to perform sensitive operations. There is one disadvantage to using this method for installation compared to the official App Store: when these apps are executed for the first time iOS displays a dialog to notify the user that the apps are from a specific developer (Figure 13). However, many iOS users may simple click “Continue” and not be aware of the security implications of their choice.
Note that, in Apple’s just-released iOS 9, enterprise certificate security has been improved. Users now must manually set a related provisioning profile as “trusted” in Settings before they can install Enterprise provisioned apps.
Figure 13. iOS displays a dialog the first time a user opens an enterprise-signed app
The enterprise distribution program was designed for companies and organizations to distribute private iOS apps internally. WireLurker and YiSpecter’s usages obviously violate the license and the spirit of this program.
Installing Malicious Apps
Each time a user opens the main app of YiSpecter, it will invoke the[HYOwner checkI0S8_3AndJaikbreakOrNot] function. This function checks whether the current iOS system is older than version 8.3 and then determines if NoIcon is already installed. After that it checks whether the device is jailbroken or not by attempting to access a “cydia://” URL.
If the infected device has an iOS version less than 8.3, and NoIcon hasn’t been installed yet, whether the device is jailbroken or not, YiSpecter will invoke the function [HYAppDelegate requestNoicon:] to download the NoIcon IPA installer and PLIST manifest files (Figure 14).
Figure 14. Main app downloads NoIcon for both jailbroken or non-jailbroken devices
The main app installs NoIcon in a unique way. The app opens an HTTP server and listens on port 8080 using [HYAppDelegate createLocalHTTP Server] (Figure 15). After downloading the NoIcon’s IPA and PLIST files, it will use these files’ local path to construct a local HTTP URL and displays an alert dialog with meaningless title and button text to the user (Figure 16). If the user clicks the button in the dialog, the HTTP server will handle the local HTTP URL and NoIcon will be installed using the itms-service protocol. With this mechanism YiSpecter uses the infected iOS device as an enterprise apps’ distribution server.
Figure 15. Main app launched a local HTTP server
Figure 16. Main app construct NoIcon installation URL and prompt alert dialog
After NoIcon is installed, it will install two more malicious apps: ADPage and NoIconUpdate. After downloading ADPage and NoIconUpdate’s IPA installer files, NoIcon did not use an HTTP server like the main app, but used iOS’s private APIs defined in private framework MobileInstallation to install them (Figure 17). More specifically, NoIcon invokes the MobileInstallationInstall methods implemented in the framework to install local IPA file. It also claimed the necessary private entitlement key “com.apple.private.mobileinstall.allowedSPI” which should only be used by system apps in iOS (Figure 18). Again, through enterprise distribution, YiSpecter successfully bypassed the App Store’s code review process that typically would prevent an app from using these private APIs.
Note that NoIcon, ADPage, and NoIconUpdate are signed with same enterprise certificate. Since user has accepted the provisioning profile when installing NoIcon, ADPage and NoIconUpdate can be installed in this way without any user notification.
Figure 17. NoIcon downloads ADPage's IPA file and installs it
Figure 18. NoIcon has private entitlement for app installation
Uninstalling Existing Apps
NoIcon has another functionality called “fakeApps”. If it receives this command from the C2 server, it will uninstall the iOS app specified in the commands from current device (Figure 19). Then, it will install another downloaded app as a fake version to trick the user. This uninstallation operation is also implemented using a private API -- the MobileInstallationUninstall defined in the MobileInstallation framework.
Figure 19. NoIcon uninstall specified app in fakeApps command
Self Monitoring and Updating
The NoIconUpdate will regularly check whether all these malicious components are installed, then connect with YiSpecter’s C2 server to check for updates. This is why some victims deleted the main app and NoIcon but the malware still remained on the phone.
Figure 20. NoIconUpdate checks installed components' version
Additionally, NoIconUpdate will regularly check whether NoIcon is running. If not, it will launch NoIcon immediately.
Figure 21. NoIconUpdate checks running status and launches NoIcon
Hiding Icon in SpringBoard
NoIcon, ADPage and NoIconUpdate use a trick to hide their icons from SpringBoard (the desktop in iOS.) In their Info.plist file, the “SBAppTags” key contains a value of “hidden” (Figure 22). Any app with this characteristic will not be shown in SpringBoard, hence the user won’t see its icon and its name. This mechanism is used by some preinstalled apps for testing and diagnostics on the iOS system. In February 2015, an iOS Spyware XAgent (aka PawnStorm) also used this trick.
Figure 22. Part of NoIcon's Info.plist file
This icon hiding behavior is critical to YiSpecter’s success. Without being able to see the icon, users not only can’t discover these malicious apps, but also have no way to uninstall them (because uninstalling an iOS app requires the user to long click the app’s icon in SpringBoard). This behavior is likely why YiSpecter’s named the component “NoIcon.”
Pretending to be System Apps
Even though icons are hidden from the SpringBoard, YiSpecter’s author still has considered power users who may use third-party tools to manage iPhones or iPads. The author used special display app names and logos for these three apps to make them look like iOS system apps. The table below shows the display name and icon of three samples we analyzed. As far as we know, YiSpecter has pretended to be the Phone, Weather, Game Center, Passbook, Notes and Cydia apps. While this is a simple trick, it may be effective at fooling some users.
|Displayed App Name
|Faked App Logo
Hijacking Other Apps Execution to Show Ads
NoIcon will also regularly check which iOS app the user has open. This is implemented by using the private API function SBSCopyFrontmostApplicationDisplayIdentifier defined in the SpringBoardServices framework. NoIcon receives an allowlist of apps from C2 server and checks if the currently running app is on this list, which contains YiSpecter’s components and apps built by Apple. If the app isn’t in the list, NoIcon will launch the ADPage app by executing another private API function: SBSLaunchApplicationWithIdentifier.
Figure 23. NoIcon compares current running app with allowlist
Figure 24. NoIcon launch ADPage to cover other apps user interface
The launched ADPage will show a full screen with words “Cydia is detecting and protecting” in Chinese (Figure 25), then display some advertisements provided by third-party mobile ads platforms. Through this mechanism NoIcon and ADPage successfully hijacked other iOS apps’ execution and show its advertisements to victims. This is the most significant behavior reported by victims, as it is disruptive to their regular use of iOS devices.
Figure 25. ADPage's full screen before displaying advertisement
Changing Safari Configurations
Another feature of NoIcon allows it to change Safari browser’s configurations on jailbroken devices by directly writing to local configuration and database files.
If NoIcon receives a specific command from the C2 server, it will enumerate all subdirectories in the “/var/mobile/Applications” directory to find a “Preferences/com.apple.mobilesafari.plist” file. Thus, it can identify the Safari app’s home directory. It then modifies this plist file to change Safari’s default search engine to a specified one between Google, Bing, Yahoo and Baidu (Figure 26). However, in a nearby piece of code, we found that Baidu was specifically hard coded as target search engine in some situations (Figure 27).
Figure 26. NoIcon locates Safari's config file and change default search engine
Figure 27. NoIconHard-coded to change default search engine to Baidu
Additionally, NoIcon changes Safari’s bookmarks database to update all existing bookmark URLs to the URL that specified by C2 server. It will also write Safari’s SuspendStates.plist file to change all latest opened webpages’ URLs to the specified URL.
Note that all these behaviors also occurred according to victims’ reports posted in online forums.
Figure 28. Change URLs in all existing bookmarks
Figure 29. Change URLs in latest opened pages
Collecting and Uploading Device Information
All of the malicious YiSpecter apps collect some device information and upload it to the C2 server, including:
- A los of installed iOS apps; by invoking the private API MobileInstallationLookup;
- A list of running processes by invoking sysctl;
- The device UUID;
- The device MAC address, by invoking sysctl.
Who’s Behind YiSpecter?
There is a lot of evidences that suggests YiSpecter was developed by a company named “YingMob Interaction (微赢互动)”. For example, three of four components are signed by YingMob Interaction’s enterprise certificate. In the NoIconUpdate’s code, we even found a README.md which names the company in the app’s release notes. YiSpecter’s C2 server has hosted some websites belonging to YingMob. For example, if we directly visit the subdomain for YiSpecter’s downloading, qvod.bb800[.]com, we can find it’s an “WAP iOS Traffic Platform Backend Management System” with copyright information of YingMob Interaction.
Figure 30. README.md in the NoIconUpdate
Figure 31. YiSpecter's C2 server page has YingMob Interaction's copyright info
Figure 32. YingMob Interaction official website
YingMob Interaction’s official website shows it’s a Chinese mobile advertisement platform. In addition to YiSpecter we found the company also developed an iOS “helper” tool named “HaoYi Apple Helper(好易苹果助手)”. The tool was later renamed to “Fengniao Helper(蜂鸟助手)”. The tool’s website is http://zs.haoyi.com/ but there’s another subdomain http://zs.od.bb800.com in YiSpecter’s C2 domain that is redirected to zs.haoyi.com. The helper tool says it can help users install all paid iOS apps in the App Store without jailbreaking, and it will give Apple IDs to users as presents to avoid registration in Apple. These functionalities are similar to what the iOS Trojan KeyRaider did earlier this year. Based on victims’ discussions, we found that YiSpecter will frequently ask users to install this helper tool.
Figure 33. Fengniao Helper developed by YingMob Interaction
Relationship between YiSpecter and XcodeGhost
In September 2015, we initially investigated an OS X and iOS malware named XcodeGhost. By infecting Xcode, this compiler malware was successfully compiled into thousands of iOS apps in the App Store and affected hundred of millions users.
While YiSpecter and XcodeGhost both attacked non-jailbroken iOS devices, they are not related to each other. We believe that YiSpecter and XcodeGhost were developed by different attackers and there is no evidence of cooperation between the two developers so far.
However, from technical perspective, it’s still interesting to discuss potential connections between them.
First, we explained that XcodeGhost could be remotely controlled by attackers to open arbitrary URLs, including opening a URL to ask a user to install any app signed by enterprise certificate. Hence, XcodeGhost could be another way to distribute malware like YiSpecter. In fact, not only XcodeGhost but also other legitimate iOS apps in the App Store can also do this.
Second, we explained that XcodeGhost collects system and app information and uploads it to its C2 server. People may be curious why the malware collects this data for. YiSpecter also exhibits this behavior but it also silently installs additional apps, which XcodeGhost does not.
In the underground ecosystem, when someone distributes apps for a fee they typically need some evidence to prove they were successful. For example, after YiSpecter silently installs other apps or games, the attacker could provide related devices and app information to paying developers in order to collect his or her fee. Given that XcodeGhost didn’t install other apps but uploaded that information by default, we suspect that XcodeGhost may have been scamming other underground distributors by collecting the evidence of installation but not actually performing it.
Security Risks and Related Threats
The world where only jailbroken iOS devices were threatened by malware is a thing of the past. WireLurker proved that non-jailbroken iOS devices can also be infected through abuse of the enterprise distribution mechanism. YiSpecter further shows us that this technique is being used to infect many iOS devices in the wild.
The key techniques deployed in YiSpecter are bypassing App Store reviews using enterprise distribution and abusing iOS private APIs to perform sensitive operations. This method has been discussed in some top academic conference papers in recent years (e.g., Tielei Wang et al in USENIX Security 2013, Min Zheng et al in AsiaCCS 2015, and Zhui Deng et al in CCS 2015.) However, YiSpecter is the first iOS malware in the wild that adopted this technique to launch a wide range attacks. This attack vector breaks Apple’s security mechanisms and is likely to be abused in future attacks.
For years Apple has searched for privates APIs used in apps submitted to the App Store and rejected the apps found using them. However, except for enterprise distribution, there’re still some ways to bypass this security check.
In the Objective-C language, invoking a method of an Objective-C object is not implemented through a virtual table as in C++. Objective-C uses a central message forwarding mechanism to handle method invoking where class name and method name are passed as string format parameters. Hence, a malware author can directly invoke the message forwarding functions such as objc_msgSend with obfuscated or encrypted class name and method name strings to use private APIs. Apple’s code review is not strong enough hence apps using private APIs in this way will bypass their review and go to the App Store.
In fact, in one academic paper “iRiS: Vetting Private API Abuse in iOS Applications” in the coming ACM Conference on Computer and Communications Security (CCS 2015), researchers Zhui Deng et al from Purdue University successfully discovered 146 iOS apps from the App Store that abused 150 different private APIs including 25 APIs that are security critical. These occupied about 7 percent of all apps they analyzed. Note that they even found a third-party advertisement library that abused private APIs to collect private user information.
This observation is significant, because as a community, many of us have considered Apple’s code review on private APIs good enough and that abusing private APIs can only be successful if combined with enterprise distribution (like in the case of the YiSpecter.) Though this research, we now know that abusing private APIs in the iOS system could be an independent attack technique and could affect all iOS users.
Prevention and Removal of YiSpecter
Palo Alto Networks has released IPS signatures (14861,14862,14863) via our Threat Prevention product to detect and block all malicious C2 traffic related to YiSpecter. We have also released signatures to detect the queries for the C2 domains used by the malware.
We have also reported the YiSpecter threat to Apple for them to revoke the abused enterprise certificates. (As noted above, the new iOS 9 requires users to manually set related provisioning profile as trusted in Settings before they can install Enterprise provisioned apps. This new feature is also helpful for preventing some security incidents caused by abusing enterprise certificates.)
For iOS users that are potentially infected by YiSpecter, we suggest removing it with the following steps:
- In iOS, go to Settings -> General -> Profiles to remove all unknown or untrusted profiles;
- If there’s any installed apps named “情涩播放器”, “快播私密版” or “快播0”, delete them;
- Use any third-party iOS management tool (e.g., iFunBox, though note that Apple’s iTunes doesn’t work in this step) on Windows or Mac OS X, to connect with your iPhone or iPad;
- In the management tool, check all installed iOS apps; if there’re some apps have name like Phone, Weather, Game Center, Passbook, Notes, or Cydia, delete them. (Note that this step won’t affect original system apps but just delete faked malware.)
Our primary security suggestion to avoid being affected by this kind iOS malware was, is and remains this: never download iOS apps from any untrusted sources, and never trust unknown developers. You should always download iOS apps from the official App Store for personal use, or download your company or organization’s internal app under your IT department’s guidance. Consider that even apps from the App Store can also abuse private APIs for harmful operations, and that these security habits won’t prevent all similar attacks but should prevent most of them. We have also made suggestions to Apple for improving their code review procedures and urged them to improve iOS security mechanisms to defeat these potential security problems.
Samples of YiSpecter
Samples in VirusTotal
Samples of Worm.Win32.Lingdun
Thanks CDSQ from WeipTech group for providing some samples of YiSpecter from an infected iPhone.
Thanks Josh Grunzweig and Bryan Lee from Palo Alto Networks for their suggestions on naming. (Finding a proper name is always so hard!)
Thanks Rongbo Shao and Zhaoyan Xu from Palo Alto Networks for their efforts in detecting the threat.
Thanks Ryan Olson from Palo Alto Networks for reviewing and revising this report.