Researchers warned that the November unveiling of the WireLurker malware targeting Apple platforms could turn out to be a blueprint for Mac and iOS malware writers. While WireLurker was quickly squashed and proved to be fairly benign, its authors demonstrated how the abuse of Apple-issued enterprise developer certificates was an effective means of getting malicious code onto non-jailbroken iPhones and iPads.
Another threat called YiSpecter has apparently followed WireLurker’s lead and combined the use of certs issued under Apple’s iOS Developer Enterprise Program with the abuse of private APIs to move adware onto non-jailbroken iOS devices, primarily in China and Taiwan.
Claud Xiao, a researcher at Palo Alto Networks, yesterday published a report on the malware, which apparently has been in the wild for 10 months and has poor detection rates on security services such as VirusTotal.
Similarly to WireLurker, YiSpecter opens a backdoor to a set of command and control servers and sends back device data. It can install and launch new Trojanized apps—some of which survive deletion—hijack other apps in order to display ads, change the default search setting in Safari, change bookmarks and open webpages in the mobile browser. Its job is largely to spread pornographic adware.
Unlike WireLurker, which spread from infected Macbooks to iOS devices, YiSpecter spreads in a handful of ways, benefiting largely from the legitimacy of the certificates, one of which has already been revoked by Apple.
“We think they’re all legitimate,” said Palo Alto director of research Ryan Olson. The certificates cost $299 and are available only to vetted and verified businesses wishing to develop enterprise apps for iOS. “These are intended for internal distribution. Distributing apps in this way is not what Apple intended, and why they’re revoking them.”
Academic research had been done prior to WireLurker that demonstrated the potential for abuse around these certs, and Olson said he expected to see some attacks try to mimic this approach. The increased attention on the issue, in particular on the heels of WireLurker, caused Apple to respond in the recently released iOS 9 with a feature that forces users wishing to run an enterprise-signed app to go through a couple of extra hoops. The developer, for example, must be explicitly trusted in the device settings in order for the signed app to run.
“You don’t just click ‘OK.’ You have to dig into the settings if you want to trust the developer. This is the type of feature that prevents this type of attack from being successful,” Olson said. “Apple has made some good improvements; once iOS 9 rolls out, it will be broadly effective against this.”
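The channel at issue is the enterprise in-house provisioning profile, which lets a signed app run on any device rather than on an enumerated list of test devices. As an added defender-side example (not code from Palo Alto Networks or from this article), the script below pulls the plist out of an `embedded.mobileprovision` blob, labels the profile's distribution type and flags the enterprise kind; the sample profile bytes, the team name and the reference date are constructed for the demonstration.

```python
import plistlib
import re
from datetime import datetime

# The XML plist inside a .mobileprovision sits in a PKCS#7 signature wrapper but
# is not encrypted, so it can be located by its text markers.
PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)

def extract_plist(mobileprovision: bytes) -> dict:
    """Return the provisioning profile's plist payload as a dict."""
    m = PLIST_RE.search(mobileprovision)
    if not m:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(m.group(0))

def classify_profile(profile: dict, now: datetime) -> dict:
    """Label the distribution type; ProvisionsAllDevices marks an enterprise
    in-house profile, the kind that installs on any non-jailbroken device."""
    ents = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise-inhouse"
    elif ents.get("get-task-allow"):
        kind = "development"          # debuggable build, UDID-limited
    elif "ProvisionedDevices" in profile:
        kind = "adhoc"                # signed for a fixed device list
    else:
        kind = "appstore"
    exp = profile.get("ExpirationDate")  # plistlib yields a naive UTC datetime
    return {
        "kind": kind,
        "team": profile.get("TeamName"),
        "app_id": ents.get("application-identifier"),
        "expired": bool(exp is not None and exp <= now),
        "sideload_risk": kind == "enterprise-inhouse",
    }

def build_sample_profile() -> bytes:
    """Constructed stand-in for embedded.mobileprovision: a fake DER prefix
    around a real XML plist carrying enterprise-profile keys."""
    payload = plistlib.dumps({
        "TeamName": "EXAMPLE CORP (constructed)",
        "ProvisionsAllDevices": True,
        "ExpirationDate": datetime(2016, 1, 1),
        "Entitlements": {
            "application-identifier": "ABCDE12345.com.example.app",
            "get-task-allow": False,
        },
    })
    return b"\x30\x82\x0a\xf1\x06\x09*\x86H\x86\xf7\r\x01\x07\x02" + payload + b"\x00" * 8
```

Running `classify_profile(extract_plist(build_sample_profile()), some_date)` on an IPA's `embedded.mobileprovision` gives an inventory-time signal that an app arrived through enterprise distribution rather than the App Store, which is the moment a revoked or unexpected team name deserves a closer look.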
The use of private APIs to install malicious apps is also worrisome: Xiao wrote that it lets the malware carry out a number of sensitive operations that Apple’s enterprise distribution mechanism has no visibility into. YiSpecter is made up of four components, all of which are signed.
“By abusing private APIs, these components download and install each other from a command and control (C2) server,” Xiao wrote. “Three of the malicious components use tricks to hide their icons from iOS’s SpringBoard, which prevents the user from finding and deleting them. The components also use the same name and logos of system apps to trick iOS power users.”
YiSpecter is not an App Store threat. It moves over a number of distinct channels posing as an alternative to the popular QVOD media player used to exchange and view pornography in China. Once QVOD was shut down by law enforcement in April, the attackers behind YiSpecter targeted those users with the malware.
YiSpecter’s most interesting propagation method is its abuse of a practice carried out by local ISPs that inject JavaScript and HTML advertising into web traffic. Some of the injected ads on major news sites, for example, promoted QVOD downloads that were in fact YiSpecter.
“The ISPs played a role in it, but they probably thought it would just be displaying ads,” Olson said.
YiSpecter was also spread via the Lingdun worm, malware that uses phony VeriSign and Symantec certs to bypass detection systems. Lingdun is a Windows threat and is used primarily to push software onto Windows PCs. A number of underground app distribution sites and posts to social networks were also pushing YiSpecter, Palo Alto said.
YiSpecter is the latest in a noteworthy run of attacks against the various Apple platforms, starting with XcodeGhost and last week’s publicly disclosed bypass of Gatekeeper on OS X.