James said the malware was worse than WireLurker, as it combines more techniques for infecting an iPhone and so reaches a much wider range of targets. “It spreads via unusual means, including the hijacking of traffic from nationwide ISPs, an SNS worm on Windows, and an offline app installation and community promotion”, the firm wrote on its website. Spreading tactics have evolved towards greater sophistication and diversity. Despite the novelty of both pieces of malware, however, Palo Alto Networks says there is no evidence that XcodeGhost and YiSpecter are related.
The malware consists of four components, each signed with an enterprise (in-house distribution) certificate, the kind Apple issues to organisations so they can install apps on their own devices without going through the App Store.
The malware can be downloaded and installed whether or not the iPhone is jailbroken.
Ryan Olson, Palo Alto Networks’ director of threat intelligence, told The Wall Street Journal that the culprit seems to be a China-based mobile advertisement service and that Apple had been notified of this new threat.
Now we have news of more malware, but fortunately for those outside Asia, there looks to be no reason for concern.
YiSpecter affects both regular and jailbroken iPhones and iPads, which makes it notable, as does its abuse of private APIs in iOS.
The result: infected iOS devices, including ones that had not been jailbroken; jailbreaking had historically been the route for most iOS infections, especially in the PRC and elsewhere in Asia.
In addition, the malware uses private application programming interfaces (APIs), undocumented interfaces that Apple reserves for its own system software, to perform actions that ordinary App Store apps are not allowed to. If you are concerned and your device is compatible, it is advisable to update to iOS 9 immediately.
Apple has been notified about the malware, and Palo Alto Networks has released IPS and DNS signatures that block YiSpecter’s network traffic. Olson said Apple bars third-party apps from using private APIs because they can be used to perform actions outside Apple’s policies.
Palo Alto Networks added: “We believe that YiSpecter and XcodeGhost were developed by different attackers and there is no evidence of cooperation between the two developers so far”.
By abusing private APIs, YiSpecter can hide three of its four components from SpringBoard, the iOS app that draws the home screen, and disguise itself with the names and logos of legitimate iOS apps, thereby escaping detection. What do you think of this iOS malware?
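The two traits the article attributes to YiSpecter, enterprise-certificate signing and reliance on private iOS frameworks, are both visible statically in an app bundle, so a triage script can flag candidates before any dynamic analysis. The following is an added example written for this page, not code from Palo Alto Networks or any YiSpecter analysis: it unpacks an IPA, pulls the XML plist out of `embedded.mobileprovision` (a CMS/PKCS#7 envelope whose signed payload is a plist), checks for the `ProvisionsAllDevices` key that distinguishes an enterprise profile from an App Store or ad-hoc one, and scans the main executable for `/System/Library/PrivateFrameworks/` load paths. The sample IPA, the team name `Example Corp`, the bundle `com.example.app` and the framework name `ExamplePrivate` are all constructed for the demonstration and are not real artifacts.

```python
import io
import plistlib
import re
import zipfile

# The signed payload inside embedded.mobileprovision is an XML plist; locating the
# <?xml ... </plist> span avoids needing a CMS parser (signature is NOT verified here).
PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)

# Load-command paths for private frameworks appear as plain strings in the Mach-O.
PRIVATE_FW_RE = re.compile(
    rb"/System/Library/PrivateFrameworks/[\w.]+\.framework/[\w.]+"
)


def extract_provision_plist(mobileprovision: bytes) -> dict:
    """Return the provisioning profile's plist payload as a dict."""
    m = PLIST_RE.search(mobileprovision)
    if not m:
        raise ValueError("no plist payload found in provisioning profile")
    return plistlib.loads(m.group(0))


def is_enterprise_profile(profile: dict) -> bool:
    """Enterprise (in-house) profiles set ProvisionsAllDevices and carry no
    ProvisionedDevices list; App Store and ad-hoc profiles do not."""
    return bool(profile.get("ProvisionsAllDevices")) and "ProvisionedDevices" not in profile


def private_frameworks(binary: bytes) -> list[str]:
    """Private-framework paths referenced by the executable, sorted and deduplicated."""
    return sorted({m.group(0).decode() for m in PRIVATE_FW_RE.finditer(binary)})


def triage_ipa(ipa_bytes: bytes) -> dict:
    """Static triage of an IPA: who signed it and whether it links private frameworks."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        info_name = next(
            n for n in z.namelist() if re.fullmatch(r"Payload/[^/]+\.app/Info\.plist", n)
        )
        app_dir = info_name[: -len("Info.plist")]
        info = plistlib.loads(z.read(info_name))
        profile = extract_provision_plist(z.read(app_dir + "embedded.mobileprovision"))
        binary = z.read(app_dir + info["CFBundleExecutable"])

    result = {
        "bundle_id": info.get("CFBundleIdentifier"),
        "team": profile.get("TeamName"),
        "enterprise_signed": is_enterprise_profile(profile),
        "private_frameworks": private_frameworks(binary),
    }
    # Either trait alone is common (MDM-distributed apps, Apple's own tools);
    # the combination outside the App Store is what merits a closer look.
    result["suspicious"] = result["enterprise_signed"] and bool(result["private_frameworks"])
    return result


def build_sample_ipa() -> bytes:
    """Constructed sample IPA (not a real malware artifact) for offline testing:
    an enterprise-style profile wrapped in filler bytes standing in for the CMS
    envelope, and a fake executable that references one private framework."""
    profile = plistlib.dumps({
        "Name": "Example In-House Profile",
        "TeamName": "Example Corp",           # hypothetical team
        "ProvisionsAllDevices": True,
        "Entitlements": {"application-identifier": "ABC123.com.example.app"},
    })
    mobileprovision = b"\x30\x82\x0c\x00" + b"\x00" * 16 + profile + b"\x00" * 8
    fake_binary = (
        b"\xcf\xfa\xed\xfe" + b"\x00" * 32                      # Mach-O 64-bit magic + padding
        + b"/System/Library/PrivateFrameworks/ExamplePrivate.framework/ExamplePrivate\x00"
        + b"\x00" * 16
    )
    info = plistlib.dumps({"CFBundleIdentifier": "com.example.app",
                           "CFBundleExecutable": "ExampleApp"})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/ExampleApp.app/Info.plist", info)
        z.writestr("Payload/ExampleApp.app/embedded.mobileprovision", mobileprovision)
        z.writestr("Payload/ExampleApp.app/ExampleApp", fake_binary)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_ipa(build_sample_ipa()))
```

Two caveats for anyone adapting this. The plist is read without verifying the CMS signature, so a tampered profile is taken at face value; a production check should validate the signature chain against Apple's root first. And the string scan only catches frameworks linked directly through load commands; a binary that resolves private symbols at runtime, or stores the path obfuscated, will pass the heuristic, so treat a clean result as "nothing obvious" rather than "clean".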