The YiSpecter malicious activity: Thank you China…again

And there we go again: a new threat for iOS users, right now in China only, but with a real chance of spreading IF security doesn't get upgraded both in the system itself and in the App Store's application code review (which will very probably happen soon).

iOS devices homescreen

Anyway, the new abuse has a name too: YiSpecter. And, no surprise, once again we have Chinese genius minds to thank for it, as we can read on the page of the Palo Alto Networks researchers, together with all the details of its nature, how it works, how it spreads, and how extremely refined the possible attack paths are!

By the way, this goes for jailbroken and NON-jailbroken iOS devices alike!

Do they have any advice for you, as to cure and prevention? Certainly, as they state:

Prevention and Removal of YiSpecter
Palo Alto Networks has released IPS signatures (14861, 14862, 14863) via our Threat Prevention product to detect and block all malicious C2 traffic related to YiSpecter. We have also released signatures to detect the queries for the C2 domains used by the malware.
We have also reported the YiSpecter threat to Apple for them to revoke the abused enterprise certificates. (As noted above, the new iOS 9 requires users to manually set the related provisioning profile as trusted in Settings before they can install Enterprise-provisioned apps. This new feature is also helpful for preventing some security incidents caused by abusing enterprise certificates.)
For iOS users who are potentially infected by YiSpecter, we suggest removing it with the following steps:
1. In iOS, go to Settings -> General -> Profiles and remove all unknown or untrusted profiles;
2. If there are any installed apps named “情涩播放器”, “快播私密版” or “快播0”, delete them;
3. Use any third-party iOS management tool (e.g., iFunBox; note that Apple’s iTunes doesn’t work for this step) on Windows or Mac OS X to connect to your iPhone or iPad;
4. In the management tool, check all installed iOS apps; if there are any apps with names like Phone, Weather, Game Center, Passbook, Notes, or Cydia, delete them. (Note that this step won’t affect the original system apps; it only deletes the fake malware.)
Our primary security suggestion to avoid being affected by this kind of iOS malware was, is and remains this: never download iOS apps from any untrusted sources, and never trust unknown developers. You should always download iOS apps from the official App Store for personal use, or download your company or organization’s internal app under your IT department’s guidance. Consider that even apps from the App Store can abuse private APIs for harmful operations, and that these security habits won’t prevent all similar attacks but should prevent most of them. We have also made suggestions to Apple for improving their code review procedures and urged them to improve iOS security mechanisms to defeat these potential security problems.
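The manual check in the removal steps above (look through the installed apps for impostors named like system apps, or for the three known malicious names) can be automated once you have an app inventory off the device. The script below is an added example, not code from this post or from Palo Alto Networks. It assumes the inventory is a plist array of app dictionaries with CFBundleIdentifier and CFBundleDisplayName keys, the shape that `ideviceinstaller -l -o xml` from libimobiledevice emits (an assumption about that tool's output); the inventory embedded here is a constructed sample so the script runs offline. The discriminator it adds beyond the names in the post is the bundle identifier: Apple's own apps live under `com.apple.`, so an app called Notes or Weather with any other identifier is a fake.

```python
"""Triage an iOS app inventory for YiSpecter-style impostor apps (added example)."""
import plistlib

# Display names the removal steps say YiSpecter's fake components used.
MIMICKED_SYSTEM_NAMES = {"Phone", "Weather", "Game Center", "Passbook", "Notes", "Cydia"}
# App names the removal steps say to delete outright.
KNOWN_MALICIOUS_NAMES = {"情涩播放器", "快播私密版", "快播0"}
# Apple's own apps use bundle identifiers under this prefix.
APPLE_PREFIX = "com.apple."

# Constructed sample inventory (not captured from a real device). Its shape is
# assumed to match the plist array `ideviceinstaller -l -o xml` prints.
SAMPLE_INVENTORY = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>CFBundleIdentifier</key><string>com.apple.mobilenotes</string>
    <key>CFBundleDisplayName</key><string>Notes</string>
  </dict>
  <dict>
    <key>CFBundleIdentifier</key><string>cn.example.fakenotes</string>
    <key>CFBundleDisplayName</key><string>Notes</string>
  </dict>
  <dict>
    <key>CFBundleIdentifier</key><string>cn.example.player</string>
    <key>CFBundleDisplayName</key><string>快播私密版</string>
  </dict>
  <dict>
    <key>CFBundleIdentifier</key><string>com.example.forecast</string>
    <key>CFBundleDisplayName</key><string>My Weather</string>
  </dict>
</array>
</plist>
""".encode("utf-8")


def load_inventory(plist_bytes):
    """Parse an installed-app inventory plist into a list of app dictionaries."""
    apps = plistlib.loads(plist_bytes)
    if not isinstance(apps, list):
        raise ValueError("expected a plist array of app dictionaries")
    return apps


def classify(app):
    """Return a reason string if the app looks like a YiSpecter component, else None."""
    bundle_id = app.get("CFBundleIdentifier", "")
    name = app.get("CFBundleDisplayName") or app.get("CFBundleName", "")
    if name in KNOWN_MALICIOUS_NAMES:
        return "app name listed in the YiSpecter removal steps"
    # A system-app name is only legitimate on an Apple bundle identifier;
    # exact-name matching keeps honest apps like "My Weather" out of the report.
    if name in MIMICKED_SYSTEM_NAMES and not bundle_id.startswith(APPLE_PREFIX):
        return "system-app display name but non-Apple bundle identifier"
    return None


def find_suspicious(apps):
    """Return (bundle_id, display_name, reason) for every app classify() flags."""
    findings = []
    for app in apps:
        reason = classify(app)
        if reason:
            findings.append((app.get("CFBundleIdentifier", ""),
                             app.get("CFBundleDisplayName", ""), reason))
    return findings


if __name__ == "__main__":
    for bundle_id, name, reason in find_suspicious(load_inventory(SAMPLE_INVENTORY)):
        print(f"SUSPICIOUS {bundle_id!r} ({name!r}): {reason}")
```

On the sample the script reports the fake Notes and the 快播私密版 player and leaves the genuine com.apple.mobilenotes and the unrelated forecast app alone. Treat the output as a triage list to confirm in the management tool rather than a verdict: the bundle-identifier prefix is a heuristic, and the name lists only cover the variants the post names.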

