iOS Malware Abuses Private APIs for Malicious Functionality

A piece of Apple iOS malware dubbed by researchers “YiSpecter” has been abusing private APIs and enterprise certificates to infect both jailbroken and non-jailbroken devices.

The threat, analyzed in detail by researchers at Palo Alto Networks, has been spreading in the wild since at least November 2014 via a worm, Internet traffic hijacking, underground app distribution websites, and online forums and social networks. Experts say YiSpecter has mainly affected iOS users in China and Taiwan.

Once it infects a device, YiSpecter can download, install and execute arbitrary iOS apps, replace existing applications, hijack the execution of apps to display ads, collect device information and upload it to a command and control (C&C) server, and change configuration in Safari (e.g. default search engine, bookmarks, opened pages).

The threat was first analyzed by China-based security firms Qihoo360 and Cheetah Mobile in February 2015, but Palo Alto Networks says these companies have failed to conduct a complete analysis, which may have led to an “incorrect conclusion.”

Qihoo360 and Cheetah had analyzed a Windows-based worm dubbed “Lingdun,” which distributes iOS and Android adware and other apps. Palo Alto says the Chinese companies incorrectly classified these apps as variants of Lingdun, when in reality they are components of YiSpecter, which was created by different developers.

Palo Alto’s investigation revealed that YiSpecter has four components. The first consists of at least a couple of “main apps” that are distributed via the Lingdun worm, via traffic hijacking at the ISP level, and through posts on forums and social media websites. The apps are disguised as a popular media player called QVOD and as various programs allegedly designed for accessing free adult content.

Once these apps make their way onto a device, they download and install YiSpecter’s main malicious component dubbed by researchers “NoIcon.” NoIcon is capable of harvesting device information, executing remote commands, changing the configuration in Safari, and installing the two other components of the malware, namely ADPage and NoIconUpdate.

ADPage is the component responsible for displaying ads when users execute legitimate apps. It does this with the aid of NoIcon, which monitors installed applications and hijacks their launch routine. NoIconUpdate is designed to check for the existence of other components and malware updates, connect to the C&C server, and send back status information.

What makes the NoIcon component interesting is that it uses private APIs from iOS’s MobileInstallation framework to install ADPage and NoIconUpdate. NoIcon also abuses these private APIs to uninstall existing apps before replacing them with rogue versions. Apps that call private APIs are normally rejected during App Store review, which is why YiSpecter’s enterprise-signed distribution channel matters. Experts believe YiSpecter is the first piece of iOS malware discovered in the wild to abuse private APIs.

The YiSpecter apps and components can be installed on non-jailbroken devices because they are signed with iOS enterprise certificates. The apps have been signed with certificates from “Changzhou Wangyi Information Technology” and “Baiwochuangxiang Technology” while the components have been signed with a certificate issued for “Beijing Yingmob Interaction Technology.”

Since the malicious components are signed with iOS enterprise certificates, they can be delivered directly through Apple’s Developer Enterprise Program, which allows organizations to distribute private iOS apps internally without App Store review. This lets the attackers abuse private APIs and install the malicious components without victims seeing any notifications. The only warning sign is a prompt displayed when the apps are first executed, informing the user that the application is from a specific developer; experts believe users often tap “Continue” without giving it much thought.

Another interesting aspect of YiSpecter’s components is that they set the value of the “SBAppTags” key in their Info.plist file to “hidden,” which keeps them off the SpringBoard home screen where users would otherwise see them. Even if power users find the components with third-party tools, they might not suspect malware, since the apps are disguised to look like iOS system applications.
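The two tricks described above, private MobileInstallation API use and SBAppTags=hidden, both leave artifacts in an app bundle that can be checked offline. The following Python script is an added example, not Palo Alto Networks’ code or anything from the YiSpecter samples: it scans a binary’s string table for a watch list of private symbol names, parses Info.plist for the SBAppTags flag, and reads the embedded provisioning profile to tell whether the app is enterprise-signed. The watch list, bundle identifiers, profile name and all byte strings are constructed for illustration.

```python
"""Offline triage for the YiSpecter tricks discussed above: private
MobileInstallation API references in an app's binary, SBAppTags=hidden in
its Info.plist, and an enterprise (in-house) embedded.mobileprovision.
Added example, not Palo Alto Networks' code; all sample inputs are constructed."""
import plistlib
import re

# Watch list of private symbols (assumption: illustrative, not exhaustive).
# MobileInstallationInstall/Uninstall are functions of the private
# MobileInstallation.framework; LSApplicationWorkspace is the private
# LaunchServices class exposing installApplication:withOptions:.
PRIVATE_API_INDICATORS = (
    "MobileInstallationInstall",
    "MobileInstallationUninstall",
    "LSApplicationWorkspace",
    "installApplication:withOptions:",
    "uninstallApplication:withOptions:",
)

# Constructed stand-in for a Mach-O binary: a magic header plus a string table.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 16
    + b"_MobileInstallationInstall\x00_MobileInstallationUninstall\x00"
    + b"LSApplicationWorkspace\x00installApplication:withOptions:\x00"
    + b"/System/Library/PrivateFrameworks/MobileInstallation.framework\x00"
)

# Constructed Info.plist using the SBAppTags trick; the identifier is made up.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.example.noicon</string>
<key>CFBundleDisplayName</key><string>Settings</string>
<key>SBAppTags</key><array><string>hidden</string></array>
</dict></plist>"""

CLEAN_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.example.benign</string>
</dict></plist>"""

# Constructed embedded.mobileprovision: CMS bytes wrapping an XML plist.
SAMPLE_MOBILEPROVISION = (
    b"\x30\x82\x0c\x00cms-header-bytes"
    + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Name</key><string>Example In-House Profile</string>
<key>ProvisionsAllDevices</key><true/>
</dict></plist>"""
    + b"\x00cms-signature-bytes"
)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Pull printable ASCII runs out of a binary, like strings(1)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def find_private_api_refs(binary: bytes) -> list:
    """Return the watch-listed symbols that occur anywhere in the binary."""
    found = extract_strings(binary)
    return sorted({ind for ind in PRIVATE_API_INDICATORS
                   if any(ind in s for s in found)})


def is_hidden_from_springboard(info_plist: bytes) -> bool:
    """True if Info.plist carries SBAppTags containing 'hidden'."""
    tags = plistlib.loads(info_plist).get("SBAppTags", [])
    if isinstance(tags, str):  # tolerate a bare string instead of an array
        tags = [tags]
    return "hidden" in tags


def is_enterprise_profile(mobileprovision: bytes) -> bool:
    """Locate the plist inside the CMS blob and check ProvisionsAllDevices,
    which in-house (enterprise) profiles set to true."""
    start = mobileprovision.find(b"<?xml")
    end = mobileprovision.find(b"</plist>")
    if start < 0 or end < 0:
        return False
    profile = plistlib.loads(mobileprovision[start:end + len(b"</plist>")])
    return bool(profile.get("ProvisionsAllDevices", False))


def triage_bundle(info_plist: bytes, binary: bytes,
                  mobileprovision: bytes = None) -> dict:
    """Combine the three checks; 'suspicious' needs both YiSpecter traits."""
    findings = {
        "hidden_from_springboard": is_hidden_from_springboard(info_plist),
        "private_api_refs": find_private_api_refs(binary),
        "enterprise_signed": (is_enterprise_profile(mobileprovision)
                              if mobileprovision else None),
    }
    findings["suspicious"] = bool(findings["hidden_from_springboard"]
                                  and findings["private_api_refs"])
    return findings


if __name__ == "__main__":
    for key, value in triage_bundle(SAMPLE_INFO_PLIST, SAMPLE_BINARY,
                                    SAMPLE_MOBILEPROVISION).items():
        print(f"{key}: {value}")
```

On a real unpacked IPA the inputs are `Payload/<App>.app/Info.plist`, the executable named by its `CFBundleExecutable`, and `Payload/<App>.app/embedded.mobileprovision`. A string match on a private symbol is an indicator, not proof of a call, so treat it as a lead for static analysis rather than a verdict; an enterprise profile by itself is not malicious either, but an enterprise-signed app that hides itself from SpringBoard and references MobileInstallation is exactly the combination the article describes.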

Experts have also pointed out that if the malware is deleted manually, it will automatically reappear. Palo Alto Networks has provided step-by-step instructions for removing the threat from infected devices.

The company noted in a blog post published on Sunday that it has identified 23 YiSpecter samples (main apps) submitted to VirusTotal between November 2014 and August 2015. VirusTotal shows that only Qihoo360 detects the files as being malicious.

As far as attribution is concerned, researchers say the evidence points to YingMob Interaction, a Chinese mobile advertisement platform that owns the enterprise certificates used to sign YiSpecter components. Moreover, experts found that the C&C server used by the malware has hosted some sites belonging to this company, and a file associated with the NoIconUpdate component references YingMob. The Chinese firm could not immediately be reached for comment.

Related Reading: New "WireLurker" Malware Targets iOS, Mac OS X Users via Trojanized Applications

Related Reading: XcodeGhost Compiler Malware Targets iOS, OS X Systems

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.