YiSpecter- Latest Malware Hits iOS Devices

YiSpecter malware infects iOS devices by exploiting private APIs — Reports suggest, Chinese and Taiwanese users of iOS devices have been affected the most.

According to a research report from a cybersecurity firm Palo Alto, YiSpecter uninstalls apps that it doesn’t deem necessary as soon as it gets installed on the Apple iOS device.


1. The malware replaces genuine apps with fake ones that it downloads itself.

2. YiSpecter is an extremely powerful malware that forces the apps to display adverts in full-screen

3. This malware also changes default search engines in Safari and modifies bookmarks too.

4. It can transmit critical user data and information to its server.

5. When the user deletes this app from the iOS device, this powerful malware automatically re-installs itself.

Analysis of Palo Alto:

Palo Alto research team states that this one is an unusual malware that mainly attacks iOS devices in China and Taiwan.

It manages to target iOS devices by abusing private APIs and getting the four components that it comprises of to get downloaded and installed on the device.

The four components of YiSpecter appear genuine and legitimate because these are signed with enterprise certificates.

The malware’s components are downloaded and installed from a centralized server.

Palo Alto’s security researcher Claud Xiao states that through exploiting enterprise certificates and private APIs, the malware gets to infect a large number of iOS devices and “pushes the line barrier of iOS security back another step.”

It is possible that three out of the four components of YiSpecterhide their icons using iOS SpringBoard.

SpringBoard is the standard app that is responsible for running the home screen of iOS device.  

These components can even disguise to escape detection by users by altering their logos and names.

As per information revealed by Palo Alto Networks, this malware has been continually targeting and infecting iOSdevices since January 2015.

However, research reveals that just one out of the 57 security vendors of the free scanning website VirusTotal could detect it.

How YiSpecter Became So Widespread?

Initially, the malware got distributed by disguising itself as an app that lets users view porn for free. 

After some time, it started infecting iOS devices by hijacking traffic from ISPs (internet service providers).

It also compromised devices using a Windows Worm that initially attacked Tencent’s IM service called QQ and online communities that allow installation of third-party apps in a return of promotion fees from developers.

Image Credit: PaloaltoNetworks
Image Credit: PaloaltoNetworks

Last month, Apple was targeted with yet another critical malware known as XcodeGhost infecting 40+ of the most popular apps in the Chinese app store. The XcodeGhost has been removed, but at the moment is unclear if it is related with the newly identified YiSpecter.

Update:

TechCrunch reports that Apple has acknowledged the presence of Yispecter malware in iOS store and the solution to avoid this malware according to the firm is that users should update their devices to latest iOS 9 version.

Ryan De Souza

Ryan is a London-based member of the HackRead’s Editorial team. A graduate of Maths and physics with a passion for geopolitics and human rights. Ryan places integrity at the pinnacle of successful journalism and believes this is somewhat lacking in traditional media. Ryan is an educator who balances his time between family, social activism and humanitarian causes and his vice is Football and cars.