The malicious YiSpecter code is able to infect jailbroken and non-jailbroken iPhones, and it's being distributed through the iTunes App Store.

Eric Zeman, Contributor

October 5, 2015

(Image: Palo Alto Networks)


A new piece of malware, called YiSpecter, abuses Apple's private APIs to gain capabilities on the iPhone that ordinary third-party apps are denied. Worse, the same private-API abuse has turned up in apps in the iTunes App Store, and YiSpecter is infecting non-jailbroken phones in China.

Jailbroken iPhones have long posed a security risk to end-users. Jailbreaking removes the code-signing restrictions that limit an iPhone to apps from the iTunes App Store, so users can sideload software from any source, and that is generally viewed as the easiest way to end up with a compromised device. Non-jailbroken iPhones, by contrast, have so far remained practically impervious to malware. YiSpecter is changing that perception.

Researchers at Palo Alto Networks have discovered about 100 apps in the iTunes App Store that abuse Apple's private APIs and slipped past the store's review process. Private APIs are the internal interfaces Apple uses in its own apps and frameworks. They are undocumented, off-limits to third-party developers, and calling them is normally grounds for rejection during App Store review.

Abusing those APIs is what lets whoever wrote YiSpecter reach phones in China that have never been jailbroken, something widely considered infeasible until now.

"What that means is the attacking technique of abusing private APIs can also be used separately and can affect all normal iOS users who only download apps from the App Store," Claud Xiao, one of the researchers at Palo Alto Networks, wrote in an Oct. 4 report.

What kind of damage can YiSpecter inflict? The kind to give IT admins nightmares.

Once YiSpecter makes its way onto an iPhone, it takes control of a number of significant behaviors. For example, it can download, install, and launch applications without the user's consent; replace legitimate apps already on the device with its own downloads; and hijack other apps to display advertisements.

YiSpecter impacts Safari, too.

The malware can change Safari's default search engine, overwrite bookmarks, and send information about the handset to remote servers. Resetting the device doesn't clear the injected advertisements, according to Palo Alto Networks.

"Some non-jailbroken iPhone users tried to clear cookies, reset iOS, change their iCloud accounts, and block pop-ups in Safari, but these operations didn't resolve the problem," explained Xiao. "However, if they used a third-party mobile browser with built-in proxy functionality to access the same web page, the advertisements disappeared. One user even called his ISP's service phone number to complain and the problem was resolved -- these advertisements never appeared again."

Because routing the same page through a third-party proxy made the ads vanish, and a complaint to the ISP made them stop for good, Xiao and his team suspect that ISPs, or traffic manipulation on their networks, play a role in YiSpecter's spread. That's a chilling thought.


Perhaps the worst part: YiSpecter has been active in the wild since November 2014, nearly a year before it was publicly identified. Some analysts, however, say not to worry.

"This does not signal the collapse of Apple's iOS security model," wrote Trey Ford, global security strategist at Rapid7. "Consumers and enterprises should be aware that Apple has already included additional controls to make this kind of attack even harder in iOS 9 updates. Apple's iOS walled garden is still a holy grail for attackers, so every incident involving non-jailbroken iOS devices will likely be considered newsworthy."

So far the malware has been seen only in mainland China and Taiwan. If you're using an iPhone outside of those regions, you likely have nothing to worry about. As always, don't jailbreak your iPhone and only download apps from the App Store, with the caveat that the App Store is no longer the absolute guarantee it once seemed, given the private-API-abusing apps the researchers found there.

Apple hasn't publicly commented on the matter.

About the Author(s)

Eric Zeman


Eric is a freelance writer for InformationWeek specializing in mobile technologies.
