iOS malware YiSpecter: iPhones menaced by software nasty The first iOS malware capable of attacking both non-jailbroken and jailbroken devices has surfaced online. The mobile malware nasty YiSpecter hooks into private APIs in iOS 8 to perform malicious actions, and has been in the wild for at least 10 months, mostly in China and Taiwan, since November 2014 if not earlier. YiSpecter …
This new Apple problem feels like some sort of sci-fi horror story where the upper echelon live in a heavily guarded 'bubble' where they can travel and do things completely free of any outside force doing bad things to them - until a monster breaks in and wreaks havoc because all the guards are on the outside.
It's all gone to crap ever since Macs went over to x86. If only they'd stayed on POWER PC, they'd have been safer.
...largely, at least. From the Paloalto Networks story:
"Note that, in Apple’s just-released iOS 9, enterprise certificate security has been improved. Users now must manually set a related provisioning profile as “trusted” in Settings before they can install Enterprise provisioned apps."
The majority of iOS devices are already upgraded to 9.
(Any device can get malware on it if the software between the users ears isn't up to the job, of course)
"The majority of iOS devices are already upgraded to 9."
Well, not quite. Apple may have claimed >50% uptake, however that is only for iOS9 capable devices. There are hundreds of millions of devices out there for which Apple have not released a version of iOS9. (<=iPhone4, iPod Touch4, iPad1)
This is good know - after the first story about malware using enterprise certificates I was thinking they needed to tighten up the protections on that since a certain group of people will just click "OK" if they're told to.
I suppose even with this fix there are some who will follow instructions to go into settings and mark a particular profile as trusted if told to, but at some point it is no longer possible to protect people from themselves! You can have all the security policies in the world, but if someone is able to phone up the CEO's secretary claiming to be from IT and ask for his email password then they don't mean much.
I wonder if Apple has the ability to revoke enterprise certificates? It isn't clear whether someone is using a legitimate corporation's enterprise certificate or obtaining one from Apple only to distribute malware. If its the latter revoking it would be no problem, if it is the former it could potentially cause a lot of problems for the enterprise - but maybe that would encourage enterprises to be guard them more closely.
If nothing else, the constant stream of updates to iOS would handicap them, as even if they have an exploitable hole that they can use to install malware on your iPhone, it is likely to be erased when you upgrade iOS. Once they get it on an Android phone, it is more likely to live there forever as they might get an update or two when the phone is still new, but once you have your last update if they get malware on there it is probably there for the life of your phone.
It's a lot of screeching and very few actual problems.
1 - notice that the ENTIRE blog is about events in China & Taiwan, not here. But let's assume someone will use that code, well then ..
2 - .. Apple's security model has not actually been breached - this uses the Enterprise application install which means you must install the profile for this first. Despite all the effort to make it sound like a drive-by infection, it is certainly not as it requires the user to accept the installation of a certificate, something that's even harder to do in iOS9. Naturally, that was buried deep down in the article or the sensationalism would not work:
There is one disadvantage to using this method for installation compared to the official App Store: when these apps are executed for the first time iOS displays a dialog to notify the user that the apps are from a specific developer (Figure 13). However, many iOS users may simple click “Continue” and not be aware of the security implications of their choice.
It's worth keeping up with updates: Note that, in Apple’s just-released iOS 9, enterprise certificate security has been improved. Users now must manually set a related provisioning profile as “trusted” in Settings before they can install Enterprise provisioned apps.
So, is the sky falling? Nope. Are there infected Apps in the App store? Well, no, they are provided from elsewhere. The only thing an iOS user could wish for for extra security is a way to simply block the installation of Enterprise certs, but about the only proper takeaway from this story is that you have to be very wary in China and Taiwan of your connections, and not say "yes" to any strange popup. The latter is something you ought to know already...
Also worth adding that this gets on the iDevice by "third party app stores" which abuse enterprise certificates and sideload via USB. So, yes, YiSpecter bypasses App Store reviews by bypassing the App Store.
I imagine quite a few iPhones are safe. Practically all of them outside those countries where people routinely use dodgy app stores.
Have to love Apple loyalty.
Recent events have shown that well organised individuals / criminal gangs / foreign governments are actively targetting iOS devices, with varying degrees of success, and using different attack vectors. This latest attack has, apparently, been in the wild for months without detection, and the recent Xcode shambles resulted in thousands of malware-ridden apps cruising past Apple's legendary App Store police without detection, relying on a developer to notice something strange with an app they were developing.
Still, it's all OK. It's in China, it's easily fixed in iOS 9.x, Apple will release a fix really quick, much quicker than Google ever could.
Nothing like relying on a quick cure than worrying about the cause, eh?
Wake up, Apple is a target and is being breached. These recent attacks are ones that have been identified, how many more are there? Can you really be sure that the apps you get from the App Store are safe? If it takes 10 months to find an attack, how much info could have been stolen in that time?
"Wake up, Apple is a target and is being breached."
Have an upvote for sanity, to balance out the hundreds of downvotes you'll get for implying Apple aren't perfect.
Apple's approach to security assumes they're smarter than the enemy. That's exactly not how security professionals are taught. Always presume there's someone brighter than you who can crack anything you build.
This post has been deleted by its author
the recent Xcode shambles resulted in thousands of malware-ridden apps cruising past Apple's legendary App Store police without detection, relying on a developer to notice something strange with an app they were developing.
I think that did unearth a pretty serious problem with the App Store security: it didn't pick up that apps were compiled with an Xcode that was altered. Admittedly, I have no idea how they would have picked his up, and I hope they find a way, but to me it suggests that some of this checking relies on dangerous or at least flawed assumptions. That needs looking into IMHO - I doubt it'll be the last time that someone starts with questionable fundamentals, and that may not be by accident either.
@ "Have to love Apple loyalty."
There is truly no telling some people.
Present the facts and they'll ignore them, twist them, add some bollocks and regurgitate nonsense, then people will upvote the comment even though it's built in nonsense.
The exploit involves the user deliberately accepting enterprise certificates to then install dodgy software from dodgy sources. It's not like apple software hasn't got safeguards to make it awkward for users to install malware laden apps from non Apple stores.
Oh give over. I've been listening to people like you making dire warnings about Apple "becoming" a target for many years now. You know what? Apple has always been a target. Certainly since the first iPhone launched, they've had a significant user base which is extremely attractive to the malware vendors. The question is not whether they are being targeted but how many of these attacks are actually effective or on target, and the truth you need to accept is precious few.
Like it or not, this "attack" is just another case of Apple's defences working perfectly, for the vast majority of users. As soon as you read between the shouty headlines and smug panic mongering, the truth of the matter is quite apparent - unless you deliberately and knowingly chose to install software from outside the App Store, your phone is perfectly safe. Nothing has been bypassed here, there is no exploit, no weakness in iOS, the only problem is users being tricked into doing something stupid. The only possible "fix" for that, making it harder for them to do that stupid thing, has already been enacted in iOS 9 - an update which, in stark contrast to other mobile platforms, has already been pushed directly to those same users.
But it's ok, you keep on bleating about every tabloid headline you read, ignore the crucial facts in these stories, and then call the other guys sheep...
You know what? Apple has always been a target. Certainly since the first iPhone launched, they've had a significant user base which is extremely attractive to the malware vendors.
Couldn't have said it better myself. The very fact that the kit is expensive is a self-select for criminals because it means there is money to be had, and the volume is big enough to make it worth it. I suspect Apple knows this too - getting it relatively safe is quite an investment to make.
one has to look elsewhere to find an official response...
"This issue only impacts users on older versions of iOS who have also downloaded malware from untrusted sources. We addressed this specific issue in iOS 8.4 and we have also blocked the identified apps that distribute this malware. We encourage customers to stay current with the latest version of iOS for the latest security updates. We also encourage them to only download from trusted sources like the App Store and pay attention to any warnings as they download apps."
Apple announced yesterday that all versions of iOS since the update to iOS 8.4 which was released on June 30, 2015 are immune to YiSpecter. The immune versions include all devices with iOS 8.4.1, iOS 9, 9.0.1, and iOS 9.0.2 installed. . . so if you are a user with those iOS versions installed, there is nothing to worry about.
To get infected you have to be using an iPhone or iPad using a version of iOS 8.3 or older and then download an app from a NON-Authorized source (an un-authorized App Store or website), ignoring the warnings, and allow it to install. These are basically side-loaded using Enterprise Business Certificated apps which were intended to allow businesses to install and update their private proprietary apps on employees' devices.
This is something that has been a practice and a problem in China for a number of years and has fostered a number of third-party unauthorized app stores selling un-authorized apps, mostly to jailbroken iPhones using borrowed or stolen Enterprise certificates. Last year almost 65% of the apps on these stores had some kind of malware associated with them. . . These side-load stores were also the source of the over 4000 XcodeGhost apps that were falsely attributed to being in the Chinese Apple Store when there were actually fewer than fifty.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
