For almost a year, Chinese hackers have leveraged a novel one-two punch to compromise iOS devices, including non-jailbroken iPhones, then seed them with adware, a security company said today.
The malware, dubbed "YiSpecter," was written in China by Chinese hackers, and whatever on-screen text it displayed was in Chinese, said Ryan Olson, director of the Unit 42 threat intelligence unit at Santa Clara, Calif.-based Palo Alto Networks, in an interview. The malware was distributed almost exclusively in the People's Republic of China (PRC) and Taiwan.
Palo Alto's Claud Xiao was the prime researcher behind the discovery of YiSpecter's capabilities. Xiao has been on a roll of late: He was also a driver behind the analysis of XcodeGhost, another adware campaign that used a different-but-just-as-unusual infection vector.
YiSpecter demonstrated what security experts had only posed in theory: iOS was open to attacks that not only circumvented Apple's vetting of apps, but could use undocumented and Apple-only APIs (application programming interfaces) to hide on an iPhone, masquerade as trusted apps, and hijack Safari and other apps to display unauthorized ads.
The malware exploited Apple's enterprise app distribution process, which was designed so that businesses could craft their own iOS apps, then dispense them to workers without having to go through Apple's approval process and stocking them on the public App Store.
Instead, enterprises are allowed to sign their apps with digital certificates that verify their identity -- the specific company, for instance -- which the device checks before allowing installation. Apple issues those certificates.
Criminals have been using the enterprise distribution end-around for more than a year with purloined or falsely obtained certificates, said Olson, notably in 2014's Wirelurker, which targeted both iOS and OS X devices.
What's unique about YiSpecter, said Olson, was that it paired the enterprise certificate tactic with one previously discussed only by academics.
The hackers abused what's called "private APIs" to add functionality to their malware.
Private APIs are those Apple keeps close to its vest. "They're inside iOS, but used only by Apple for its [own] apps, or APIs that are not ready for public use, or are actually called by a public API," explained Olson. In the latter case, the private API does the "heavy lifting," he added. "That prevents people from using the [private API]."
Private APIs are discoverable through a variety of techniques, and often don't stay secret for long -- particularly those that Apple has added to the iOS framework but hasn't yet released for public developer use.