YiSpecter Malware Hits Non-jailbroken iPhones in China, Taiwan


iPhone and iPad users have yet another security threat to deal with, called YiSpecter, that targets jailbroken and non-jailbroken phones alike. Turns out it's been in the wild since November 2014, but don't get too worried because there's a good chance you haven't been infected.

YiSpecter malware targets jailbroken and non-jailbroken iOS devices

Palo Alto Networks, the security research company that discovered the threat, had this to say:

YiSpecter is different from previously seen iOS malware in that it attacks both jailbroken and non-jailbroken iOS devices through unique and harmful malicious behaviors. Specifically, it's the first malware we've seen in the wild that abuses private APIs in the iOS system to implement malicious functionalities.

This isn't the first malware threat to target non-jailbroken devices. WireLurker cropped up about a year ago, and while it took advantage of enterprise provisioning, it relied on your Mac to deliver its payload. Apple responded to that threat quickly by shutting down the apps that could be used as installers.

While YiSpecter sounds pretty serious—it attacks jailbroken and non-jailbroken iOS devices, has been in the wild for nearly a year, it reappears even after deleting, forces full-screen ads to display, takes advantage of private APIs, and uploads your device information to the hacker's servers—it isn't something that shows up on iPhones without intentional user action.

According to Palo Alto Networks, YiSpecter uses enterprise certificates to install, which means unless you intentionally authorize the malware to install, it isn't going to happen. Installing enterprise certified apps forces a dialog to appear asking if you want to trust the developer, and as long as you decline, the apps can't install. You're also finding the apps outside of Apple's App Store, which should be a big red warning flag that something is wrong.

So far, YiSpecter has been limited mostly to China and Taiwan, which is good news for iPhone and iPad owners in other countries. That said, YiSpecter has some interesting traits that could show up in future malware threats that go beyond China and Taiwan. 

The good news is that Apple already addressed the vulnerabilities that YiSpecter could use to hijack victims' iPhones and iPads with the release of iOS 8.4 in June. Those same security fixes are in iOS 9, too, so anyone keeping current on their updates will be safe from YiSpecter.

In a statement to The Loop, an Apple spokesperson said, "This issue only impacts users on older versions of iOS who have also downloaded malware from untrusted sources. We addressed this specific issue in iOS 8.4 and we have also blocked the identified apps that distribute this malware."

In other words, if you're staying up to date on iOS releases and don't install apps outside of the App Store you should be safe. That, it turns out, is good advice for all iPhone, iPad, and iPod touch users.

The Mac Observer Spin

Never trust pop-ups that ask you to install software outside of the App Store. YiSpecter is a perfect example of what can happen when you do.


According to Apple the fix was implemented in iOS 8.4


NM I just noticed the paragraph that mentions this.

Bart B

Thankfully people clicking “continue” on the unknown developer warning will soon be a thing of the past - iOS9 removes the continue button!

You’ll have to intentionally install an enterprise provisioning profile before an enterprise app will run, so that should nip this kind of malware in the bud.

