Follow Nikias Bassen (@pimskeks)
An enterprise security vendor, Palo Alto Networks, followed up on a threat discovered by Cheetah Mobile and Qihoo360, and identified a malware spreading through social media and other channels. This malware, named YiSpecter, is abusing enterprise code signing to trick the user into installing a malicious app. Following Zimperium’s investigation, we have not observed any ‘never-seen-before’ tricks in this malware and the main infection point is through social engineering. In the original blog by PAN it appears that ISPs are helping to spread out this malware – we could not verify this claim at this time.
The YiSpecter is abusing a signed enterprise certificate of “Beijing Yingmob Interaction Technology Co., ltd.” to deploy the malware, which is not part of the official iOS store.
At Zimperium zLabs, we created a command line tool for OSX and Windows to remove any known instances of YiSpecter. You can download the tool for free here:
To use the tool plug your infected iOS device and simply execute it from the terminal:
zYiRemoval will enumerate all connected devices and perform the administrative actions to remove malicious apps and profiles planted by YiSpecter.
It is advised to take the following steps to ensure that you are not impacted by YiSpecter:
Upgrade to iOS 9.0.2 as soon as possible.
If you were impacted by zYiSpecter, use zYiRemoval to uninstall the following profiles / apps, or perform this steps manually.
Uninstall any of the following profiles:
- “Changzhou Wangyi Information Technology Co., Ltd.”
- “Baiwochuangxiang Technology Co., Ltd.”
- Beijing Yingmob Interaction Technology Co., ltd.
If you any of the apps below installed on your device, delete them:
- HYQvod (bundle id: weiying.Wvod)
- DaPian (bundle id: weiying.DaPian)
- NoIcon (bundle id: com.weiying.hiddenIconLaunch)
NoIcon silently installs two additional malicious apps “ADPage” and “NoIconUpdate”.
- ADPage (bundle id: com.weiying.ad)
- NoIconUpdate (bundle id: com.weiying.noiconupdate)
Do not install profiles from unknown developers – be extra careful when typing your pin-code: iOS asks you to type your pincode before installing new profiles.
According to the original analysis, YiSpecter uses these subdomains:
- iosnoico [dot] bb800 [dot] com: used to upload information, download configs and commands, download – currently responds to: 220.127.116.11
- qvod [dot] bb800 [dot] com: used to download main app – 18.104.22.168
- qvios [dot] od [dot] bb800 [dot] com: used to download main app – 22.214.171.124
- dp [dot] bb800 [dot] com: used to download promoted iOS apps – 126.96.36.199
- iosads [dot] cdn [dot] bb800 [dot] com: used to download promoted iOS apps and malicious components – 188.8.131.52
We are currently in the process of notifying all of our customers if any instance of YiSpecter is found and we are taking action to ensure that our enterprise customers are protected.
Samples of YiSpecter from the original analysis:
Samples in VirusTotal