Slashdot Mirror

← Back to Stories (view on slashdot.org)

Advertising Malware Affects Non-Jailbroken iOS Devices

Posted by Soulskill on from the there's-an-app-for-that dept.

An anonymous reader writes: Malware called YiSpecter is infecting iOS devices belonging to Chinese and Taiwanese users, and is the first piece of malware that successfully targets both jailbroken and non-jailbroken devices, Palo Alto Networks researchers warn. What's more, the techniques it uses for hiding are making it difficult to squash the infection. YiSpecter's malicious apps were signed with three iOS enterprise certificates issued by Apple so that they can be installed as enterprise apps on non-jailbroken iOS devices via in-house distribution. Through this kind of distribution, an iOS app can bypass Apple's strict code review procedures and can invoke iOS private APIs to perform sensitive operations.

3 of 69 comments (clear)

  1. Not really a flaw... by rgbscan · · Score: 5, Informative

    So this doesn't work for apps downloaded from the iOS app store. For the vulnerability to work, you first have to download and install an Enterprise certificate, then you have to download and install an infected app from a specific third party website signed with that Enterprise certificate. This isn't really a vulnerability, this is the specific application path for installing custom enterprise apps at your private business. Don't go around installing unknown junk and you'll be fine.

    1. Re: Not really a flaw... by tlhIngan · · Score: 5, Informative

      Apple's method of securing appspace for the enterprise failed.

      Actually, this is by design

      One of the reasons for having the Enterprise certificate is to distribute apps without Apple approval. Because Apple can't really test, and enterprises really don't want to go through the hassle of having every line of business app approved.

      So Apple always has offered an "out" - a way to get non-Apple-approved apps onto devices. Apple calls it their Enterprise program, where you guy a $500 (yearly) certificate from Apple, and that will let you self-sign apps and install them on devices that install the appropriate provisioning file.

      So first, the provisioning file is installed (which also lets enterprises set key rules like lock screen password or PIN security and other policies). Then you can install apps signed by the same certificate.

      It's not a big surprise that malware authors would use it, but for most normal users, such certificates often come by if you want to use pirated apps (there are plenty of sites out there selling you "re-signing" services for like $25 a year - they will sign cracked apps for you to install on your device).

      In short, to install this malware - 1) You need to install the mobile provisioning certificate - a web page cannot do it, as the user must tap "OK" to actually install it. A user can list and view such provisioning certificates at will. They self-expire after a year.

      2) You need to download the affected app, that's signed with the same certificate as the provisioning file. (So one company's apps cannot be installed via some other company's certificate).

      3) The certificate hasn't been revoked.

      The enterprise system is working exactly as designed

  2. Re:Revoke the certificate by aslagle · · Score: 4, Informative

    So Apple should revoke the certificate. Why is this a problem? What makes this newsworthy? What am I missing?

    That even though this is still just someone running an untrusted binary, let's put that it affects unjailbroken iphones so people who just read the title will be scared and move to android?