Slashdot Mirror


Advertising Malware Affects Non-Jailbroken iOS Devices

An anonymous reader writes: Malware called YiSpecter is infecting iOS devices belonging to Chinese and Taiwanese users, and is the first piece of malware that successfully targets both jailbroken and non-jailbroken devices, Palo Alto Networks researchers warn. What's more, the techniques it uses for hiding are making it difficult to squash the infection. YiSpecter's malicious apps were signed with three iOS enterprise certificates issued by Apple so that they can be installed as enterprise apps on non-jailbroken iOS devices via in-house distribution. Through this kind of distribution, an iOS app can bypass Apple's strict code review procedures and can invoke iOS private APIs to perform sensitive operations.

37 of 69 comments

  1. Opening Ceremonies by eedwardsjr · · Score: 2, Insightful

    Let the griping begin. Queue the fanboys from both sides.

    1. Re:Opening Ceremonies by Anonymous Coward · · Score: 1

      Also, cue the drooling morons who don't know the difference between "queue" and "cue."

    2. Re:Opening Ceremonies by EXrider · · Score: 3, Interesting

      I thought the same thing, until I RTFA and realized that the attack vector (there isn't one really) wasn't through ads. You have to be tricked into installing some sketchy 3rd party Enterprise app distribution certificate before you can install the malware on your non-jailbroken device. Play stupid games, win stupid prizes.

      --
      grep -iw skynet /etc/services

    3. Re:Opening Ceremonies by macs4all · · Score: 1

      Also, cue the drooling morons who don't know the difference between "queue" and "cue."

      Well, you can CUE someone to stand in a QUEUE; so, it is POSSIBLE that the person meant that there would be a line of posters waiting to post on the subject...

    4. Re:Opening Ceremonies by amicusNYCL · · Score: 1

      I understand that. But what are the people who are abusing this technology doing? They're showing ads. Like any other technology that comes along, sure enough there's an advertiser trying to use it to show people stuff that they don't want to see. This is the reason why we need ad-blockers, and it's something that advertisers arguing against blocking don't seem to want to admit.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black

    5. Re:Opening Ceremonies by BasilBrush · · Score: 1

      The sentence wouldn't be formed that way.

    6. Re:Opening Ceremonies by macs4all · · Score: 1

      The sentence wouldn't be formed that way.

      C'mon, lighten up! I mean, if a song can have the lyric "Outside in the cold distance, a wildcat did growl;" then I submit that I should be allowed the construction I used, too. Especially on the spur of the moment!

  2. Not really a flaw... by rgbscan · · Score: 5, Informative

    So this doesn't work for apps downloaded from the iOS app store. For the vulnerability to work, you first have to download and install an Enterprise certificate, then you have to download and install an infected app from a specific third party website signed with that Enterprise certificate. This isn't really a vulnerability, this is the specific application path for installing custom enterprise apps at your private business. Don't go around installing unknown junk and you'll be fine.

    1. Re: Not really a flaw... by Anonymous Coward · · Score: 1

      Where on earth did you get that idea from what GP said?

    2. Re: Not really a flaw... by Anonymous Coward · · Score: 1

      He's a troll. Everybody who argues for Microsoft products on Slashdot is a troll. Even if Windows is miles better than Loonix or OS X "El Crapitan".

      As somebody who sees the truth, you either have to live with the extremely biased modder situation on this stupid site, or leave it forever.

    3. Re: Not really a flaw... by Anonymous Coward · · Score: 1, Insightful

      The app was "signed" and it didn't matter. Malware leaked in. Apple's method of securing appspace for the enterprise failed.

    4. Re: Not really a flaw... by Anonymous Coward · · Score: 1

      As someone who develops iOS apps for an enterprise, I agree with this. Distributing/maintaining enterprise apps for iOS is kind of painful. The things that make it painful are the things that make it safer for the end user, so you can't really come to this guy's conclusion from the article.

    5. Re:Not really a flaw... by UnknowingFool · · Score: 1

      It is a vulnerability; it is one that may not hit everyone. It also seems to require the user interaction to actively install the malware unlike other malware which can be installed by visiting a website, etc.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.

    6. Re: Not really a flaw... by tlhIngan · · Score: 5, Informative

      Apple's method of securing appspace for the enterprise failed.

      Actually, this is by design.

      One of the reasons for having the Enterprise certificate is to distribute apps without Apple approval. Because Apple can't really test, and enterprises really don't want to go through the hassle of having every line of business app approved.

      So Apple always has offered an "out" - a way to get non-Apple-approved apps onto devices. Apple calls it their Enterprise program, where you buy a $500 (yearly) certificate from Apple, and that will let you self-sign apps and install them on devices that install the appropriate provisioning file.

      So first, the provisioning file is installed (which also lets enterprises set key rules like lock screen password or PIN security and other policies). Then you can install apps signed by the same certificate.

      It's not a big surprise that malware authors would use it, but for most normal users, such certificates often come by if you want to use pirated apps (there are plenty of sites out there selling you "re-signing" services for like $25 a year - they will sign cracked apps for you to install on your device).

      In short, to install this malware - 1) You need to install the mobile provisioning certificate - a web page cannot do it, as the user must tap "OK" to actually install it. A user can list and view such provisioning certificates at will. They self-expire after a year.

      2) You need to download the affected app, that's signed with the same certificate as the provisioning file. (So one company's apps cannot be installed via some other company's certificate).

      3) The certificate hasn't been revoked.

      The enterprise system is working exactly as designed.
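The three conditions listed above, plus the profile expiry and the iOS 9 "trust in Settings" step mentioned further down the thread, can be written out as a small policy check. This is an added illustration, not code from the comment or from Apple; the data model, function names and sample team IDs are assumptions for illustration only.

```python
"""Model of the iOS enterprise (in-house) install path described above.

Added example: a simplified policy check, not Apple's implementation.
Team IDs, profile data and the Device/SignedApp types are constructed.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class ProvisioningProfile:
    team_id: str            # team whose enterprise certificate issued it
    expires: date           # profiles self-expire (about a year, per the comment)
    user_trusted: bool = False  # iOS 9+: user must mark the developer trusted


@dataclass
class SignedApp:
    bundle_id: str
    team_id: str            # team whose enterprise certificate signed the app


@dataclass
class Device:
    ios_version: tuple      # e.g. (8, 4); compared as a tuple
    profiles: dict = field(default_factory=dict)  # team_id -> ProvisioningProfile


def can_run_enterprise_app(device, app, revoked_team_ids, today):
    """Return (allowed, reason) for launching an enterprise-signed app.

    Mirrors the steps in the comment: a profile must have been installed
    by the user (1), the app must be signed by the same team as that
    profile (2), and the certificate must not be revoked (3).  Expiry and
    the iOS 9 trust prompt are the two extra gates the thread mentions.
    """
    profile = device.profiles.get(app.team_id)
    if profile is None:                      # step 1 / step 2: no matching profile
        return False, "no provisioning profile for the signing team"
    if profile.expires < today:              # profiles self-expire
        return False, "provisioning profile expired"
    if app.team_id in revoked_team_ids:      # step 3: Apple added the cert to its CRL
        return False, "enterprise certificate revoked"
    if device.ios_version >= (9, 0) and not profile.user_trusted:
        return False, "iOS 9: developer not yet trusted in Settings"
    return True, "allowed"


# Constructed sample: one device that has installed TEAM_A's profile.
TODAY = date(2015, 10, 6)
DEVICE = Device((8, 4), {"TEAM_A": ProvisioningProfile("TEAM_A", date(2016, 6, 1))})
REVOKED = {"TEAM_REVOKED"}

if __name__ == "__main__":
    for app in (SignedApp("com.example.lob", "TEAM_A"),
                SignedApp("com.example.other", "TEAM_B")):
        print(app.bundle_id, can_run_enterprise_app(DEVICE, app, REVOKED, TODAY))
```

Once the signing team is added to the revoked set, every app it signed is refused on the next check, which is the revocation outcome several later comments ask for.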

    7. Re: Not really a flaw... by Threni · · Score: 1

      Same as Android malware then!

    8. Re: Not really a flaw... by macs4all · · Score: 2

      How is this even news?

      Because haters gotta hate, and Ol' Slashdot needs the Clicks.

      Next question?

    9. Re:Not really a flaw... by Plumpaquatsch · · Score: 1

      It is a vulnerability; it is one that may not hit everyone.

      Well, yeah. It's a vulnerability that affects all OSes, because VEBTSAC.

      --
      Of course news about a fake are Fake News.

    10. Re: Not really a flaw... by Karlt1 · · Score: 2

      In short, to install this malware - 1) You need to install the mobile provisioning certificate - a web page cannot do it, as the user must tap "OK" to actually install it. A user can list and view such provisioning certificates at will. They self-expire after a year.

      It's even harder to accidentally install enterprise certificates in iOS 9.

      http://researchcenter.paloalto...

      "(As noted above, the new iOS 9 requires users to manually set related provisioning profile as trusted in Settings before they can install Enterprise provisioned apps. This new feature is also helpful for preventing some security incidents caused by abusing enterprise certificates.)"

      Any device that is compatible with iOS 8 is also compatible with iOS 9.

    11. Re:Not really a flaw... by Anubis+IV · · Score: 1

      Exactly. Apple has released an official response to the issue already as well:

      This issue only impacts users on older versions of iOS who have also downloaded malware from untrusted sources. We addressed this specific issue in iOS 8.4 and we have also blocked the identified apps that distribute this malware. We encourage customers to stay current with the latest version of iOS for the latest security updates. We also encourage them to only download from trusted sources like the App Store and pay attention to any warnings as they download apps.

      So, basically, to be impacted by this, a user would have avoided the freely available OS updates for the last four months (despite the OS prompting them to update periodically), opted-in to trusting an enterprise certificate that isn't associated with where they work (despite the OS' dire warnings about trusting enterprise certificates in general), and would have then needed to separately download the untrustworthy apps (again, despite the OS' warnings). And even if they managed to do all of that, Apple is now saving their collective butts by revoking the certs for the apps.

      It's hard to even make the case that older devices may be significantly affected by this, since the latest iOS device that can't run iOS 9 (and by extension, iOS 8.4) was released way back in late 2010.

  3. Revoke the certificate by sjbe · · Score: 4, Insightful

    YiSpecter's malicious apps were signed with three iOS enterprise certificates issued by Apple so that they can be installed as enterprise apps on non-jailbroken iOS devices via in-house distribution.

    So Apple should revoke the certificate. Why is this a problem? What makes this newsworthy? What am I missing?

    It should surprise nobody that malware makers find security holes. Apple is no exception. But the entire point of certificates is that they can be revoked in the event there is a problem. Revoke the certificate which should then disable the app. If it doesn't work this way then something is wrong and the certificate is pointless.

    1. Re:Revoke the certificate by aslagle · · Score: 4, Informative

      So Apple should revoke the certificate. Why is this a problem? What makes this newsworthy? What am I missing?

      That even though this is still just someone running an untrusted binary, let's put that it affects unjailbroken iPhones so people who just read the title will be scared and move to Android?

    2. Re:Revoke the certificate by BigBuckHunter · · Score: 1

      I wholeheartedly agree with the certificate revocation solution. I would take it a step further and charge penalties to the enterprises whose compromised certificate was used to sign the app. Make Beijing Yingmob Interaction Technology Co., Ltd. Pay for the mess.

      Also note that iOS 9 requires the user to authorize the installation.

    3. Re:Revoke the certificate by Coditor · · Score: 1

      Also in iOS 9 you have to approve running an app the first time signed with an Enterprise cert.

    4. Re:Revoke the certificate by cant_get_a_good_nick · · Score: 1

      I didn't see, where did the certificate come from in the first place?

    5. Re:Revoke the certificate by radarskiy · · Score: 1

      "You know how many threads there are defending / promoting the notion that i devices are impervious to malware / viruses?"

      None. It is a strawman invoked here on /. only by Apple detractors.

    6. Re:Revoke the certificate by macs4all · · Score: 1

      You know how many threads there are defending / promoting the notion that i devices are impervious to malware / viruses?

      ...of which, 99% of them are sarcastic allusions to that "Assertion" posted by Apple Haters, NOT by Apple Users.

      Prove me wrong.

    7. Re:Revoke the certificate by BigBuckHunter · · Score: 1

      Why did you even mention "user to authorize the installation"? That has not been an acceptable excuse for those platforms, why change now?

      The user needs to authorize the installation (of an enterprise certificate into the iOS device's certificate trust store). I mention it because the article mentions it, and it is pretty much counter to what the Slashdot summary implies.

      It almost looks like everyone's so hot for a real exploit that these 'rogue certified applications' and their developers are getting overblown.

      Ultimately, the solution is all the same. Apple adds the rogue cert(s) to their CRL. Done.

    8. Re:Revoke the certificate by Rosyna · · Score: 1

      They were revoked quite a while ago. The malware hails from 2014.

  4. Re:The walls of the garden are not high enough! by Dunbal · · Score: 1

    You're praying to me wrong --- Steve J

    --
    Seven puppies were harmed during the making of this post.

  5. Jailbreak == security vulnerability by zarmanto · · Score: 4, Insightful

    Every now and then, I read a comment from someone about how Apple must "hate" the jailbreakers, because they keep closing off the flaws which make jailbreaks possible. The reality -- as effectively demonstrated in this instance -- is that the flaws which allow jailbreaks also just happen to open your phone up to malware. Apple is far more concerned with what a malicious entity might do to their customer base through these flaws than with what the jailbreakers are doing to their own phones. Would that more people understood this.

    1. Re:Jailbreak == security vulnerability by macs4all · · Score: 1

      Every now and then, I read a comment from someone about how Apple must "hate" the jailbreakers, because they keep closing off the flaws which make jailbreaks possible. The reality -- as effectively demonstrated in this instance -- is that the flaws which allow jailbreaks also just happen to open your phone up to malware. Apple is far more concerned with what a malicious entity might do to their customer base through these flaws than with what the jailbreakers are doing to their own phones. Would that more people understood this.

      Precisely!

    2. Re:Jailbreak == security vulnerability by mattventura · · Score: 1

      Except this particular vulnerability has precisely nothing to do with jailbreaking. To the contrary, it's a flaw with Apple's own way for enterprise customers to install unapproved apps. They hate jailbreaking because it's a stepping stone to enabling piracy (thus slightly reducing app store revenue and causing app publishers to start breathing down their neck), a stepping stone to enabling non-carrier-sanctioned tethering (thus making carriers breathe down their neck), and other things that all either reduce Apple's profit or reduce someone else's profit, causing them to complain to Apple. It's basically the same reasons a game console manufacturer doesn't want people cracking their console.

    3. Re:Jailbreak == security vulnerability by zarmanto · · Score: 1

      Except this particular vulnerability has precisely nothing to do with jailbreaking. To the contrary, it's a flaw with Apple's own way for enterprise customers to install unapproved apps. ...

      While your first sentence is reasonable, (but strictly speaking, does not actually negate anything I said, aside from implying a minimization of the relevancy of my comment) your second sentence is technically incorrect: The enterprise certs are working exactly as they were intended. The real issue is that a malicious entity happened to obtain access to such certs. So the questions are: How did they obtain the certs? And how can Apple prevent future compromises of this nature?

      If we apply Hanlon's Razor, I'd think it's a pretty good bet that the malicious entity simply signed up for the developer program, themselves. Thus, the easiest way that Apple could stop that from happening in the future is to increase developer fees, which would unfortunately also have the negative side effect of locking out smaller iOS developers entirely. Finding the threshold at which malicious entity interest is minimized, while also minimizing the discouragement of legitimate small developers, is obviously a calculated balancing act... but will never be entirely foolproof. The fact that this kind of malicious act has only been reported this once suggests that Apple has a pretty clear idea of what they're doing.

      In any case, it seems pretty clear that Apple has already revoked the certs and suspended the developer account in question, so this particular hack is effectively in the clean-up phase now.

      (The rest of your response just sounds to me like the usual soapbox "Apple bad! Big business bad! They're all out to get the little guy!" commentary, so I seriously doubt that anything I could say is going to dissuade you from your point of view. Suffice to say, we'll just have to agree to disagree.)

  6. Re:A certificate that isn't used is pointless by BigBuckHunter · · Score: 2

    Doesn't matter. If there is a security flaw where a certificate has been compromised, then the only correct response is to revoke the certificate. Yes, this could be highly inconvenient, but the danger of not revoking the certificate and disabling the vulnerability is worse. A certificate that isn't revoked when necessary is worse than useless. If the danger does not justify a certificate, then what is the point of issuing one in the first place?

    Indeed. In this case, it appears that the owner of the certificate (Yingmob Interaction Technology Co) is the author of the malware. Apple will likely revoke the certificate, revoke their developer credentials, blacklist/flag the developers that are on the corporate account, and seek civil penalties.

    If the cert belonged to a big enterprise company like HP/IBM, you're still absolutely correct. Apple would revoke the certificate, and HP/IBM would thank them and apologize for their ineptitude at keeping their PrivKey safe.

  7. And fixed in recent iOS versions ... by perpenso · · Score: 1

    And the exploit the malware used was fixed in iOS 8.4 or later.

  8. Enterprise users who get patches are just fine by perpenso · · Score: 2

    In other words, Apple products are not well designed for use in the enterprise market.

    Actually if you have a somewhat recent update, iOS 8.4 or 9.0 then the exploit is fixed. So enterprise users who get patches are just fine.

    1. Re:Enterprise users who get patches are just fine by Rosyna · · Score: 2

      To elaborate, iOS 8.3 fixed the silent install issue, iOS 8.4 fixed the other issues, iOS 9 made it significantly more difficult to trick people into approving enterprise certificates.