Slashdot Mirror


Advertising Malware Affects Non-Jailbroken iOS Devices

An anonymous reader writes: Malware called YiSpecter is infecting iOS devices belonging to Chinese and Taiwanese users, and is the first piece of malware that successfully targets both jailbroken and non-jailbroken devices, Palo Alto Networks researchers warn. What's more, the techniques it uses for hiding are making it difficult to squash the infection. YiSpecter's malicious apps were signed with three iOS enterprise certificates issued by Apple so that they can be installed as enterprise apps on non-jailbroken iOS devices via in-house distribution. Through this kind of distribution, an iOS app can bypass Apple's strict code review procedures and can invoke iOS private APIs to perform sensitive operations.


  1. Opening Ceremonies by eedwardsjr · · Score: 2, Insightful

    Let the griping begin. Cue the fanboys from both sides.

    1. Re:Opening Ceremonies by EXrider · · Score: 3, Interesting

      I thought the same thing, until I RTFA and realized that the attack vector (there isn't one really) wasn't through ads. You have to be tricked into installing some sketchy 3rd party Enterprise app distribution certificate before you can install the malware on your non-jailbroken device. Play stupid games, win stupid prizes.

      --
      grep -iw skynet /etc/services
  2. Not really a flaw... by rgbscan · · Score: 5, Informative

    So this doesn't work for apps downloaded from the iOS app store. For the vulnerability to work, you first have to download and install an Enterprise certificate, then you have to download and install an infected app from a specific third party website signed with that Enterprise certificate. This isn't really a vulnerability, this is the specific application path for installing custom enterprise apps at your private business. Don't go around installing unknown junk and you'll be fine.

    1. Re: Not really a flaw... by tlhIngan · · Score: 5, Informative

      Apple's method of securing appspace for the enterprise failed.

      Actually, this is by design.

      One of the reasons for having the Enterprise certificate is to distribute apps without Apple approval. Because Apple can't really test, and enterprises really don't want to go through the hassle of having every line of business app approved.

      So Apple always has offered an "out" - a way to get non-Apple-approved apps onto devices. Apple calls it their Enterprise program, where you buy a $500 (yearly) certificate from Apple, and that will let you self-sign apps and install them on devices that install the appropriate provisioning file.

      So first, the provisioning file is installed (which also lets enterprises set key rules like lock screen password or PIN security and other policies). Then you can install apps signed by the same certificate.

      It's not a big surprise that malware authors would use it, but for most normal users, such certificates often come by if you want to use pirated apps (there are plenty of sites out there selling you "re-signing" services for like $25 a year - they will sign cracked apps for you to install on your device).

      In short, to install this malware - 1) You need to install the mobile provisioning certificate - a web page cannot do it, as the user must tap "OK" to actually install it. A user can list and view such provisioning certificates at will. They self-expire after a year.

      2) You need to download the affected app, that's signed with the same certificate as the provisioning file. (So one company's apps cannot be installed via some other company's certificate).

      3) The certificate hasn't been revoked.

      The enterprise system is working exactly as designed.
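The three conditions listed in the comment above (provisioning profile installed and not expired, app signed by the same team as the profile, certificate not revoked) can be checked against the actual contents of a `.mobileprovision` file. The following is an added example, not code from the article, from Palo Alto Networks or from any commenter: it pulls the embedded plist out of a profile blob, summarises the fields an administrator would audit (in-house `ProvisionsAllDevices` flag, team ID, expiry, number of embedded certificates) and then applies the three rules to a hypothetical app. The sample profile bytes are constructed, the team IDs are made up, and `revoked_teams` is a stand-in local list rather than Apple's real revocation mechanism.

```python
import plistlib
import re
from datetime import datetime, timezone

# A real .mobileprovision is a CMS (PKCS#7) signed blob whose payload is an
# XML plist stored in the clear, so the plist can be located by its tags
# without decoding the DER envelope. This does NOT verify Apple's signature
# over the profile; on macOS `security cms -D -i profile.mobileprovision`
# gives a signature-checked dump.
_PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_profile(blob: bytes) -> dict:
    """Return the plist dictionary embedded in a provisioning profile blob."""
    m = _PLIST_RE.search(blob)
    if m is None:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(m.group(0))


def audit_profile(info: dict, now: datetime) -> dict:
    """Summarise the facts an administrator cares about for one profile."""
    expires = info.get("ExpirationDate")
    if expires is not None and expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)  # plistlib dates are naive UTC
    return {
        "name": info.get("Name"),
        "team_ids": list(info.get("TeamIdentifier", [])),
        "team_name": info.get("TeamName"),
        # In-house (enterprise) profiles carry ProvisionsAllDevices=True;
        # ad-hoc and development profiles list specific device UDIDs instead.
        "enterprise": bool(info.get("ProvisionsAllDevices", False)),
        "device_count": len(info.get("ProvisionedDevices", [])),
        "cert_count": len(info.get("DeveloperCertificates", [])),
        "expired": expires is not None and expires <= now,
        "expires": expires,
        "app_id": info.get("Entitlements", {}).get("application-identifier"),
    }


def app_allowed_by_profile(app_team_id: str, profile: dict,
                           now: datetime, revoked_teams: set) -> tuple:
    """Apply the three conditions from the comment: profile present and not
    expired, app signed by the same team as the profile, certificate not
    revoked. `revoked_teams` is a hypothetical local revocation list."""
    summary = audit_profile(profile, now)
    if summary["expired"]:
        return False, "profile expired"
    if app_team_id not in summary["team_ids"]:
        return False, "app signed by a different team than the profile"
    if app_team_id in revoked_teams:
        return False, "signing certificate revoked"
    return True, "allowed"


# Constructed sample (not a real Apple-issued profile): an in-house
# distribution profile for a made-up team "ABCDE12345", expiring in 2016.
SAMPLE_PLIST = {
    "Name": "Example In-House Distribution",
    "TeamName": "Example Corp (constructed)",
    "TeamIdentifier": ["ABCDE12345"],
    "AppIDName": "Example Wildcard",
    "ProvisionsAllDevices": True,
    "CreationDate": datetime(2015, 10, 1, 0, 0, 0),
    "ExpirationDate": datetime(2016, 10, 1, 0, 0, 0),
    "DeveloperCertificates": [b"\x30\x82\x00\x00-placeholder-der-cert"],
    "Entitlements": {"application-identifier": "ABCDE12345.*",
                     "get-task-allow": False},
    "UUID": "00000000-0000-0000-0000-000000000000",
}
# Fake DER header/trailer bytes around the plist, mimicking the CMS wrapper.
SAMPLE_BLOB = b"\x30\x82\x0a\xff" + plistlib.dumps(SAMPLE_PLIST) + b"\x00\x00"


def demo() -> dict:
    """Run the audit and the allow/deny rules over the constructed profile."""
    profile = extract_profile(SAMPLE_BLOB)
    before = datetime(2015, 10, 5, tzinfo=timezone.utc)   # within validity
    after = datetime(2016, 10, 2, tzinfo=timezone.utc)    # past expiry
    return {
        "audit": audit_profile(profile, before),
        "same_team_ok": app_allowed_by_profile("ABCDE12345", profile, before, set()),
        "other_team": app_allowed_by_profile("ZZZZZ99999", profile, before, set()),
        "revoked": app_allowed_by_profile("ABCDE12345", profile, before, {"ABCDE12345"}),
        "expired": app_allowed_by_profile("ABCDE12345", profile, after, set()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Pointing `extract_profile` at a real profile pulled from a device or an MDM export gives the same summary; the `enterprise` flag plus an unfamiliar `team_name` is exactly the combination that a fleet administrator would want flagged, since it means any app signed by that team can be installed on every device carrying the profile.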

    2. Re: Not really a flaw... by macs4all · · Score: 2

      How is this even news?

      Because haters gotta hate, and Ol' Slashdot needs the Clicks.

      Next question?

    3. Re: Not really a flaw... by Karlt1 · · Score: 2

      In short, to install this malware - 1) You need to install the mobile provisioning certificate - a web page cannot do it, as the user must tap "OK" to actually install it. A user can list and view such provisioning certificates at will. They self-expire after a year.

      It's even harder to accidentally install enterprise certificates in iOS 9.

      http://researchcenter.paloalto...

      "(As noted above, the new iOS 9 requires users to manually set related provisioning profile as trusted in Settings before they can install Enterprise provisioned apps. This new feature is also helpful for preventing some security incidents caused by abusing enterprise certificates.)"

      Any device that is compatible with iOS 8 is also compatible with iOS 9.

  3. Revoke the certificate by sjbe · · Score: 4, Insightful

    YiSpecter's malicious apps were signed with three iOS enterprise certificates issued by Apple so that they can be installed as enterprise apps on non-jailbroken iOS devices via in-house distribution.

    So Apple should revoke the certificate. Why is this a problem? What makes this newsworthy? What am I missing?

    It should surprise nobody that malware makers find security holes. Apple is no exception. But the entire point of certificates is that they can be revoked in the event there is a problem. Revoke the certificate which should then disable the app. If it doesn't work this way then something is wrong and the certificate is pointless.

    1. Re:Revoke the certificate by aslagle · · Score: 4, Informative

      So Apple should revoke the certificate. Why is this a problem? What makes this newsworthy? What am I missing?

      That even though this is still just someone running an untrusted binary, let's put that it affects unjailbroken iPhones so people who just read the title will be scared and move to Android?

  4. Jailbreak == security vulnerability by zarmanto · · Score: 4, Insightful

    Every now and then, I read a comment from someone about how Apple must "hate" the jailbreakers, because they keep closing off the flaws which make jailbreaks possible. The reality -- as effectively demonstrated in this instance -- is that the flaws which allow jailbreaks also just happen to open your phone up to malware. Apple is far more concerned with what a malicious entity might do to their customer base through these flaws than with what the jailbreakers are doing to their own phones. Would that more people understood this.

  5. Re:A certificate that isn't used is pointless by BigBuckHunter · · Score: 2

    Doesn't matter. If there is a security flaw where a certificate has been compromised then the only correct response is to revoke the certificate. Yes, this could be highly inconvenient, but the danger of not revoking the certificate and disabling the vulnerability is worse. A certificate that isn't revoked when necessary is worse than useless. If the danger does not justify a certificate then what is the point of issuing one in the first place?

    Indeed. In this case, it appears that the owner of the certificate (Yingmob Interaction Technology Co) is the author of the malware. Apple will likely revoke the certificate, revoke their developer credentials, blacklist/flag the developers that are on the corporate account, and seek civil penalties.

    If the cert belonged to a big enterprise company like HP/IBM, you're still absolutely correct. Apple would revoke the certificate, and HP/IBM would thank them and apologize for their ineptitude at keeping their PrivKey safe.

  6. Enterprise users who get patches are just fine by perpenso · · Score: 2

    In other words, Apple products are not well designed for use in the enterprise market.

    Actually, if you have a somewhat recent update, iOS 8.4 or 9.0, then the exploit is fixed. So enterprise users who get patches are just fine.

    1. Re:Enterprise users who get patches are just fine by Rosyna · · Score: 2

      To elaborate, iOS 8.3 fixed the silent install issue, iOS 8.4 fixed the other issues, iOS 9 made it significantly more difficult to trick people into approving enterprise certificates.