Slashdot Mirror


Advertising Malware Affects Non-Jailbroken iOS Devices

An anonymous reader writes: Malware called YiSpecter is infecting iOS devices belonging to Chinese and Taiwanese users, and is the first piece of malware that successfully targets both jailbroken and non-jailbroken devices, Palo Alto Networks researchers warn. What's more, the techniques it uses for hiding are making it difficult to squash the infection. YiSpecter's malicious apps were signed with three iOS enterprise certificates issued by Apple so that they can be installed as enterprise apps on non-jailbroken iOS devices via in-house distribution. Through this kind of distribution, an iOS app can bypass Apple's strict code review procedures and can invoke iOS private APIs to perform sensitive operations.

6 of 69 comments

  1. Not really a flaw... by rgbscan · Score: 5, Informative

    So this doesn't work for apps downloaded from the iOS app store. For the vulnerability to work, you first have to download and install an Enterprise certificate, then you have to download and install an infected app from a specific third party website signed with that Enterprise certificate. This isn't really a vulnerability, this is the specific application path for installing custom enterprise apps at your private business. Don't go around installing unknown junk and you'll be fine.

    1. Re: Not really a flaw... by tlhIngan · Score: 5, Informative

      Apple's method of securing appspace for the enterprise failed.

      Actually, this is by design.

      One of the reasons for having the Enterprise certificate is to distribute apps without Apple approval. Because Apple can't really test, and enterprises really don't want to go through the hassle of having every line of business app approved.

      So Apple always has offered an "out" - a way to get non-Apple-approved apps onto devices. Apple calls it their Enterprise program, where you buy a $500 (yearly) certificate from Apple, and that will let you self-sign apps and install them on devices that install the appropriate provisioning file.

      So first, the provisioning file is installed (which also lets enterprises set key rules like lock screen password or PIN security and other policies). Then you can install apps signed by the same certificate.

      It's not a big surprise that malware authors would use it, but for most normal users, such certificates often come by if you want to use pirated apps (there are plenty of sites out there selling you "re-signing" services for like $25 a year - they will sign cracked apps for you to install on your device).

      In short, to install this malware:

      1) You need to install the mobile provisioning certificate - a web page cannot do it, as the user must tap "OK" to actually install it. A user can list and view such provisioning certificates at will. They self-expire after a year.

      2) You need to download the affected app, that's signed with the same certificate as the provisioning file. (So one company's apps cannot be installed via some other company's certificate).

      3) The certificate hasn't been revoked.

      The enterprise system is working exactly as designed.
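
The provisioning file described in the comment above can be inspected offline. This is an added example, not part of the original thread: it reads the plist embedded in a `.mobileprovision` blob and flags unexpired profiles that apply to any device. `ProvisionsAllDevices`, `ProvisionedDevices`, `ExpirationDate` and `TeamName` are keys of Apple's provisioning profile format; the sample blobs, file names, team name and audit date are constructed.

```python
import plistlib
from datetime import datetime

def extract_plist(blob: bytes) -> dict:
    """Return the XML plist embedded in a signed .mobileprovision blob.

    The signature wrapper is skipped, not verified: this is for inventory only.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def classify(profile: dict, now: datetime) -> dict:
    """Summarise the fields that decide where and how long a profile applies."""
    enterprise = bool(profile.get("ProvisionsAllDevices", False))
    devices = profile.get("ProvisionedDevices", [])
    expired = profile["ExpirationDate"] <= now
    kind = "enterprise in-house" if enterprise else f"device-limited ({len(devices)} devices)"
    # Unexpired profiles that run on any device deserve a manual look.
    return {"team": profile.get("TeamName", "unknown"), "kind": kind,
            "expired": expired, "review": enterprise and not expired}

def make_sample(enterprise: bool, expires: datetime) -> bytes:
    """Build a constructed stand-in for a profile file (not a real one)."""
    body = {"TeamName": "Example Corp (constructed)", "ExpirationDate": expires}
    if enterprise:
        body["ProvisionsAllDevices"] = True
    else:
        body["ProvisionedDevices"] = ["constructed-udid-0001"]
    return b"\x30\x82wrapper" + plistlib.dumps(body) + b"trailing-signature"

NOW = datetime(2015, 10, 5)  # constructed audit date
SAMPLES = {  # constructed inputs
    "inhouse.mobileprovision": make_sample(True, datetime(2016, 9, 1)),
    "adhoc.mobileprovision": make_sample(False, datetime(2016, 9, 1)),
    "old.mobileprovision": make_sample(True, datetime(2015, 1, 1)),
}

def audit(samples: dict, now: datetime) -> dict:
    """Classify every profile blob in the mapping."""
    return {name: classify(extract_plist(blob), now) for name, blob in samples.items()}

if __name__ == "__main__":
    for name, result in audit(SAMPLES, NOW).items():
        print(name, result)
```

Revocation status is not stored in the profile file, so the third condition in the comment cannot be checked this way.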

  2. Revoke the certificate by sjbe · Score: 4, Insightful

    YiSpecter's malicious apps were signed with three iOS enterprise certificates issued by Apple so that they can be installed as enterprise apps on non-jailbroken iOS devices via in-house distribution.

    So Apple should revoke the certificate. Why is this a problem? What makes this newsworthy? What am I missing?

    It should surprise nobody that malware makers find security holes. Apple is no exception. But the entire point of certificates is that they can be revoked in the event there is a problem. Revoke the certificate which should then disable the app. If it doesn't work this way then something is wrong and the certificate is pointless.

    1. Re:Revoke the certificate by aslagle · Score: 4, Informative

      So Apple should revoke the certificate. Why is this a problem? What makes this newsworthy? What am I missing?

      That even though this is still just someone running an untrusted binary, let's put that it affects unjailbroken iPhones so people who just read the title will be scared and move to Android?

  3. Jailbreak == security vulnerability by zarmanto · Score: 4, Insightful

    Every now and then, I read a comment from someone about how Apple must "hate" the jailbreakers, because they keep closing off the flaws which make jailbreaks possible. The reality -- as effectively demonstrated in this instance -- is that the flaws which allow jailbreaks also just happen to open your phone up to malware. Apple is far more concerned with what a malicious entity might do to their customer base through these flaws, than with what the jailbreakers are doing to their own phones. Would that more people understood this.

  4. Re:Opening Ceremonies by EXrider · Score: 3, Interesting

    I thought the same thing, until I RTFA and realized that the attack vector (there isn't one really) wasn't through ads. You have to be tricked into installing some sketchy 3rd party Enterprise app distribution certificate before you can install the malware on your non-jailbroken device. Play stupid games, win stupid prizes.

    --
    grep -iw skynet /etc/services