X

New iOS malware tricks its way onto iPhones in China and Taiwan

The malicious software, called YiSpecter, hijacks apps and the Safari browser to show full-page ads. It fools users into installing it by claiming to circumvent China's Web censorship.

Rahil Bhagat
Based in Singapore, Rahil Bhagat is a freelance tech journalist with a passion for consumer tech and startups. He is also an avid gamer and does not believe that celery exists. He tweets into the ether via @rahilmb
Rahil Bhagat
2 min read

iPhone users who attempt to download a fake app in China and Taiwan have been infected with a new form of malware. Sarah Tew/CNET

A new species of malware that shows fullscreen ads is flourishing on Apple devices in China and Taiwan. The development follows reports last month that apps loaded with malware had to be purged from the company's App Store.

The malicious software, dubbed YiSpecter, is reportedly able to "install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps' execution to display advertisements, change Safari's default search engine, bookmarks and opened pages, and upload device information," according to US-based cybersecurity firm Palo Alto Networks.

Victims of YiSpecter are reportedly tricked into being infected when they are persuaded to download what appears to be a "private version" or "version 5.0" of a popular but now defunct media player, QVOD.

In China, QVOD was popular for its ability to allow users to share pornographic content. Pornography is illegal in China but there exists a vast underground network of hidden sites and third-party apps to circumvent such laws. The offices of the app's developer, Kuaibo, were raided by police in 2014.

YiSpecter is able to make use of private application programming interfaces (APIs) to install itself on infected devices and then trick iOS' SpringBoard, the software that manages things like app icons on the home screen, to prevent users from deleting it. The malware takes this deception a step further by using the same name and logos of system apps. It does not even require the iPhone or iPad to be jailbroken, the term used to describe the process of unlocking a device so you can install unauthorized apps.

"We advise customers to stay current and only download content from the App Store and trusted sources," an Apple spokesperson told CNET. "This particular vulnerability was indeed fixed in iOS 9.0."

Ryan Olson, Palo Alto Networks' director of threat intelligence, told The Wall Street Journal that the culprit seems to be a China-based mobile advertisement service and that Apple had been notified of this new threat.

The news comes two weeks after the XcodeGhost attack caused Apple to pull a host of trusted, high-profile apps from its Chinese app store.