Newly discovered Apple iOS malware is attacking jailbroken and non-jailbroken iPhones and iPads, although it would appear to affect mostly users of older devices in Asia.

Discovered by security firm Paloalto Networks, Inc. and dubbed “YiSpecter,” the malware targets private APIs in the iOS system to implement malicious functionalities.

The malware is said to spread via unusual means, including the hijacking of traffic from nationwide ISPs, an SNS worm on Windows, and an offline app installation and community promotion.

YiSpecter is believed to have been in the wild for over 10 months, but currently only one anti-virus tool, VirusTotal, is detecting the malware on infected phones.

In what can perhaps be described as the most aggressive iOS malware to-date, YiSpecter can cause infected iPhones to download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information to an external server.

The internal DNA of the YiSpecter malware is said to be intricate in that it involves four different components that have all been digitally signed by various enterprise certificates; those individual components work in conjunction with one another to set off a chain of downloads that originates from a remote server.

Response

Trey Ford at IT security and analytics firm Rapid7, Inc. explained the implications of the malware to SiliconANGLE via email, writing that “this does not signal the collapse of Apple’s iOS security model….Apple’s iOS walled garden is still a holy grail for attackers, so every incident involving non-jailbroken iOS devices will likely be considered newsworthy.”

“Attackers know that focusing on edge cases, specifically exceptions like the ‘in-house distribution’ workflow using enterprise certificates, provide the most likely path to deployment. On the upside, Apple is aware and actively making that workflow harder for people to abuse,” Ford went on.

Apple has released an official statement as well, noting that the security issues allowing the malware to penetrate iPhone’s has been addressed:

This issue only impacts users on older versions of iOS who have also downloaded malware from untrusted sources. We addressed this specific issue in iOS 8.4 and we have also blocked the identified apps that distribute this malware. We encourage customers to stay current with the latest version of iOS for the latest security updates. We also encourage them to only download from trusted sources like the App Store and pay attention to any warnings as they download apps.”

Reminding everyone of the old adage “always practice safe internet,” Ford sums it up as follows: “On this one, Consumers and Enterprises need a simple reminder: Stay inside the app store, do not jailbreak your iPhone. Pop-up warning questions, “Are you sure you want to…” should be screenshot and discussed with your technology partners, not blindly accepted.”

Currently YiSpecter is thought to only be primarily targeting users in China and Taiwan.

Image credit: carbonnyc/Fickr/CC by 2.0