
Advertising Malware Affects Non-Jailbroken iOS Devices

An anonymous reader writes: Malware called YiSpecter is infecting iOS devices belonging to Chinese and Taiwanese users, and is the first piece of malware that successfully targets both jailbroken and non-jailbroken devices, Palo Alto Networks researchers warn. What's more, the techniques it uses for hiding are making it difficult to squash the infection. YiSpecter's malicious apps were signed with three iOS enterprise certificates issued by Apple so that they can be installed as enterprise apps on non-jailbroken iOS devices via in-house distribution. Through this kind of distribution, an iOS app can bypass Apple's strict code review procedures and can invoke iOS private APIs to perform sensitive operations.
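The summary above turns on one mechanism: an app signed under an enterprise (in-house) provisioning profile installs without App Review, so a device inventory should flag enterprise profiles that do not belong to the organisation's own team. The script below is an added example, not code from Palo Alto Networks, Apple or any commenter. It assumes the documented provisioning-profile plist keys ProvisionsAllDevices, ProvisionedDevices, TeamIdentifier, ExpirationDate and Entitlements, builds constructed sample profiles inline (the team identifiers TRUSTEDTEAM and UNKNOWNTEAM are placeholders), and locates the plist inside the CMS envelope by text search, so it classifies profiles but does not verify the CMS signature.

```python
import plistlib
import re
from datetime import datetime, timezone
from typing import Optional

# Team identifiers the organisation actually owns. Constructed placeholder
# values for this example; an MDM administrator would fill these in from
# the organisation's own Apple Developer Enterprise Program records.
TRUSTED_TEAM_IDS = {"TRUSTEDTEAM"}

# A .mobileprovision is a CMS (PKCS#7) SignedData blob wrapping an XML plist.
# Locating the plist text directly avoids a CMS parser, but it also means the
# CMS signature is NOT verified here; this is an inventory check, not trust.
_PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_profile(blob: bytes) -> dict:
    """Return the plist dictionary embedded in a provisioning profile."""
    match = _PLIST_RE.search(blob)
    if match is None:
        raise ValueError("no embedded plist found in provisioning profile")
    return plistlib.loads(match.group(0))


def classify(profile: dict) -> str:
    """Map a profile to its distribution type.

    ProvisionsAllDevices is present only in enterprise (in-house) profiles;
    ProvisionedDevices lists device UDIDs for ad-hoc and development
    profiles; App Store profiles carry neither key.
    """
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    if "ProvisionedDevices" in profile:
        entitlements = profile.get("Entitlements", {})
        return "development" if entitlements.get("get-task-allow") else "adhoc"
    return "appstore"


def assess(blob: bytes, now: Optional[datetime] = None) -> dict:
    """Classify one profile and list the findings an inventory check would raise."""
    profile = extract_profile(blob)
    # plistlib returns naive datetimes in UTC, so compare against a naive UTC now.
    if now is None:
        now = datetime.now(timezone.utc).replace(tzinfo=None)
    kind = classify(profile)
    teams = set(profile.get("TeamIdentifier", []))
    findings = []
    if kind == "enterprise" and not teams & TRUSTED_TEAM_IDS:
        findings.append("enterprise profile from a team we do not own")
    expires = profile.get("ExpirationDate")
    if expires is not None and expires < now:
        findings.append("profile expired")
    return {"name": profile.get("Name"), "kind": kind,
            "teams": sorted(teams), "findings": findings}


def _fake_mobileprovision(name: str, team: str, enterprise: bool,
                          expires: datetime) -> bytes:
    """Build a constructed sample profile: an XML plist inside dummy CMS bytes."""
    profile = {
        "Name": name,
        "TeamIdentifier": [team],
        "ExpirationDate": expires,
        "Entitlements": {"get-task-allow": False,
                         "application-identifier": f"{team}.com.example.app"},
        "Version": 1,
    }
    if enterprise:
        profile["ProvisionsAllDevices"] = True
    else:
        profile["ProvisionedDevices"] = ["00000000000000000000000000000000000000ff"]
    plist = plistlib.dumps(profile, fmt=plistlib.FMT_XML)
    # Dummy bytes standing in for the CMS envelope (not a valid signature).
    envelope_head = b"\x30\x82\x04\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
    return envelope_head + plist + b"\x00\x00"


# Constructed samples: the clock is fixed so results are reproducible.
NOW = datetime(2015, 10, 5, 9, 23)
UNKNOWN_ENTERPRISE = _fake_mobileprovision("Free Tool", "UNKNOWNTEAM", True, datetime(2016, 10, 5))
OWN_ENTERPRISE = _fake_mobileprovision("Corp App", "TRUSTEDTEAM", True, datetime(2016, 10, 5))
STALE_ADHOC = _fake_mobileprovision("Beta Build", "TRUSTEDTEAM", False, datetime(2015, 1, 1))

if __name__ == "__main__":
    for blob in (UNKNOWN_ENTERPRISE, OWN_ENTERPRISE, STALE_ADHOC):
        print(assess(blob, NOW))
```

Run against an MDM export of installed profiles, the first sample is the case the story describes: an in-house profile whose team is not yours. Expiry is reported as a separate finding because a revoked certificate and an expired profile look different in inventory data, and the comments below note that revocation, not expiry, is what disables the signed app.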
  • Opening Ceremonies (Score:3, Insightful)

    by eedwardsjr ( 1327857 ) on Monday October 05, 2015 @09:23AM (#50661129)
    Let the griping begin. Queue the fanboys from both sides.
    • by Anonymous Coward

      Also, cue the drooling morons who don't know the difference between "queue" and "cue."

      • Also, cue the drooling morons who don't know the difference between "queue" and "cue."

        Well, you can CUE someone to stand in a QUEUE; so, it is POSSIBLE that the person meant that there would be a line of posters waiting to post on the subject...

        • The sentence wouldn't be formed that way.

          • The sentence wouldn't be formed that way.

            C'mon, lighten up! I mean, if a song can have the lyric "Outside in the cold distance, a wildcat did growl;" then I submit that I should be allowed the construction I used, too. Especially on the spur of the moment!

    • How about this: the next time there's an article where advertisers or so-called "content providers" bitch and moan about people blocking ads, we can use this story as more evidence to show that malware authors are the colleagues of advertisers. Advertisers might not like that fact, but it's a fact. Ad blocking is akin to malware blocking.

      There you go, there's the anti-advertising gripe for your "both sides".

      • by EXrider ( 756168 ) on Monday October 05, 2015 @11:37AM (#50662387)
        I thought the same thing, until I RTFA and realized that the attack vector (there isn't one really) wasn't through ads. You have to be tricked into installing some sketchy 3rd party Enterprise app distribution certificate before you can install the malware on your non-jailbroken device. Play stupid games, win stupid prizes.
        • I understand that. But what are the people who are abusing this technology doing? They're showing ads. Like any other technology that comes along, sure enough there's an advertiser trying to use it to show people stuff that they don't want to see. This is the reason why we need ad-blockers, and it's something that advertisers arguing against blocking don't seem to want to admit.

  • Not really a flaw... (Score:5, Informative)

    by rgbscan ( 321794 ) on Monday October 05, 2015 @09:31AM (#50661183) Homepage

    So this doesn't work for apps downloaded from the iOS app store. For the vulnerability to work, you first have to download and install an Enterprise certificate, then you have to download and install an infected app from a specific third party website signed with that Enterprise certificate. This isn't really a vulnerability, this is the specific application path for installing custom enterprise apps at your private business. Don't go around installing unknown junk and you'll be fine.

    • It is a vulnerability; it is one that may not hit everyone. It also seems to require the user interaction to actively install the malware unlike other malware which can be installed by visiting a website, etc.
      • It is a vulnerability; it is one that may not hit everyone.

        Well, yeah. It's a vulnerability that affects all OSes, because VEBTSAC.

    • Same as Android malware then!

    • Exactly. Apple has released an official response to the issue already as well:

      This issue only impacts users on older versions of iOS who have also downloaded malware from untrusted sources. We addressed this specific issue in iOS 8.4 and we have also blocked the identified apps that distribute this malware. We encourage customers to stay current with the latest version of iOS for the latest security updates. We also encourage them to only download from trusted sources like the App Store and pay attention to any warnings as they download apps.

      So, basically, to be impacted by this, a user would have avoided the freely available OS updates for the last four months (despite the OS prompting them to update periodically), opted-in to trusting an enterprise certificate that isn't associated with where they work (despite the OS' dire warnings about trusting enterprise certificates in general), and would have then needed to separately download the untrustworthy apps (again, de

    • And the exploit the malware used was fixed in iOS 8.4 or later.
  • by sjbe ( 173966 ) on Monday October 05, 2015 @09:31AM (#50661185)

    YiSpecter's malicious apps were signed with three iOS enterprise certificates issued by Apple so that they can be installed as enterprise apps on non-jailbroken iOS devices via in-house distribution.

    So Apple should revoke the certificate. Why is this a problem? What makes this newsworthy? What am I missing?

    It should surprise nobody that malware makers find security holes. Apple is no exception. But the entire point of certificates is that they can be revoked in the event there is a problem. Revoke the certificate which should then disable the app. If it doesn't work this way then something is wrong and the certificate is pointless.

    • by aslagle ( 441969 ) on Monday October 05, 2015 @09:48AM (#50661309)

      So Apple should revoke the certificate. Why is this a problem? What makes this newsworthy? What am I missing?

      That even though this is still just someone running an untrusted binary, let's put that it affects unjailbroken iPhones so people who just read the title will be scared and move to Android?

    • I wholeheartedly agree with the certificate revocation solution. I would take it a step further and charge penalties to the enterprises whose compromised certificate was used to sign the app. Make Beijing Yingmob Interaction Technology Co., Ltd. pay for the mess.

      Also note that iOS 9 requires the user to authorize the installation.
    • Also in iOS 9 you have to approve running an app the first time signed with an Enterprise cert.
    • I didn't see, where did the certificate come from in the first place?

    • by Rosyna ( 80334 )

      They were revoked quite a while ago. The malware hails from 2014.

  • by zarmanto ( 884704 ) on Monday October 05, 2015 @10:57AM (#50661997) Journal

    Every now and then, I read a comment from someone about how Apple must "hate" the jailbreakers, because they keep closing off the flaws which make jailbreaks possible. The reality -- as effectively demonstrated in this instance -- is that the flaws which allow jailbreaks also just happen to open your phone up to malware. Apple is far more concerned with what a malicious entity might do to their customer base through these flaws than with what the jailbreakers are doing to their own phones. Would that more people understood this.

    • Every now and then, I read a comment from someone about how Apple must "hate" the jailbreakers, because they keep closing off the flaws which make jailbreaks possible. The reality -- as effectively demonstrated in this instance -- is that the flaws which allow jailbreaks also just happen to open your phone up to malware. Apple is far more concerned with what a malicious entity might do to their customer base through these flaws than with what the jailbreakers are doing to their own phones. Would that more people understood this.

      Precisely!

    • Except this particular vulnerability has precisely nothing to do with jailbreaking. To the contrary, it's a flaw with Apple's own way for enterprise customers to install unapproved apps. They hate jailbreaking because it's a stepping stone to enabling piracy (thus slightly reducing app store revenue and causing app publishers to start breathing down their neck), a stepping stone to enabling non-carrier-sanctioned tethering (thus making carriers breathe down their neck), and other things that all either redu
      • Except this particular vulnerability has precisely nothing to do with jailbreaking. To the contrary, it's a flaw with Apple's own way for enterprise customers to install unapproved apps. ...

        While your first sentence is reasonable (but strictly speaking, does not actually negate anything I said, aside from implying a minimization of the relevancy of my comment), your second sentence is technically incorrect: The enterprise certs are working exactly as they were intended. The real issue is that a malicious entity happened to obtain access to such certs. So the questions are: How did they obtain the certs? And how can Apple prevent future compromises of this nature?

        If we apply Hanlon's Razor, I'
