Advertising Malware Affects Non-Jailbroken iOS Devices
An anonymous reader writes: Malware called YiSpecter is infecting iOS devices belonging to Chinese and Taiwanese users, and is the first piece of malware that successfully targets both jailbroken and non-jailbroken devices, Palo Alto Networks researchers warn. What's more, the techniques it uses for hiding are making it difficult to squash the infection. YiSpecter's malicious apps were signed with three iOS enterprise certificates issued by Apple so that they can be installed as enterprise apps on non-jailbroken iOS devices via in-house distribution. Through this kind of distribution, an iOS app can bypass Apple's strict code review procedures and can invoke iOS private APIs to perform sensitive operations.
Opening Ceremonies (Score:3, Insightful)
Re: (Score:1)
Also, cue the drooling morons who don't know the difference between "queue" and "cue."
Re: (Score:2)
Also, cue the drooling morons who don't know the difference between "queue" and "cue."
Well, you can CUE someone to stand in a QUEUE; so, it is POSSIBLE that the person meant that there would be a line of posters waiting to post on the subject...
Re: (Score:2)
The sentence wouldn't be formed that way.
Re: (Score:2)
The sentence wouldn't be formed that way.
C'mon, lighten up! I mean, if a song can have the lyric "Outside in the cold distance, a wildcat did growl;" then I submit that I should be allowed the construction I used, too. Especially on the spur of the moment!
Re: (Score:1)
How about this: the next time there's an article where advertisers or so-called "content providers" bitch and moan about people blocking ads, we can use this story as more evidence to show that malware authors are the colleagues of advertisers. Advertisers might not like that fact, but it's a fact. Ad blocking is akin to malware blocking.
There you go, there's the anti-advertising gripe for your "both sides".
Re:Opening Ceremonies (Score:4, Interesting)
Re: (Score:2)
I understand that. But what are the people who are abusing this technology doing? They're showing ads. Like any other technology that comes along, sure enough there's an advertiser trying to use it to show people stuff that they don't want to see. This is the reason why we need ad-blockers, and it's something that advertisers arguing against blocking don't seem to want to admit.
Not really a flaw... (Score:5, Informative)
So this doesn't work for apps downloaded from the iOS app store. For the vulnerability to work, you first have to download and install an Enterprise certificate, then you have to download and install an infected app from a specific third party website signed with that Enterprise certificate. This isn't really a vulnerability, this is the specific application path for installing custom enterprise apps at your private business. Don't go around installing unknown junk and you'll be fine.
Re: (Score:1)
Where on earth did you get that idea from what GP said?
Re: (Score:1)
He's a troll. Everybody who argues for microsoft products on slashdot is a troll. Even if windows is miles better than Loonix or OS X "El Crapitan".
As somebody who sees the truth, you either have to live with the extremely biased modder situation on this stupid site, or leave it forever.
Re: Not really a flaw... (Score:1, Insightful)
The app was "signed" and it didn't matter. Malware leaked in. Apple's method of securing appspace for the enterprise failed.
Re: (Score:3)
How is this even news?
Because haters gotta hate, and Ol' Slashdot needs the Clicks.
Next question?
Re: Not really a flaw... (Score:5, Informative)
Actually, this is by design
One of the reasons for having the Enterprise certificate is to distribute apps without Apple approval. Because Apple can't really test, and enterprises really don't want to go through the hassle of having every line of business app approved.
So Apple always has offered an "out" - a way to get non-Apple-approved apps onto devices. Apple calls it their Enterprise program, where you buy a $500 (yearly) certificate from Apple, and that will let you self-sign apps and install them on devices that install the appropriate provisioning file.
So first, the provisioning file is installed (which also lets enterprises set key rules like lock screen password or PIN security and other policies). Then you can install apps signed by the same certificate.
It's not a big surprise that malware authors would use it, but for most normal users, such certificates often come by if you want to use pirated apps (there are plenty of sites out there selling you "re-signing" services for like $25 a year - they will sign cracked apps for you to install on your device).
In short, to install this malware - 1) You need to install the mobile provisioning certificate - a web page cannot do it, as the user must tap "OK" to actually install it. A user can list and view such provisioning certificates at will. They self-expire after a year.
2) You need to download the affected app, that's signed with the same certificate as the provisioning file. (So one company's apps cannot be installed via some other company's certificate).
3) The certificate hasn't been revoked.
The enterprise system is working exactly as designed
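The three conditions in the post above (an installed, unexpired provisioning profile; an app signed by a certificate embedded in that same profile; that certificate not yet revoked) are exactly what a responder checks when triaging a suspicious in-house app on a device or in an .ipa. The script below is an added example, not code from the thread, from Apple, or from the Palo Alto Networks write-up. It pulls the plist out of a .mobileprovision by slicing between the XML markers inside the CMS envelope (a common triage shortcut that skips verifying Apple's signature on the profile), then applies the three checks. All of the profile contents, certificate bytes, and the revoked-fingerprint set are constructed sample data; a real revocation check would go to Apple's OCSP responder rather than a local set.

```python
import hashlib
import plistlib
from datetime import datetime, timedelta, timezone

PLIST_START = b"<?xml"
PLIST_END = b"</plist>"


def extract_profile_plist(blob: bytes) -> dict:
    """A .mobileprovision file is a CMS (PKCS#7) signed wrapper around an XML
    plist. The plist bytes sit verbatim inside the DER structure, so the usual
    triage shortcut is to slice from '<?xml' to '</plist>' and parse that.
    This deliberately skips verifying Apple's CMS signature on the profile."""
    start = blob.index(PLIST_START)
    end = blob.index(PLIST_END, start) + len(PLIST_END)
    return plistlib.loads(blob[start:end])


def cert_fingerprint(der: bytes) -> str:
    """SHA-1 fingerprint, the form in which signing identities usually show
    up in device logs and keychain tooling."""
    return hashlib.sha1(der).hexdigest()


def check_enterprise_install(profile: dict, app_signer_der: bytes,
                             revoked_fingerprints: set, now: datetime) -> dict:
    """Apply the three conditions from the post: (1) an enterprise profile is
    present and unexpired, (2) the app's signer is one of the certificates
    embedded in that profile, (3) that certificate has not been revoked."""
    expires = profile["ExpirationDate"]
    if expires.tzinfo is None:          # plistlib returns naive UTC datetimes
        expires = expires.replace(tzinfo=timezone.utc)
    profile_fps = {cert_fingerprint(c) for c in profile.get("DeveloperCertificates", [])}
    signer_fp = cert_fingerprint(app_signer_der)
    result = {
        "team": profile.get("TeamIdentifier", ["?"])[0],
        # ProvisionsAllDevices=true is what distinguishes an in-house profile
        # from an ad-hoc/development one limited to listed device UDIDs.
        "enterprise_profile": bool(profile.get("ProvisionsAllDevices", False)),
        "profile_expired": expires <= now,
        "signer_in_profile": signer_fp in profile_fps,
        "signer_revoked": signer_fp in revoked_fingerprints,
    }
    result["install_allowed"] = (result["enterprise_profile"]
                                 and not result["profile_expired"]
                                 and result["signer_in_profile"]
                                 and not result["signer_revoked"])
    return result


# --- Constructed sample data (hypothetical; not real Apple-issued material) ---
ENTERPRISE_CERT = b"DER-bytes-of-hypothetical-enterprise-cert"
OTHER_COMPANY_CERT = b"DER-bytes-of-some-other-companys-cert"
NOW = datetime(2015, 10, 6, tzinfo=timezone.utc)   # date of this thread


def build_sample_profile(expires: datetime) -> bytes:
    """Emit a fake .mobileprovision: a plist wrapped in junk bytes standing in
    for the CMS envelope, so extract_profile_plist() has something to slice."""
    plist = plistlib.dumps({
        "Name": "Hypothetical In-House Profile",
        "TeamIdentifier": ["ABCDE12345"],
        "ProvisionsAllDevices": True,
        "ExpirationDate": expires.replace(tzinfo=None),
        "DeveloperCertificates": [ENTERPRISE_CERT],
        "UUID": "00000000-0000-4000-8000-000000000000",
    })
    return b"\x30\x82\x01\x00" + plist + b"\x00\x00"


def demo() -> dict:
    """Run the three-step check under four scenarios and return each verdict."""
    valid = extract_profile_plist(build_sample_profile(NOW + timedelta(days=200)))
    stale = extract_profile_plist(build_sample_profile(NOW - timedelta(days=1)))
    return {
        # App signed by the same cert the profile carries: installs.
        "legit": check_enterprise_install(valid, ENTERPRISE_CERT, set(), NOW),
        # Another company's cert, as in step 2 of the post: rejected.
        "other_company": check_enterprise_install(valid, OTHER_COMPANY_CERT, set(), NOW),
        # Profile past its one-year lifetime: rejected.
        "expired": check_enterprise_install(stale, ENTERPRISE_CERT, set(), NOW),
        # Apple has revoked the cert (step 3): rejected.
        "revoked": check_enterprise_install(
            valid, ENTERPRISE_CERT, {cert_fingerprint(ENTERPRISE_CERT)}, NOW),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:14s} install_allowed={verdict['install_allowed']}  {verdict}")
```

On a real device the same fields can be read from the profiles under /var/MobileDevice/ProvisioningProfiles (jailbroken) or from embedded.mobileprovision inside an .ipa; the revoked set here also stands in for the "revoke the certificate" remedy discussed further down the thread, which on a real device is Apple's OCSP answer rather than a local list.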
Re: (Score:3)
It's even harder to accidentally install enterprise certificates in iOS 9.
http://researchcenter.paloalto... [paloaltonetworks.com]
Re: (Score:1)
As someone who develops iOS apps for an enterprise I agree with this. Distributing/maintaining enterprise apps for iOS is kind of painful. The things that make it painful are the things that make it safer for the end user so can't really come to this guy's conclusion from the article.
Enterprise users who get patches are just fine (Score:3)
In other words, Apple products are not well designed for use in the enterprise market.
Actually if you have a somewhat recent update, iOS 8.4 or 9.0 then the exploit is fixed. So enterprise users who get patches are just fine.
Re: (Score:3)
To elaborate, iOS 8.3 fixed the silent install issue, iOS 8.4 fixed the other issues, iOS 9 made it significantly more difficult to trick people into approving enterprise certificates.
Re: (Score:2)
Re: (Score:2)
It is a vulnerability; it is one that may not hit everyone.
Well, yeah. It's a vulnerability that affects all OSes, because VEBTSAC.
Re: Not really a flaw... (Score:1)
Same as Android malware then!
Re: (Score:2)
Exactly. Apple has released an official response to the issue already as well:
This issue only impacts users on older versions of iOS who have also downloaded malware from untrusted sources. We addressed this specific issue in iOS 8.4 and we have also blocked the identified apps that distribute this malware. We encourage customers to stay current with the latest version of iOS for the latest security updates. We also encourage them to only download from trusted sources like the App Store and pay attention to any warnings as they download apps.
So, basically, to be impacted by this, a user would have avoided the freely available OS updates for the last four months (despite the OS prompting them to update periodically), opted-in to trusting an enterprise certificate that isn't associated with where they work (despite the OS' dire warnings about trusting enterprise certificates in general), and would have then needed to separately download the untrustworthy apps (again, de
And fixed in recent iOS versions ... (Score:2)
Revoke the certificate (Score:5, Insightful)
YiSpecter's malicious apps were signed with three iOS enterprise certificates issued by Apple so that they can be installed as enterprise apps on non-jailbroken iOS devices via in-house distribution.
So Apple should revoke the certificate. Why is this a problem? What makes this newsworthy? What am I missing?
It should surprise nobody that malware makers find security holes. Apple is no exception. But the entire point of certificates is that they can be revoked in the event there is a problem. Revoke the certificate which should then disable the app. If it doesn't work this way then something is wrong and the certificate is pointless.
Re:Revoke the certificate (Score:5, Informative)
That even though this is still just someone running an untrusted binary, let's put that it affects unjailbroken iphones so people who just read the title will be scared and move to android?
Re: (Score:2)
Also note that iOS 9 requires the user to authorize the installation.
Re: (Score:2)
Why did you even mention "user to authorize the installation"? That has not been an acceptable excuse for those platforms, why change now?
The user needs to authorize the installation (of an enterprise certificate into the iOS devices certificate trust store). I mention it because the article mentions it, and it is pretty much counter to what the Slashdot summary implies.
It almost looks like everyone's so hot for a real exploit that these 'rogue certified applications' and their developers are getting overblown.
Ultimately, the solution is all the same. Apple adds the rogue cert(s) to their CRL. Done.
A certificate that isn't used is pointless (Score:1)
You're new here, aren't you?
Check my userid. Some have been here longer but unless you are being ironic the answer is no I'm not new here.
You know how many threads there are defending / promoting the notion that i devices are impervious to malware / viruses?
Yes I am aware. Yes their arguments are generally idiotic.
Also, it's possible once the malware gets a hold of the system, it might block actions.
If that it is true then that is a huge flaw in the system which Apple needs to correct as soon as possible. I understand that such a scenario is possible but I also understand that it is correctable. If some software needs to break to improve security then so be it.
It's an enterprise certificate, so those companies want more control over what goes in and out -- they don't want mission critical software to be suddenly removed because someone at APL bungled something.
Doesn't matter. If there is a security flaw where a certificate has been
Re: (Score:3)
Doesn't matter. If there is a security flaw where a certificate has been compromised then the only correct response it revoke the certificate. Yes this could be highly inconvenient but the danger of not revoking the certificate and disabling the vulnerability is worse. A certificate that isn't revoked when necessary is worse than useless. If the danger does not justify a certificate then what is the point of issuing one in the first place?
Indeed. In this case, it appears that the owner of the certificate (Yingmob Interaction Technology Co) is the author of the malware. Apple will likely revoke the certificate, revoke their developer credentials, blacklist/flag the developers that are on the corporate account, and seek civil penalties.
If the cert belonged to a big enterprise company like HP/IBM, you're still absolutely correct. Apple would revoke the certificate, and HP/IBM would thank them and apologize for their ineptitude at keeping th
Re: (Score:2)
"You know how many threads there are defending / promoting the notion that i devices are impervious to malware / viruses?"
None. It is a strawman invoked here on /. only by Apple detractors.
Re: (Score:2)
You know how many threads there are defending / promoting the notion that i devices are impervious to malware / viruses?
...of which, 99% of them are sarcastic allusions to that "Assertion" posted by Apple Haters, NOT by Apple Users.
Prove me wrong.
Re: (Score:1)
Re: (Score:2)
I didn't see, where did the certificate come from in the first place?
Re: (Score:2)
They were revoked quite a while ago. The malware hails from 2014.
Re: (Score:2)
Jailbreak == security vulnerability (Score:5, Insightful)
Every now and then, I read a comment from someone about how Apple must "hate" the jailbreakers, because they keep closing off the flaws which make jailbreaks possible. The reality -- as effectively demonstrated in this instance -- is that the flaws which allow jailbreaks also just happen to open your phone up to malware. Apple is far more concerned with what a malicious entity might do to their customer base through these flaws, than with what the jailbreakers are doing to their own phones. Would that more people understood this.
Re: (Score:2)
Every now and then, I read a comment from someone about how Apple must "hate" the jailbreakers, because they keep closing off the flaws which make jailbreaks possible. The reality -- as effectively demonstrated in this instance -- is that the flaws which allow jailbreaks also just happen to open your phone up to malware. Apple is far more concerned with what a malicious entity might do to their customer base through these flaws, than with what the jailbreakers are doing to their own phones. Would that more people understood this.
Precisely!
Re: (Score:2)
Re: (Score:2)
Except this particular vulnerability has precisely nothing to do with jailbreaking. To the contrary, it's a flaw with Apple's own way for enterprise customers to install unapproved apps. ...
While your first sentence is reasonable, (but strictly speaking, does not actually negate anything I said, aside from implying a minimization of the relevancy of my comment) your second sentence is technically incorrect: The enterprise certs are working exactly as they were intended. The real issue is that a malicious entity happened to obtain access to such certs. So the questions are: How did they obtain the certs? And how can Apple prevent future compromises of this nature?
If we apply Hanlon's Razor, I'