Tuesday, October 6, 2015

Malware on iPhones without a jailbreak – Computerworld

For the first time, researchers at Palo Alto Networks have found malware that can infect iPhones that have not been jailbroken. The discovered malware currently attacks only users in China and Taiwan. Its infection vectors are redirected traffic, an SNS worm spread in a Windows environment, and offline installation of apps actively promoted on social networks. It is known for certain that the software has been operating for more than 10 months, yet at the time this report was written only one of the antivirus engines used by the VirusTotal portal (Qihoo) detected it. A fake certificate was used to circumvent security.

Four components, an enterprise certificate

iOS does not allow software to be installed in any way other than through the App Store or by signing it with a digital certificate under an enterprise agreement. The attackers used the latter option, signing their code with forged Verisign and Symantec certificates. By exploiting flaws in the iOS programming interface (API), the components are downloaded one after another from the server controlling the botnet and installed. Three of these modules hide their icons so that they do not appear on the SpringBoard, which makes removing the malware difficult. In addition, the components use the same names and icons as the corresponding system applications, which complicates removal even for advanced users. This is the first widespread case in history of malware taking control of iPhones without a jailbreak and with zero user interaction (automatically). The latest version of Apple's iOS somewhat reduces the risk of unauthorized installation of malware using stolen or forged certificates, because users now have to manually trust each enterprise developer profile.


Infection by the YiSpecter malware after viewing a web page in Safari.

What YiSpecter can do

Phones infected with YiSpecter can download, install and run virtually any software; the malware can replace existing applications with arbitrary code, hijack the execution of other software to display ads, and change Safari settings such as the search engine, bookmarks and opened pages. Users have also reported that the malware reinstalls itself automatically even after it has been removed. The attackers protected this software well: over the past year only 23 samples of this Trojan horse have been examined by the VirusTotal.com service.

A fake porn player

The first reports of malware infecting iPhones came from two Chinese security vendors, Qihoo 360 and Cheetah Mobile. They reported the hijacking of QQ instant messaging sessions by a worm called Lingdun, which directed contacts to a site that installed the malware. The first version had the same user interface as the popular Chinese QVOD player, used mostly for watching pornographic material. After the Chinese police shut down the sites and services served by QVOD, the malware's creators presented their work as an alternative to that service.


Improved security in iOS 9: the user now has to approve the installation of the application. In the previous version of the system it ran without any additional prompts.

The attackers behind the infections in China exploited the practice of local ISPs redirecting traffic by intercepting DNS (DNS hijacking). The method, originally used to inject ads, was repurposed for mass infection. As Palo Alto Networks researchers report, many phones were infected with YiSpecter simply because their users saw the pop-up dialogs these ISPs are well known for, shown while the phone was on a Wi-Fi connection.

The infection also used an SNS worm running in a Windows environment that intercepted the QQ authentication token. It evaded detection because it was signed with a forged Verisign and Symantec certificate. The messages it sent contained a specially crafted link leading directly to a server that delivered malicious software for Android or iPhone, depending on the operating system of the smartphone that connected to it.

An additional distribution channel for the malware was a "gray" part of the Internet that publishes unofficial iOS apps. Some of these applications were later installed on phones from various vendors. The application was promoted on a number of social networking sites (Zhihua, Douban, Weiphone, CocoaChina, Baidu Zhidao and Mobile01), mainly as an alternative to the removed QVOD Player.

Hard-to-remove junk

YiSpecter is much harder to remove than it appears. The software hides its icons from the SpringBoard, so an ordinary user cannot remove it completely. To complicate removal further, the developers made the virus's components hide by pretending to be various applications such as Phone, Weather, Game Center, Passbook, Notes or Cydia. Removing the malware requires a tool that can also delete software that does not appear on the SpringBoard.
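As an added illustration (not part of the article or of any vendor's tooling), the following defender-side check runs over an app inventory exported from a device and flags the two evasion tricks described above: components that borrow a built-in app's name without an Apple bundle identifier, and components whose SpringBoard icon is hidden. The inventory format, the `sb_app_tags` field and the sample entries are assumptions constructed for this example.

```python
# Added example: heuristics for spotting YiSpecter-style evasion in an app
# inventory. The inventory schema (bundle_id, display_name, sb_app_tags,
# signer) and the sample data are constructed assumptions, not a real export.

# Built-in app names the article says the malware components impersonate.
SYSTEM_APP_NAMES = {"Phone", "Weather", "Game Center", "Passbook", "Notes"}
APPLE_PREFIX = "com.apple."  # genuine Apple apps live under this prefix (assumed)


def flag_suspicious_apps(inventory):
    """Return {bundle_id: [reasons]} for apps that match an evasion pattern."""
    findings = {}
    for app in inventory:
        bid = app["bundle_id"]
        is_apple = bid.startswith(APPLE_PREFIX)
        reasons = []
        # 1. Named like a system app but not signed/identified as Apple's.
        if app["display_name"] in SYSTEM_APP_NAMES and not is_apple:
            reasons.append(f"impersonates system app {app['display_name']!r}")
        # 2. Icon hidden from the SpringBoard; a normal third-party app has no
        #    reason to do this, and the article names it as the removal obstacle.
        if "hidden" in app.get("sb_app_tags", []) and not is_apple:
            reasons.append("icon hidden from SpringBoard")
        # 3. Enterprise-signed apps bypass App Store review, so a hit above
        #    combined with enterprise signing raises the priority.
        if reasons and app.get("signer") == "enterprise":
            reasons.append("enterprise-signed (no App Store review)")
        if reasons:
            findings[bid] = reasons
    return findings


# Constructed sample inventory: one genuine app, one hidden impersonator,
# one visible enterprise app, one App Store app reusing a system name.
SAMPLE_INVENTORY = [
    {"bundle_id": "com.apple.mobilephone", "display_name": "Phone",
     "sb_app_tags": [], "signer": "apple"},
    {"bundle_id": "com.example.dropper", "display_name": "Phone",
     "sb_app_tags": ["hidden"], "signer": "enterprise"},
    {"bundle_id": "com.example.player", "display_name": "QVOD Player",
     "sb_app_tags": [], "signer": "enterprise"},
    {"bundle_id": "com.example.notes2", "display_name": "Notes",
     "sb_app_tags": [], "signer": "app-store"},
]

if __name__ == "__main__":
    for bundle_id, reasons in flag_suspicious_apps(SAMPLE_INVENTORY).items():
        print(bundle_id, "->", "; ".join(reasons))
```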
