
Apple iPhones Attacked by Fake Porn App Malware

UPDATED 1 p.m. and 3 p.m. ET Monday with additional information from Apple.

Until now, you had to jailbreak an iPhone or iPad (or sync it with an infected Mac) to expose it to the same sort of Trojanized apps that plague Android users. But a newly discovered piece of malware known as YiSpecter can display ads on your iPhone's screen, steal information about your device and install other apps, and it does so on iOS devices whether or not they are jailbroken.

Credit: wk1003mike/Shutterstock


You don't need to jailbreak your iPhone or iPad for it to be vulnerable to YiSpecter. According to the Santa Clara, California-based security firm Palo Alto Networks, YiSpecter, currently spreading across the Chinese-speaking world, is baked inside a streaming-video app that promises free pornographic video content and is installed through an unofficial side-loading process rather than through the App Store.


YiSpecter installs on non-jailbroken devices by leveraging iOS enterprise certificates, which Apple issues to corporations that create in-house iOS apps for employee use, together with "private" application-programming interfaces (APIs), the undocumented system calls that App Store apps are forbidden to use but that an enterprise-signed app can call because it never passes through App Store review. It is currently functioning as not-terribly-malicious adware, Palo Alto Networks said, but has the power to do much more, including loading more malicious apps. YiSpecter will reappear if users attempt to delete it.
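The two traits described above, an enterprise (in-house) provisioning profile and references to private frameworks, are both visible with static inspection of the .ipa before it is ever installed. The following Python triage script is an added example, not code from the article or from Palo Alto Networks: it unpacks an IPA, pulls the XML plist out of the CMS-signed embedded.mobileprovision (it locates the plist rather than verifying the signature), flags the ProvisionsAllDevices marker that only enterprise profiles carry, and scans any Mach-O member for /System/Library/PrivateFrameworks/ paths. It assumes the standard Payload/<name>.app/ layout and builds a constructed sample IPA in memory; the team name, bundle identifier and the MobileInstallation framework reference in that sample are made up for the demonstration and are not claims about YiSpecter's binary.

```python
import io
import plistlib
import re
import zipfile
from typing import Any, Dict

# Private frameworks live under this path on iOS; App Store apps may not link them.
PRIVATE_FW_RE = re.compile(rb"/System/Library/PrivateFrameworks/([A-Za-z0-9_]+)\.framework")

# Mach-O magic numbers as they appear on disk: 32-bit, 64-bit (little-endian) and fat/universal.
MACHO_MAGICS = (b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")


def extract_profile_plist(blob: bytes) -> Dict[str, Any]:
    """embedded.mobileprovision is a CMS (PKCS#7) blob wrapping an XML plist.
    For triage we cut the plist out by its markers; signature verification is a separate step."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist found inside provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def triage_ipa(ipa_bytes: bytes) -> Dict[str, Any]:
    """Report the signing/provisioning posture and private-framework usage of an IPA."""
    findings: Dict[str, Any] = {
        "enterprise_profile": False,
        "team": None,
        "private_frameworks": [],
        "warnings": [],
    }
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = z.namelist()
        profiles = [n for n in names if n.endswith("embedded.mobileprovision")]
        if not profiles:
            findings["warnings"].append("no embedded.mobileprovision (App Store-signed, or profile stripped)")
        else:
            profile = extract_profile_plist(z.read(profiles[0]))
            findings["team"] = profile.get("TeamName")
            # ProvisionsAllDevices is set only in enterprise (in-house) distribution profiles.
            if profile.get("ProvisionsAllDevices"):
                findings["enterprise_profile"] = True
                findings["warnings"].append("enterprise distribution profile: installable on any device, no App Store review")
            if profile.get("Entitlements", {}).get("get-task-allow"):
                findings["warnings"].append("development profile: app is debuggable")
        # Scan every Mach-O member (main binary, frameworks, extensions) for private framework paths.
        seen = set()
        for name in names:
            if name.endswith("/"):
                continue
            data = z.read(name)
            if data[:4] not in MACHO_MAGICS:
                continue
            for match in PRIVATE_FW_RE.finditer(data):
                seen.add(match.group(1).decode())
        findings["private_frameworks"] = sorted(seen)
        if seen:
            findings["warnings"].append("references private frameworks: " + ", ".join(sorted(seen)))
    return findings


def build_sample_ipa(enterprise: bool) -> bytes:
    """Constructed sample IPA for the demonstration (not a real app): a minimal Payload/ tree with a
    fake CMS-wrapped profile and a stand-in Mach-O whose only content is a private framework path."""
    profile: Dict[str, Any] = {
        "AppIDName": "Example App",
        "Name": "Example In-House Profile",
        "TeamName": "Example Corp (constructed)",
        "TeamIdentifier": ["ABCDE12345"],
        "Entitlements": {"application-identifier": "ABCDE12345.com.example.app", "get-task-allow": False},
    }
    if enterprise:
        profile["ProvisionsAllDevices"] = True
    xml = plistlib.dumps(profile)
    # Imitate the CMS wrapper: opaque DER bytes on either side of the plist.
    cms_blob = b"\x30\x82\x10\x00" + b"\x00" * 16 + xml + b"\x00" * 16
    # Stand-in 64-bit Mach-O: correct magic, then a private framework path where the string table would be.
    fake_macho = b"\xcf\xfa\xed\xfe" + b"\x00" * 28 + \
        b"/System/Library/PrivateFrameworks/MobileInstallation.framework/MobileInstallation\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Example.app/Info.plist", plistlib.dumps({"CFBundleIdentifier": "com.example.app"}))
        z.writestr("Payload/Example.app/embedded.mobileprovision", cms_blob)
        z.writestr("Payload/Example.app/Example", fake_macho)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        report = triage_ipa(build_sample_ipa(enterprise=flag))
        print(report)
```

Run against a real IPA by replacing build_sample_ipa with open(path, "rb").read(). An enterprise profile on an app that was never meant for one organization's employees is the signal worth acting on; the private-framework scan is a string match and will miss symbols resolved at runtime (dlopen/NSClassFromString), so treat a clean result as "nothing obvious" rather than "nothing there".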


YiSpecter may in fact be the first clear-cut example of deliberately designed non-jailbroken iOS malware reported in the wild. Last year's WireLurker Trojan was arguably earlier, but iOS devices were infected by WireLurker only after being connected via a USB cable to "trusted" Mac OS X computers that had already been infected by the same malware.

Last month's widely reported outbreak of possibly malicious apps in the official Apple App Store was due to a tampered-with copy of Xcode, Apple's development environment for iOS and Mac apps, being distributed to Chinese developers through unofficial download mirrors; apps built with it carried the malicious code through App Store review.

Palo Alto Networks also claims that YiSpecter is not alone in taking advantage of private APIs. The security firm said more than 100 apps that used private APIs not documented by Apple had been found in Apple's App Store, despite App Store review rules that prohibit them.

According to Quartz, "a source close to the matter" (possibly an Apple employee) said the flaw exploited by YiSpecter has been patched in iOS 9. Apple did not immediately respond to a request for comment from Tom's Guide.

UPDATE: An Apple spokesman told Tom's Guide that iOS 9 did indeed patch the vulnerability used by the malicious app, and that the certificates used by the app had been revoked. The spokesman also said the flaw primarily affects iOS 8.3 and older.

UPDATE: Apple has released an official statement, which reads in full:

"This issue only impacts users on older versions of iOS who have also downloaded malware from untrusted sources. We addressed this specific issue in iOS 8.4 and we have also blocked the identified apps that distribute this malware. We encourage customers to stay current with the latest version of iOS for the latest security updates. We also encourage them to only download from trusted sources like the App Store and pay attention to any warnings as they download apps."