{
	"id": "272e4ad8-9bd7-44e7-9d11-dbd5086b261a",
	"created_at": "2026-04-06T03:37:25.591536Z",
	"updated_at": "2026-04-10T13:11:59.862174Z",
	"deleted_at": null,
	"sha1_hash": "ef81e3cb9f55f0da29bea9277b6289eafba43805",
	"title": "YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4516492,
	"plain_text": "YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS\r\nDevices by Abusing Private APIs\r\nBy Claud Xiao\r\nPublished: 2015-10-05 · Archived: 2026-04-06 03:14:34 UTC\r\nSummary\r\nWe recently identified a new Apple iOS malware and named it YiSpecter. YiSpecter is different from previously seen iOS\r\nmalware in that it attacks both jailbroken and non-jailbroken iOS devices through unique and harmful malicious behaviors.\r\nSpecifically, it’s the first malware we’ve seen in the wild that abuses private APIs in the iOS system to implement malicious\r\nfunctionalities.\r\nSo far, the malware primarily affects iOS users in mainland China and Taiwan. It spreads via unusual means, including the\r\nhijacking of traffic from nationwide ISPs, an SNS worm on Windows, and an offline app installation and community\r\npromotion. Many victims have discussed YiSpecter infections of their jailbroken and non-jailbroken iPhones in online\r\nforums and have reported the activity to Apple. The malware has been in the wild for over 10 months, but out of 57 security\r\nvendors in VirusTotal, only one is detecting the malware at the time of this writing.\r\nYiSpecter consists of four different components that are signed with enterprise certificates. By abusing private APIs, these\r\ncomponents download and install each other from a command and control (C2) server. Three of the malicious components\r\nuse tricks to hide their icons from iOS’s SpringBoard, which prevents the user from finding and deleting them. The\r\ncomponents also use the same name and logos of system apps to trick iOS power users.\r\nOn infected iOS devices, YiSpecter can download, install and launch arbitrary iOS apps, replace existing apps with those it\r\ndownloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and\r\nopened pages, and upload device information to the C2 server. 
According to victims’ reports, all these behaviors have been\r\nexhibited in YiSpecter attacks in the past few months. Some other characteristics about this malware include:\r\nWhether an iPhone is jailbroken or not, the malware can be successfully downloaded and installed\r\nEven if you manually delete the malware, it will automatically re-appear\r\nUsing third-party tools you can find some strange additional “system apps” on infected phones\r\nOn infected phones, in some cases when the user opens a normal app, a full screen advertisement will show\r\nYiSpecter is the latest in a line of significant malware families to target iOS devices. Previously, the malware WireLurker\r\ndemonstrated the ability to infect non-jailbroken iOS devices by abusing enterprise certificates, and academic researchers\r\nhave discussed how private APIs can be used to implement sensitive functionalities in iOS. However, YiSpecter is the first\r\nreal world iOS malware that combines these two attack techniques and causes harm to a wider range of users. It pushes the\r\nboundary of iOS security back another step.\r\nMoreover, recent research shows that over 100 apps in the App Store have abused private APIs and bypassed Apple’s strict\r\ncode review. What that means is the attacking technique of abusing private APIs can also be used separately and can affect\r\nall normal iOS users who only download apps from the App Store.\r\nPalo Alto Networks has released IPS and DNS signatures to block YiSpecter’s malicious traffic. This blog also contains\r\nsuggestions for how other users can manually remove YiSpecter and avoid potential similar attacks in the future. Apple has\r\nalso been notified.\r\nBackground\r\nOn February 7, 2015, Qihoo 360 and Cheetah Mobile, two security companies in China, posted analysis reports separately\r\nabout a Windows worm named “Lingdun(灵顿)”. 
The Lingdun worm hijacked victims’ QQ sessions (a popular IM program\r\nhttps://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/\r\nPage 1 of 26\n\nproduced by Tencent) and sent malicious links to their QQ contacts. According to those reports, if a user clicked the\r\nmalicious links using Android or iOS devices, an Android Adware or an iOS Adware would be installed. Qihoo 360 and\r\nCheetah Mobile found that the installed apps’ main behavior is to promote other mobile apps, and classified them as Android and\r\niOS variants of the Lingdun worm.\r\nFigure 1. Accessing Lingdun's webpage with an iPhone will infect the device with YiSpecter\r\nAfter further investigation, however, we think their analysis is incomplete and has led to an incorrect conclusion. The iOS\r\napp spread by Lingdun and the malicious components it installs have different developers, different Command and Control\r\n(C2) servers, different purposes, and different code signing certificates. Therefore, we don’t believe them to be variants of\r\nthe Lingdun worm but instead separate malware using the Lingdun worm to spread. Additionally, we found these iOS apps\r\nhave many more malicious functions than previously disclosed. Hence we do not refer to this malware family as Lingdun and\r\nhave given it the new name YiSpecter.\r\nQihoo 360 and Cheetah Mobile didn’t share samples of YiSpecter with the security community nor did they disclose file\r\nhash values we could use to identify their samples. As a result, until now, no other security vendor has detected YiSpecter as\r\nmalware.\r\nIn the course of our investigation, we found 23 samples of YiSpecter were submitted to VirusTotal from different countries\r\nbetween November 2014 and August 2015. 
Except for Qihoo, the 56 antivirus engines included in VirusTotal didn’t detect\r\nthese files (as shown in Figure 2). Qihoo’s detection result uses the meaningless name “virus.ios.hidden”. It is also worth\r\nnoting that all of these samples belong to YiSpecter’s main apps, and its three additional malicious components were not\r\nuploaded to VirusTotal until we published this report. All of these samples are listed at the end of this report.\r\nFigure 2. YiSpecter is not detected by nearly all AntiVirus programs\r\nUncommon Spreading Methods\r\nYiSpecter began to spread in the wild in November 2014, if not earlier. The main iOS apps of this malware have a user\r\ninterface and functionality that enable the watching of free porn videos online, and were advertised as a “private version” or\r\n“version 5.0” of a famous media player “QVOD”. QVOD was developed by Kuaibo(快播) and became popular in China among\r\nusers who share porn videos. Kuaibo was investigated by a local police department in April 2014 and at the same time their\r\nonline video playing service was terminated. After that event, the attackers behind YiSpecter began to claim their app as an\r\nalternative QVOD to attract users into installing their software.\r\nSo far we have identified four different mechanisms YiSpecter uses to infect phones.\r\nInternet Traffic Hijacking\r\nIn the past 6 years, many Chinese media organizations (including state television) have reported that local ISPs in some\r\nprovinces have supported DNS hijacking and Internet traffic hijacking attacks. ISPs hijacked the traffic to display\r\nadvertisements to their users. 
For example, when Internet users use their computers or mobile phones to browse a website,\r\nthe ISP will inject JavaScript code or HTML content into the session, which results in advertisements being displayed in the\r\nreturned webpage. Last year, we also observed that some ISPs replaced app download URLs with other apps. For example,\r\nif a URL ends with “.apk” (i.e. downloading an Android app), it will be redirected to a different URL, downloading a\r\n“promoted” app onto the victims’ Android phones. YiSpecter, as far as we know, is the first malware that has been spread by\r\nISPs hijacking Internet traffic.\r\nMany users based in mainland China and Taiwan have discussed their infections by YiSpecter online (we will introduce\r\nthese discussions in the next section.) From their discussions and reports, we found that more than half of the infections came\r\nfrom pop-up dialogs displayed when browsing famous news websites.\r\nFor example, Figure 3 shows a screenshot posted to Apple’s official support community. It shows that when the author was\r\nbrowsing ITHome.com, an abnormal pop-up dialog asked him to install a “QVOD Private Version” player to “watch special\r\nmovies”.\r\nFigure 3. Ads and pop-up dialog were injected into normal Internet traffic\r\nBased on the users’ discussions, we found the problem only occurred when they were using WiFi networks in their homes;\r\nmobile networks and office networks didn’t appear to be affected. 
Some non-jailbroken iPhone users tried to clear cookies,\r\nreset iOS, change their iCloud accounts, and block pop-ups in Safari, but these operations didn’t resolve the problem.\r\nHowever, if they used a third party mobile browser with built-in proxy functionality to access the same webpage, the\r\nadvertisements disappeared. One user even called his ISP’s service phone number to complain and the problem was resolved\r\n– these advertisements never appeared again. Based on this information, we believe that the ISP’s traffic hijacking was used to\r\nspread the malware in these cases, and not a malicious third party.\r\nSNS Worm\r\nAccording to analysis reports by Qihoo 360 and Cheetah Mobile, YiSpecter was also spread by the Lingdun worm.\r\nLingdun uses fake VeriSign and Symantec certificates to bypass malware detection systems. Its primary goal is to download\r\nand to install additional Windows software onto a PC. Most of this additional software is benign but at least one installation\r\nwas malicious. The malware fetches the current user’s QQ authorization token by accessing Tencent’s unified login\r\ninterface, then acquires a key to access all QQ services. Specifically, it will access the QQ Discussion Group’s file sharing\r\ninterface to upload malicious HTML files. These HTML files have names including pornographic and sexually suggestive\r\nwords and will be shared with all other QQ users in the same discussion group.\r\nFigure 4. A malicious webpage uploaded by the Lingdun worm\r\nIf other QQ users access these malicious HTML files, the webpage will determine their devices’ type by User-Agent value\r\nand distinguish Windows, Linux, Android, iOS (including iPhone and iPad), and Windows Phone. 
If the device is Android,\r\nthe session will be redirected to download an Android Adware that prompts the user to install other porn apps. If the device\r\nis an iPhone or iPad, the session will be redirected to download the YiSpecter malware (Figure 1).\r\nWe listed hash values of all publicly available samples of the Lingdun worm at the end of this article.\r\nOffline App Installation\r\nDuring our investigation, we found that the main YiSpecter apps were also published on multiple underground app\r\ndistribution websites (Figure 5).\r\nIn an underground or “gray” mobile app ecosystem, mobile app developers (including malware authors) will post tasks of\r\ndistributing their apps to these kinds of websites. Distributors will then accept these tasks, and install the apps on other users’\r\nphones to earn a promotion fee from developers. For example, some third-party mobile phone retailers and maintenance\r\nsuppliers will install apps on any mobile phone they can access; and mobile malware developers also install apps to earn\r\nincome from devices they have infected.\r\nFigure 5. YiSpecter apps were listed in underground app distribution websites\r\nFrom one of these websites (Figure 5), we see that many tasks to distribute YiSpecter were created in May 2015 and July\r\n2015. The promotion fee for one installation is between 1.80 and 2.50 RMB (about US $0.30 to $0.40.) These tasks’\r\ndescriptions also showed that the YiSpecter apps have a backend system to automatically track installations, thus distributors\r\ndo not need to provide screenshots to prove their successful infections.\r\nCommunity Promotion\r\nWe also found that YiSpecter’s author tried to directly promote their malicious apps on social networks and in public\r\ncommunities. 
For example, in a popular Chinese online forum, we found a user posted an article in January 2015\r\nrecommending the YiSpecter apps as a good replacement for the QVOD player. The user’s account name is “HaoYi Apple\r\nHelper(好易苹果助手)”, which is exactly the name of another product YiSpecter’s author developed. We will describe\r\nYiSpecter’s author in more detail in later sections.\r\nFigure 6. YiSpecter's author recommends the app in a public forum\r\nAttacks and Victims\r\nWhile analyzing YiSpecter’s code, we searched for keywords related to its distribution channels and user interface in\r\nGoogle, and found many victims from mainland China and Taiwan discussing their infections in online forums and social\r\nnetworks including Zhihu, Douban, Weiphone, CocoaChina, Baidu Zhidao and Mobile01.\r\nFor example, one malicious component in YiSpecter shows an interface containing the words “Cydia is detecting and\r\nprotecting” in Chinese (Figure 25). Google showed about 2,580 results by searching for this Chinese sentence (Figure 7).\r\nFigure 7. 
Search for YiSpecter's user interface keyword\r\nBased on these search results, we found some interesting facts about the malware:\r\nWhether an iPhone is jailbroken or not, the malware can be successfully downloaded and installed\r\nEven if you manually delete the malware, it will automatically re-appear (Figure 8)\r\nUsing third-party tools you can find some strange additional “system apps” on infected phones\r\nOn infected phones, in some cases when the user opens a normal app, a full screen advertisement will show\r\nWe explain the details of how this happens in the malicious behaviors analysis section below.\r\nFigure 8. Taiwanese victim writes that the malware reappeared after deleting it\r\nYiSpecter Components and C2 Server\r\nYiSpecter consists of four different components: various main apps that are distributed through the means described earlier,\r\nand three different malicious apps that are installed by these main apps. All samples analyzed and discussed in previous\r\nresearch are the various main apps, while the three malicious apps have not been revealed before.\r\nMain Apps\r\nAs far as we know, there are at least two main apps distributed in the wild thus far:\r\nHYQvod (bundle id: weiying.Wvod)\r\nDaPian (bundle id: weiying.DaPian)\r\nBoth of them were spread by one or more of the multiple ways described earlier. They include the functionality of watching\r\nvideos online by consuming credits, and users can get credits by installing additional iOS apps they promote (Figure 9). But\r\nmost importantly, they will download and install another malicious app we have named NoIcon.\r\nFigure 9. 
Main app asks users to install other iOS apps to earn credits\r\nNoIcon\r\nNoIcon (bundle id: com.weiying.hiddenIconLaunch) is the main malicious component of YiSpecter. It takes the following\r\nactions on an infected device:\r\nConnect to the command and control server using HTTP\r\nUpload basic device information\r\nRetrieve and execute remote commands\r\nChange the iOS default Safari configuration\r\nSilently install two additional malicious apps “ADPage” and “NoIconUpdate”\r\nMonitor other installed applications and hijack their launch routine to use “ADPage” to display advertisements\r\nAdditionally, NoIcon can be remotely controlled to download and install arbitrary iOS apps from the C2 server or uninstall\r\nany existing apps in the iOS system.\r\nADPage\r\nADPage (bundle id: com.weiying.ad) is responsible for displaying advertisements when NoIcon hijacks the execution of\r\nlegitimate apps.\r\nNoIconUpdate\r\nNoIconUpdate (bundle id: com.weiying.noiconupdate) regularly checks for other components’ existence, connects with the\r\nC2 server and reports its installation information. It also checks for updated versions of the malware and installs them.\r\nC2 Server\r\nYiSpecter uses “bb800.com” as its C2 server’s domain name. In VirusTotal, there are 38 records of subdomains under this\r\ndomain name. 
Sixteen of them have been used by Android Adware for years, e.g., ad.bb800[.]com and down.bb800[.]com.\r\nAnother subdomain, ty1.bb800[.]com, was used by a Windows virus Almanahe.B.\r\nYiSpecter uses these subdomains:\r\niosnoico.bb800[.]com: used to upload information, download configs and commands, download malicious\r\ncomponents (Figure 10)\r\nqvod.bb800[.]com: used to download main app\r\nqvios.od.bb800[.]com: used to download main app\r\ndp.bb800[.]com: used to download promoted iOS apps\r\niosads.cdn.bb800[.]com: used to download promoted iOS apps and malicious components\r\nNote that the main C2 subdomain, iosnoico.bb800[.]com, is not observed in VirusTotal and also has no results in Google\r\nsearches.\r\nFigure 10. C2 server access logs in cache in a victim's iPhone\r\nIn some online articles, YiSpecter’s author posted URLs like “https://qvod.bb800[.]com/itms-services/jx152” for readers to\r\ndownload its main apps. When accessing these URLs from iPhone or iPad, victims are redirected to URLs like “itms-services://?action=download-manifest\u0026url=https://qvod.bb800.com/assets/upload/3794.plist”. Here “itms-services://” is a\r\nprotocol used by iOS for enterprise app distribution (Figure 11). Through crawling these URLs, we found at least 102\r\nversions of main apps that were developed from Nov 2014 to Sep 2015.\r\nFigure 11. PLIST file hosted by C2 server for YiSpecter's installation\r\nMalicious Behavior Analysis\r\nIn this section, we’re going to describe the malicious behaviors seen in each component of YiSpecter. 
The samples we\r\nanalyzed are listed in the Appendix and will be shared with the security community for research and detection.\r\nAbusing Enterprise Certificates\r\nYiSpecter’s malicious apps were signed with three iOS enterprise certificates issued by Apple so that they can be installed as\r\nenterprise apps on non-jailbroken iOS devices via in-house distribution. The “main” apps used a certificate for “Changzhou\r\nWangyi Information Technology Co., Ltd.” and then later used a certificate from “Baiwochuangxiang Technology Co., Ltd.”\r\nThe three malicious components all used the same certificate belonging to “Beijing Yingmob Interaction Technology co,\r\n.ltd” (Figure 12).\r\nFigure 12. NoIcon used enterprise certificate for YingMob Interaction\r\nThrough this kind of distribution, an iOS app can bypass Apple’s strict code review procedures and can invoke iOS private\r\nAPIs to perform sensitive operations. There is one disadvantage to using this method for installation compared to the official\r\nApp Store: when these apps are executed for the first time iOS displays a dialog to notify the user that the apps are from a\r\nspecific developer (Figure 13). However, many iOS users may simply click “Continue” and not be aware of the security\r\nimplications of their choice.\r\nNote that, in Apple’s just-released iOS 9, enterprise certificate security has been improved. Users now must manually set a\r\nrelated provisioning profile as “trusted” in Settings before they can install Enterprise provisioned apps.\r\nFigure 13. 
iOS displays a dialog the first time a user opens an enterprise-signed app\r\nThe enterprise distribution program was designed for companies and organizations to distribute private iOS apps internally.\r\nWireLurker and YiSpecter’s usages obviously violate the license and the spirit of this program.\r\nInstalling Malicious Apps\r\nEach time a user opens the main app of YiSpecter, it will invoke the [HYOwner checkI0S8_3AndJaikbreakOrNot] function.\r\nThis function checks whether the current iOS system is older than version 8.3 and then determines if NoIcon is already\r\ninstalled. After that it checks whether the device is jailbroken or not by attempting to access a “cydia://” URL.\r\nIf the infected device has an iOS version less than 8.3, and NoIcon hasn’t been installed yet, whether the device is jailbroken\r\nor not, YiSpecter will invoke the function [HYAppDelegate requestNoicon:] to download the NoIcon IPA installer and\r\nPLIST manifest files (Figure 14).\r\nFigure 14. Main app downloads NoIcon for both jailbroken and non-jailbroken devices\r\nThe main app installs NoIcon in a unique way. The app opens an HTTP server and listens on port 8080 using\r\n[HYAppDelegate createLocalHTTPServer] (Figure 15). After downloading NoIcon’s IPA and PLIST files, it will use\r\nthese files’ local paths to construct a local HTTP URL and display an alert dialog with meaningless title and button text to\r\nthe user (Figure 16). If the user clicks the button in the dialog, the HTTP server will handle the local HTTP URL and NoIcon\r\nwill be installed using the itms-services protocol. With this mechanism YiSpecter uses the infected iOS device as an\r\nenterprise apps’ distribution server.\r\nFigure 15. 
Main app launched a local HTTP server\r\nFigure 16. Main app constructs NoIcon installation URL and prompts alert dialog\r\nAfter NoIcon is installed, it will install two more malicious apps: ADPage and NoIconUpdate. After downloading ADPage\r\nand NoIconUpdate’s IPA installer files, NoIcon does not use an HTTP server like the main app, but uses iOS’s private APIs\r\ndefined in the private framework MobileInstallation to install them (Figure 17). More specifically, NoIcon invokes the\r\nMobileInstallationInstall methods implemented in the framework to install the local IPA file. It also claimed the necessary\r\nprivate entitlement key “com.apple.private.mobileinstall.allowedSPI” which should only be used by system apps in iOS\r\n(Figure 18). Again, through enterprise distribution, YiSpecter successfully bypassed the App Store’s code review process\r\nthat typically would prevent an app from using these private APIs.\r\nNote that NoIcon, ADPage, and NoIconUpdate are signed with the same enterprise certificate. Since the user has accepted the\r\nprovisioning profile when installing NoIcon, ADPage and NoIconUpdate can be installed in this way without any user\r\nnotification.\r\nFigure 17. NoIcon downloads ADPage's IPA file and installs it\r\nFigure 18. NoIcon has private entitlement for app installation\r\nUninstalling Existing Apps\r\nNoIcon has another functionality called “fakeApps”. If it receives this command from the C2 server, it will uninstall the iOS\r\napp specified in the command from the current device (Figure 19). Then, it will install another downloaded app as a fake\r\nversion to trick the user. 
This uninstallation operation is also implemented using a private API -- the\r\nMobileInstallationUninstall defined in the MobileInstallation framework.\r\nFigure 19. NoIcon uninstalls the specified app in fakeApps command\r\nSelf Monitoring and Updating\r\nThe NoIconUpdate will regularly check whether all these malicious components are installed, then connect with YiSpecter’s\r\nC2 server to check for updates. This is why some victims deleted the main app and NoIcon but the malware still remained\r\non the phone.\r\nFigure 20. NoIconUpdate checks installed components' version\r\nAdditionally, NoIconUpdate will regularly check whether NoIcon is running. If not, it will launch NoIcon immediately.\r\nFigure 21. NoIconUpdate checks running status and launches NoIcon\r\nHiding Icon in SpringBoard\r\nNoIcon, ADPage and NoIconUpdate use a trick to hide their icons from SpringBoard (the desktop in iOS.) In their Info.plist\r\nfile, the “SBAppTags” key contains a value of “hidden” (Figure 22). Any app with this characteristic will not be shown in\r\nSpringBoard, hence the user won’t see its icon and its name. This mechanism is used by some preinstalled apps for testing\r\nand diagnostics on the iOS system. In February 2015, an iOS Spyware XAgent (aka PawnStorm) also used this trick.\r\nFigure 22. Part of NoIcon's Info.plist file\r\nThis icon hiding behavior is critical to YiSpecter’s success. Without being able to see the icon, users not only can’t discover\r\nthese malicious apps, but also have no way to uninstall them (because uninstalling an iOS app requires the user to long press\r\nthe app’s icon in SpringBoard). 
This behavior is likely why YiSpecter’s author named the component “NoIcon.”\r\nPretending to be System Apps\r\nEven though icons are hidden from the SpringBoard, YiSpecter’s author still has considered power users who may use third-party tools to manage iPhones or iPads. The author used special display app names and logos for these three apps to make\r\nthem look like iOS system apps. The table below shows the display name and icon of three samples we analyzed. As far as\r\nwe know, YiSpecter has pretended to be the Phone, Weather, Game Center, Passbook, Notes and Cydia apps. While this is a\r\nsimple trick, it may be effective at fooling some users.\r\nComponent Bundle ID Displayed App Name Faked App Logo\r\nNoIcon com.weiying.hiddenIconLaunch Passbook\r\nADPage com.weiying.ad Cydia\r\nNoIconUpdate com.weiying.noiconupdate Game Center\r\nHijacking Other Apps’ Execution to Show Ads\r\nNoIcon will also regularly check which iOS app the user has open. This is implemented by using the private API function\r\nSBSCopyFrontmostApplicationDisplayIdentifier defined in the SpringBoardServices framework. NoIcon receives an\r\nallowlist of apps from the C2 server and checks if the currently running app is on this list, which contains YiSpecter’s\r\ncomponents and apps built by Apple. If the app isn’t in the list, NoIcon will launch the ADPage app by executing another\r\nprivate API function: SBSLaunchApplicationWithIdentifier.\r\nFigure 23. NoIcon compares current running app with allowlist\r\nFigure 24. NoIcon launches ADPage to cover other apps' user interface\r\nThe launched ADPage will show a full screen with the words “Cydia is detecting and protecting” in Chinese (Figure 25), then\r\ndisplay some advertisements provided by third-party mobile ads platforms. 
Through this mechanism NoIcon and ADPage\r\nsuccessfully hijack other iOS apps’ execution and show their advertisements to victims. This is the most significant behavior\r\nreported by victims, as it is disruptive to their regular use of iOS devices.\r\nFigure 25. ADPage's full screen before displaying advertisement\r\nChanging Safari Configurations\r\nAnother feature of NoIcon allows it to change Safari browser’s configurations on jailbroken devices by directly writing to\r\nlocal configuration and database files.\r\nIf NoIcon receives a specific command from the C2 server, it will enumerate all subdirectories in the\r\n“/var/mobile/Applications” directory to find a “Preferences/com.apple.mobilesafari.plist” file. Thus, it can identify the Safari\r\napp’s home directory. It then modifies this plist file to change Safari’s default search engine to a specified one between\r\nGoogle, Bing, Yahoo and Baidu (Figure 26). However, in a nearby piece of code, we found that Baidu was specifically hard\r\ncoded as the target search engine in some situations (Figure 27).\r\nFigure 26. NoIcon locates Safari's config file and changes default search engine\r\nFigure 27. NoIcon hard-coded to change default search engine to Baidu\r\nAdditionally, NoIcon changes Safari’s bookmarks database to update all existing bookmark URLs to the URL specified\r\nby the C2 server. It will also write Safari’s SuspendStates.plist file to change all latest opened webpages’ URLs to the specified\r\nURL.\r\nNote that all these behaviors also occurred according to victims’ reports posted in online forums.\r\nFigure 28. 
Change URLs in all existing bookmarks\r\nFigure 29. Change URLs in latest opened pages\r\nCollecting and Uploading Device Information\r\nAll of the malicious YiSpecter apps collect some device information and upload it to the C2 server, including:\r\nA list of installed iOS apps, by invoking the private API MobileInstallationLookup;\r\nA list of running processes, by invoking sysctl;\r\nThe device UUID;\r\nThe device MAC address, by invoking sysctl.\r\nWho’s Behind YiSpecter?\r\nThere is a lot of evidence suggesting that YiSpecter was developed by a company named “YingMob Interaction (微赢互动)”.\r\nFor example, three of four components are signed by YingMob Interaction’s enterprise certificate. In the NoIconUpdate’s\r\ncode, we even found a README.md which names the company in the app’s release notes. YiSpecter’s C2 server has hosted\r\nsome websites belonging to YingMob. For example, if we directly visit the subdomain for YiSpecter’s downloading,\r\nqvod.bb800[.]com, we can find it’s a “WAP iOS Traffic Platform Backend Management System” with copyright\r\ninformation of YingMob Interaction.\r\nFigure 30. README.md in the NoIconUpdate\r\nFigure 31. YiSpecter's C2 server page has YingMob Interaction's copyright info\r\nFigure 32. YingMob Interaction official website\r\nYingMob Interaction’s official website shows it’s a Chinese mobile advertisement platform. In addition to YiSpecter we\r\nfound the company also developed an iOS “helper” tool named “HaoYi Apple Helper(好易苹果助手)”. 
The tool was later\r\nrenamed “Fengniao Helper(蜂鸟助手)”. The tool’s website is http://zs.haoyi.com/, but another subdomain under YiSpecter’s C2 domain,\r\nhttp://zs.od.bb800.com, redirects to zs.haoyi.com. The helper tool claims it can help users\r\ninstall all paid iOS apps from the App Store without jailbreaking, and it gives Apple IDs to users as gifts so they can avoid\r\nregistering with Apple. These functionalities are similar to what the iOS Trojan KeyRaider did earlier this year. Based on\r\nvictims’ discussions, we found that YiSpecter frequently asks users to install this helper tool.\r\nFigure 33. Fengniao Helper developed by YingMob Interaction\r\nRelationship between YiSpecter and XcodeGhost\r\nIn September 2015, we investigated an OS X and iOS malware named XcodeGhost. By infecting Xcode, this\r\ncompiler malware was compiled into thousands of iOS apps in the App Store and affected hundreds of millions of\r\nusers.\r\nWhile YiSpecter and XcodeGhost both attacked non-jailbroken iOS devices, they are not related to each other. We believe\r\nthat YiSpecter and XcodeGhost were developed by different attackers, and there is no evidence of cooperation between the\r\ntwo developers so far.\r\nHowever, from a technical perspective, it is still interesting to discuss potential connections between them.\r\nFirst, we explained that XcodeGhost could be remotely controlled by attackers to open arbitrary URLs, including a\r\nURL that asks the user to install any app signed with an enterprise certificate. Hence, XcodeGhost could be another way to distribute\r\nmalware like YiSpecter. In fact, not only XcodeGhost but also legitimate iOS apps in the App Store can do this.\r\nSecond, we explained that XcodeGhost collects system and app information and uploads it to its C2 server. 
People may be\r\ncurious why the malware collects this data. YiSpecter also exhibits this behavior, but it additionally installs further\r\napps silently, which XcodeGhost does not.\r\nIn the underground ecosystem, when someone distributes apps for a fee they typically need some evidence to prove they\r\nwere successful. For example, after YiSpecter silently installs other apps or games, the attacker could provide the related device\r\nand app information to paying developers in order to collect his or her fee. Given that XcodeGhost did not install other apps\r\nbut uploaded that information by default, we suspect that XcodeGhost may have been scamming other underground\r\ndistributors by collecting the evidence of installation without actually performing it.\r\nSecurity Risks and Related Threats\r\nThe world in which only jailbroken iOS devices were threatened by malware is a thing of the past. WireLurker proved that\r\nnon-jailbroken iOS devices can also be infected through abuse of the enterprise distribution mechanism. YiSpecter further\r\nshows us that this technique is being used to infect many iOS devices in the wild.\r\nThe key techniques deployed in YiSpecter are bypassing App Store review by using enterprise distribution and abusing iOS\r\nprivate APIs to perform sensitive operations. This method has been discussed in several top academic conference papers in\r\nrecent years (e.g., Tielei Wang et al. at USENIX Security 2013, Min Zheng et al. at AsiaCCS 2015, and Zhui Deng et al. at\r\nCCS 2015). However, YiSpecter is the first iOS malware in the wild to adopt this technique to launch a wide range of\r\nattacks. 
This attack vector breaks Apple’s security mechanisms and is likely to be abused in future attacks.\r\nFor years Apple has searched for private APIs used in apps submitted to the App Store and rejected the apps found using\r\nthem. However, apart from enterprise distribution, there are still ways to bypass this security check.\r\nIn the Objective-C language, invoking a method of an Objective-C object is not implemented through a virtual table as in\r\nC++. Objective-C uses a central message dispatch mechanism in which the class and the method (selector) are resolved from\r\nname strings at run time, for example through objc_getClass and sel_registerName, and the call is then made through\r\nobjc_msgSend. Hence, a malware author can keep the class and method names obfuscated or encrypted in the binary, decode them\r\njust before the call, and use private APIs without those names ever appearing in clear text. Apple’s code\r\nreview, which searches the submitted binary for private symbols and selector names, is not strong enough to catch this, so apps\r\nusing private APIs in this way pass review and reach the App Store.\r\nIn fact, in one academic paper, “iRiS: Vetting Private API Abuse in iOS Applications”, at the coming ACM Conference on\r\nComputer and Communications Security (CCS 2015), researchers Zhui Deng et al. from Purdue University\r\ndiscovered 146 iOS apps from the App Store that abused 150 different private APIs, including 25 that are security\r\ncritical. These made up about 7 percent of all apps they analyzed. Note that they even found a third-party advertisement\r\nlibrary that abused private APIs to collect private user information.\r\nThis observation is significant, because as a community many of us have considered Apple’s code review for private APIs\r\ngood enough, and assumed that abusing private APIs could only succeed when combined with enterprise distribution (as in the case\r\nof YiSpecter). 
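To make the review-evasion point above concrete, here is an added example written for this page; it is not code from the original report and not YiSpecter code. It models, on a constructed byte string standing in for an app binary, what a string-table check sees when a private-API name is stored in clear text versus XOR-obfuscated and decoded only at run time. MobileInstallationLookup is the private API named in this report; the other two names in the list, the single-byte XOR key and the filler bytes are assumptions made for the illustration. The last function shows that a check which undoes the same decoding before matching recovers the name, which is the idea behind the vetting approach cited above.

```python
# Added example for this page; not code from the Palo Alto report or from
# YiSpecter. It models why a review-time string check is weak against the
# trick described above: the check can only match private-API class and
# selector names that sit in the binary as clear-text C strings, while an
# app that stores them obfuscated and decodes them just before calling
# objc_getClass / sel_registerName / objc_msgSend leaves nothing to match.

# Names such a check might carry. MobileInstallationLookup is named in the
# report; the other two are assumed entries for the illustration.
PRIVATE_API_NAMES = {
    'MobileInstallationLookup',
    'LSApplicationWorkspace',
    'SBSLaunchApplicationWithIdentifier',
}

KEY = 0x5A  # assumed single-byte XOR key: the trivial obfuscation meant here


def extract_c_strings(blob, min_len=6):
    '''Printable ASCII runs of at least min_len bytes, like strings(1).'''
    out, run = [], bytearray()
    for b in blob:
        if 0x20 <= b <= 0x7E:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode('ascii'))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode('ascii'))
    return out


def match_private(strings):
    '''Private-API names that occur inside any extracted string.'''
    return sorted({n for s in strings for n in PRIVATE_API_NAMES if n in s})


def obfuscate(name):
    '''What the app author ships in the binary instead of the plain name.'''
    return bytes(b ^ KEY for b in name.encode('ascii'))


def deobfuscate(data):
    '''What the app computes at run time, right before the runtime call.'''
    return bytes(b ^ KEY for b in data).decode('ascii')


def build_app(api_name, obfuscated):
    '''Constructed stand-in for an app binary: filler, the API name, filler.'''
    payload = obfuscate(api_name) if obfuscated else api_name.encode('ascii')
    return b'__TEXT filler ' + bytes(8) + payload + bytes(8) + b'@interface Foo'


def static_scan(blob):
    '''The weak check: match clear-text strings only.'''
    return match_private(extract_c_strings(blob))


def xor_aware_scan(blob):
    '''A stronger check that undoes every single-byte XOR key before matching.
    It defeats this particular obfuscation only; against arbitrary decoding
    routines the vetting tool has to execute them, which is what the
    forced-execution approach cited above does.'''
    hits = set()
    for key in range(256):
        decoded = bytes(b ^ key for b in blob)
        hits.update(match_private(extract_c_strings(decoded)))
    return sorted(hits)


if __name__ == '__main__':
    name = 'MobileInstallationLookup'
    plain, hidden = build_app(name, False), build_app(name, True)
    print('static scan, clear-text name :', static_scan(plain))
    print('static scan, obfuscated name :', static_scan(hidden))
    print('xor-aware scan, obfuscated   :', xor_aware_scan(hidden))
    print('decoded at run time          :', deobfuscate(obfuscate(name)))
```

Run it directly to see the two scans side by side. On a real Mach-O the clear-text names such a check reads live in sections like __objc_methname and __cstring; the point of the example is that nothing forces the name to be there, since the runtime accepts whatever string the app hands it at the moment of the call.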
Through this research, we now know that abusing private APIs in the iOS system can be an independent\r\nattack technique and can affect all iOS users.\r\nPrevention and Removal of YiSpecter\r\nPalo Alto Networks has released IPS signatures (14861, 14862, 14863) via our Threat Prevention product to detect and block\r\nall malicious C2 traffic related to YiSpecter. We have also released signatures to detect queries for the C2 domains used\r\nby the malware.\r\nWe have also reported the YiSpecter threat to Apple so that they can revoke the abused enterprise certificates. (As noted above,\r\nthe new iOS 9 requires users to manually mark the related provisioning profile as trusted in Settings before they can install\r\nenterprise-provisioned apps. This new feature also helps prevent some security incidents caused by abuse of\r\nenterprise certificates.)\r\nFor iOS users who are potentially infected by YiSpecter, we suggest removing it with the following steps:\r\n1. In iOS, go to Settings -\u003e General -\u003e Profiles and remove all unknown or untrusted profiles;\r\n2. If there are any installed apps named “情涩播放器”, “快播私密版” or “快播0”, delete them;\r\n3. Use any third-party iOS management tool (e.g., iFunBox; note that Apple’s iTunes does not work for this step)\r\non Windows or Mac OS X to connect to your iPhone or iPad;\r\n4. In the management tool, check all installed iOS apps; if there are apps with names like Phone, Weather, Game\r\nCenter, Passbook, Notes, or Cydia, delete them. (This step will not affect the original system apps; it only deletes\r\nthe fake ones, which hide their icons from SpringBoard and therefore cannot be found or removed from the home screen.)\r\nOur primary security suggestion for avoiding this kind of iOS malware was, is and remains this: never download\r\niOS apps from any untrusted sources, and never trust unknown developers. 
You should always download iOS apps from the\r\nofficial App Store for personal use, or install your company or organization’s internal apps under your IT department’s\r\nguidance. Bear in mind that even apps from the App Store can abuse private APIs for harmful operations, so these\r\nsecurity habits will not prevent all similar attacks, but they should prevent most of them. We have also made suggestions to Apple\r\nfor improving their code review procedures and urged them to strengthen iOS security mechanisms against these potential\r\nsecurity problems.\r\nAppendix\r\nSamples of YiSpecter (SHA-256)\r\n57cc101ee4a9f306236d1d4fb5ccb3bb96fa76210142a5ec483a49321d2bd603  ADPage\r\n4938b9861b7c55fbbe47d2ba04e9aff2da186e282f1e9ff0a15bbb22a5f6e0e7  ADPage.ipa\r\nfc55c5ced1027b48885780c87980a286181d3639dfc97d03ebe04ec012a1b677  DaPian\r\n5259854994945a165996d994e6484c1afc1c7e628cb5df2dc3750f4f9f92202e  DaPian.ipa\r\n7714dbb85c5ebcd85cd1d93299479cff2cc82ad0ed11803c24c44106530d2e2f  HYQvod\r\nddd16577b458a5ec21ea0f57084033435a46f61dc5482f224c1fe54f47d295bc  HYQvod.ipa\r\n8fa135fc74583e05be208752e8ce191060b1617447815a007efac78662b425d0  HYQvod_3.3.3\r\n526e1dc893629c00c017fbe62b53392cb26bc6b15947e7b8b7df10a62f40cbad  HYQvod_3.3.3.ipa\r\n41176825ba0627f61981280b27689a0c5cc6bfb310a408fa623515e6239b8647  NoIcon\r\n98e9e65d6e674620eccaf3d024af1e7b736cc889e94a698685623d146d4fb15f  NoIcon.ipa\r\ne7f071929a4304447cf638057d9499df9970b2a3d53d328a609f191a4bc29ffd  NoIconUpdate\r\n8873908061f9c8d563de26fe6fa671080a90a2d60f795cc0664ef686e1162955  NoIconUpdate.ipa\r\nSamples in VirusTotal\r\nSHA-256  Filename  Submitted (M/D/YY)  Detections/Engines\r\n382b88b654d7c5149ce8e9813accb86fd58eb1c01d66f730774f27a14d6af06c HYQvod 11/18/14 1/55\r\n0a106551b950d312c3847889cb233cbdaaebbc55fc2d7b6deb37f493079aa419 qj238_HYQvod_18.ipa 11/18/14 1/52\r\n95c2b1fd5a9e0141e6c597771e832e6c6743713888bfad3d172c0180d650795b qj238_HYQvod_14.ipa 1/26/15 1/56\r\n487a442fa69be5fe701662976a2f9d16f7f1dc4b03d63b9a289a6395855b42d0 qvod2.4.0HYQvod_jx46.ipa 
1/26/15 1/57\r\n63b4ff014e74bd0a31b16393d145d1332e963b2e17f07396529793a4f0cf8b48 qiumama_HYQvod_jx69.ipa 2/5/15 1/56\r\nfa8594384e119908ec4ea5e0af9597251f6de76a66c30682e36ca1f1d303c7a9 qiuchuanyi_HYQvod_jx48.ipa 2/26/15 1/57\r\nf2a478eb2674b65d602204b2df8fc5e715e22596b039f235f9dfa27c03bbaa9b 1420683505536.ipa 2/26/15 1/57\r\nca59d78e9d23a737054b70385060346a8e6afc4948cd84f97826deb05168c279 20150113205442561.ipa 2/26/15 0/57\r\naf338b0d35e532644850f9f5e00b6c67d6e08609cb9ef79d48e9f435f87366d0 qvod2.4.0HYQvod_6.ipa 2/26/15 1/57\r\n17c89f5a579ecc3f97914a0fdd8ed1305a3682e09a719f91716607c3d63eabdf qvod2.4.0HYQvod_5.ipa 2/26/15 1/57\r\n0e75378d2ee5a7b90696dd67efa0d06d619f7f29021a7f056ff5a0fe881f8d6e 20150203141304735.ipa 2/26/15 0/57\r\n55573153750d98938270d858ca220a4435ebcd1dac44388e5a59315e7811193c DaPian 2/27/15 0/57\r\n426f279a503a19d5c253621ad98f589d853270fd0a1ec54bf08ee55c1f647964 DaPian 2/27/15 0/57\r\nf1e527fba122f91e79e790ba519c0d161cb4959bb1c89d6c20cf8a141ef8f854 HYQvod 4/20/15 1/57\r\nbcb3d4a2960e76cc169bd80ff26c7973502ef11baf0d45d52534184f055003a1 HYQvod 4/20/15 1/56\r\n5fd7b3994fc95cd72e2c76607ed00f260783e02b6fdf228e1e4616ca1e8702be HYQvod 4/20/15 1/55\r\n0771302f113d9c64fca3988a31020afa0767d3e1b66a2e74f819fd62b80b8a5e HYQvod 4/20/15 1/57\r\n1d5eea2236a2a44fe0ff4e17491c37f04ffa4a0af9a4b09ecc463089e3f48f14 kuaibozqb.3987.ipa 4/26/15 1/56\r\n1d5eea2236a2a44fe0ff4e17491c37f04ffa4a0af9a4b09ecc463089e3f48f14 kuaibozqb.3987.ipa 5/12/15 1/57\r\n3404bbf56d81da355636371f2e84b3b83ead7d78384c1627db67c4a59c275285 Unknown 6/29/15 0/56\r\n04f69960b2e5fbd06f746e050c7a04e4ea9de67289fd82d3a85a92963aec387a Unknown 6/29/15 0/56\r\n363e58e1f489b6fade4975a54c02575e8832d95171b6b5646fd475d6a5f35ed9 HYQvod 7/25/15 0/56\r\nddd16577b458a5ec21ea0f57084033435a46f61dc5482f224c1fe54f47d295bc 1438074603284.ipa 8/18/15 1/56\r\nSamples 
of Worm.Win32.Lingdun (SHA-256)\r\n2771276596981c0ff189c27e6869b147c3c3665fd8b94b14d68695ea6ea3d09d  inst.exe\r\n8d113243da8992220e73a2fd02ae28d209b326b191aeef95f3c8e223c1c6db96  leba99_setup_220041398.exe\r\n9e538a58aed94a7748df9262ae0343dea9efce8d9117e0868eb404e1098747b6  u.exe\r\n1607cf9625d7bf4ef39f8c1383fa0b1b1edcd13939d5d49fba5cdc14a73a2d95  ziyt.scr\r\n6bd56dd4cc6a97912531fcb8d9f79f814fd45c9e97600f170646308868b1097b  亲情视频秀.exe\r\na8456f50c47b5248a93bcaebd05cb07bbf61527d5c7537767df1aaabb64bad95  天使嫩女视频全集.msi\r\nAcknowledgements\r\nThanks to CDSQ from the WeipTech group for providing some samples of YiSpecter from an infected iPhone.\r\nThanks to Josh Grunzweig and Bryan Lee from Palo Alto Networks for their suggestions on naming. (Finding a proper name is\r\nalways so hard!)\r\nThanks to Rongbo Shao and Zhaoyan Xu from Palo Alto Networks for their efforts in detecting the threat.\r\nThanks to Ryan Olson from Palo Alto Networks for reviewing and revising this report.\r\nSource: https://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"
	],
	"report_names": [
		"yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis"
	],
	"threat_actors": [
		{
			"id": "45577352-1038-44a4-b111-44764d26a4b0",
			"created_at": "2022-10-25T16:07:24.591806Z",
			"updated_at": "2026-04-10T02:00:05.046659Z",
			"deleted_at": null,
			"main_name": "Yingmob",
			"aliases": [],
			"source_name": "ETDA:Yingmob",
			"tools": [
				"DroidPlugin",
				"Eomobi",
				"HummingBad",
				"HummingWhale",
				"Yispecter",
				"ZxxZ"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775446645,
	"ts_updated_at": 1775826719,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ef81e3cb9f55f0da29bea9277b6289eafba43805.pdf",
		"text": "https://archive.orkl.eu/ef81e3cb9f55f0da29bea9277b6289eafba43805.txt",
		"img": "https://archive.orkl.eu/ef81e3cb9f55f0da29bea9277b6289eafba43805.jpg"
	}
}