Private API Exploitation

From ema
EMA ID: ema-1071
Description: On iOS, an app can call private (undocumented) system APIs that Apple reserves for its own apps and that App Store review rejects. Malware that reaches a device outside App Store review, for example signed with an enterprise distribution certificate, abuses these APIs to implement malicious functionality that the public APIs do not permit, without requiring a jailbreak.
Associated Behavior: persist after system reboot
Privilege Level: User space
Supporting Details:
Such malware can download, install and launch arbitrary iOS apps, replace installed apps with ones it downloads, hijack other apps' execution to display advertisements, change Safari's default search engine, bookmarks and open pages, and upload device information to a command-and-control (C2) server.
The malware hides its icons from SpringBoard so that the user cannot find or delete it from the home screen. Its components also reuse the names and logos of system apps, which is enough to fool even experienced iOS users.
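One way to check an app bundle for the tricks described above, as an added example that is not part of the EMA page or of the YiSpecter analysis: a small Python scanner that reads an app's Info.plist for the SBAppTags "hidden" icon-hiding key and for a display name that mimics a system app, and that searches the raw executable bytes for private framework paths and known private API symbols. The indicator lists, the private framework and symbol names, the sample Info.plist and the fake binary bytes are all assumptions constructed for this demo (the page does not say which icon-hiding mechanism or which private APIs YiSpecter used); an analyst would feed it the real bundle's files.

```python
"""Static indicators for private-API abuse and icon hiding in an iOS app bundle.

Added example, not code from the EMA page or from the YiSpecter report.
Assumptions (not stated on the page): SBAppTags=hidden is used as the
icon-hiding indicator, the private framework/symbol lists are illustrative,
and the sample plist and binary bytes below are constructed for the demo.
"""
import plistlib
import re

# Illustrative indicators of private-API use (assumed list, not exhaustive).
PRIVATE_FRAMEWORK_PREFIX = b"/System/Library/PrivateFrameworks/"
PRIVATE_API_SYMBOLS = [
    b"LSApplicationWorkspace",              # app install/launch via MobileCoreServices
    b"SBSLaunchApplicationWithIdentifier",  # launch apps via SpringBoardServices
    b"MobileInstallation",                  # private install framework
]
# Display names an attacker might reuse to look like a system app (assumed list).
SYSTEM_APP_NAMES = {"Phone", "Messages", "Safari", "Settings", "App Store"}


def findings_from_plist(plist_bytes):
    """Check Info.plist for the hidden-icon tag and for system-app name mimicry."""
    info = plistlib.loads(plist_bytes)
    findings = []
    tags = info.get("SBAppTags", [])
    if "hidden" in tags:
        findings.append("SBAppTags contains 'hidden' (icon hidden from SpringBoard)")
    name = info.get("CFBundleDisplayName") or info.get("CFBundleName", "")
    bundle_id = info.get("CFBundleIdentifier", "")
    # Apple's own apps carry com.apple.* bundle ids; a system-app name on any
    # other bundle id is the mimicry the page describes.
    if name in SYSTEM_APP_NAMES and not bundle_id.startswith("com.apple."):
        findings.append(f"display name '{name}' mimics a system app (bundle id {bundle_id})")
    return findings


def findings_from_binary(binary_bytes):
    """Search raw executable bytes for private framework paths and private symbols."""
    findings = []
    pattern = PRIVATE_FRAMEWORK_PREFIX + rb"[A-Za-z0-9_]+\.framework"
    for path in sorted(set(re.findall(pattern, binary_bytes))):
        findings.append(f"references private framework {path.decode()}")
    for sym in PRIVATE_API_SYMBOLS:
        if sym in binary_bytes:
            findings.append(f"references private symbol {sym.decode()}")
    return findings


def scan_bundle(plist_bytes, binary_bytes):
    """Combine plist and binary findings for one app bundle."""
    return findings_from_plist(plist_bytes) + findings_from_binary(binary_bytes)


# Constructed sample input: a helper app named "Phone" that hides its icon.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.helper</string>
  <key>CFBundleDisplayName</key><string>Phone</string>
  <key>SBAppTags</key><array><string>hidden</string></array>
</dict>
</plist>
"""

# Constructed fake executable bytes: a Mach-O magic followed by strings an
# app using private install APIs would typically contain.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 16
    + b"/System/Library/PrivateFrameworks/MobileInstallation.framework/MobileInstallation\x00"
    + b"LSApplicationWorkspace\x00defaultWorkspace\x00installApplication:withOptions:\x00"
)

if __name__ == "__main__":
    for finding in scan_bundle(SAMPLE_INFO_PLIST, SAMPLE_BINARY):
        print("[!]", finding)
```

On a real bundle, read `Payload/<App>.app/Info.plist` (binary plists are handled by plistlib too) and the main executable named by CFBundleExecutable; string matching on the raw binary is a coarse first pass, since private API names can be obfuscated and resolved at runtime, so treat a clean result as inconclusive rather than as proof of absence.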


Inherited Attributes:

applicable platform: iOS (unknown version); iOS 1.0.x through iOS 8.4.x (every listed minor release from 1.0.x, 1.1.x, 2.0.x to 8.4.x)
References:
Date              Malware Family   URL
October 4, 2015   YiSpecter        http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/
(undated)         YiSpecter        https://www.theiphonewiki.com/wiki/Malware_for_iOS#YiSpecter_.28October_2015.29