S0311 YiSpecter
YiSpecter is a family of iOS and Android malware, first detected in November 2014, targeting users in mainland China and Taiwan. YiSpecter abuses private APIs in iOS to infect both jailbroken and non-jailbroken devices.[1]
Item | Value |
---|---|
ID | S0311 |
Associated Names | |
Type | MALWARE |
Version | 2.0 |
Created | 25 October 2017 |
Last Modified | 20 April 2023 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
mobile | T1437 | Application Layer Protocol | - |
mobile | T1437.001 | Web Protocols | YiSpecter has connected to the C2 server via HTTP.[1] |
mobile | T1577 | Compromise Application Executable | YiSpecter has replaced device apps with ones it has downloaded.[1] |
mobile | T1407 | Download New Code at Runtime | YiSpecter has used private APIs to download and install other pieces of itself, as well as other malicious apps.[1] |
mobile | T1456 | Drive-By Compromise | YiSpecter is believed to have initially infected devices using internet traffic hijacking to generate abnormal popups.[1] |
mobile | T1628 | Hide Artifacts | - |
mobile | T1628.001 | Suppress Application Icon | YiSpecter has hidden the app icon from the iOS SpringBoard.[1] |
mobile | T1625 | Hijack Execution Flow | YiSpecter has hijacked normal applications' launch routines to display ads.[1] |
mobile | T1424 | Process Discovery | YiSpecter has collected information about running processes.[1] |
mobile | T1418 | Software Discovery | YiSpecter has collected information about installed applications.[1] |
mobile | T1409 | Stored Application Data | YiSpecter has modified Safari's default search engine, bookmarked websites and opened pages, and has accessed contacts and authorization tokens of the IM program "QQ" on infected devices.[1] |
mobile | T1632 | Subvert Trust Controls | - |
mobile | T1632.001 | Code Signing Policy Modification | YiSpecter has used fake Verisign and Symantec certificates to bypass malware detection systems. YiSpecter has also signed malicious apps with iOS enterprise certificates so that they run on non-jailbroken iOS devices.[1] |
mobile | T1426 | System Information Discovery | YiSpecter has collected the device UUID.[1] |
mobile | T1422 | System Network Configuration Discovery | YiSpecter has collected compromised device MAC addresses.[1] |
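Two of the rows above (T1632.001, enterprise-certificate signing; T1628.001, icon suppression) describe artefacts that can be checked statically in an IPA before it ever reaches a device, which matters here because enterprise-signed apps bypass App Store review entirely. The script below is an added triage example, not code from the ATT&CK page or from any YiSpecter analysis. It assumes the standard Apple profile layout, where an in-house (enterprise) `embedded.mobileprovision` carries `ProvisionsAllDevices = true` and no `ProvisionedDevices` list, and it assumes that icon hiding is done with the `SBAppTags` `hidden` entry in `Info.plist`; the page does not name YiSpecter's hiding mechanism, so that second check is an assumption. The IPA it inspects is a constructed fixture built in the same file, not a real sample.

```python
import datetime
import io
import plistlib
import re
import zipfile

PROFILE_RE = re.compile(r"Payload/[^/]+\.app/embedded\.mobileprovision")
INFO_RE = re.compile(r"Payload/[^/]+\.app/Info\.plist")


def provisioning_plist(mobileprovision: bytes) -> dict:
    """Pull the XML plist payload out of a CMS-wrapped .mobileprovision.

    The file is PKCS#7 SignedData around a plain XML plist. Slicing out the
    <?xml ... </plist> span is the usual triage shortcut; it does NOT verify
    the signature, so treat the result as attacker-controlled input.
    """
    start = mobileprovision.find(b"<?xml")
    end = mobileprovision.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in provisioning profile")
    return plistlib.loads(mobileprovision[start:end + len(b"</plist>")])


def triage_ipa(ipa_bytes: bytes) -> dict:
    """Static checks for two YiSpecter-style traits: enterprise signing and a hidden icon."""
    findings = {
        "bundle_id": None,
        "team_name": None,
        "enterprise_profile": False,  # T1632.001: in-house distribution profile
        "hidden_icon_tag": False,     # T1628.001: assumed SBAppTags "hidden" mechanism
    }
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        for name in ipa.namelist():
            if PROFILE_RE.fullmatch(name):
                profile = provisioning_plist(ipa.read(name))
                findings["team_name"] = profile.get("TeamName")
                # In-house profiles provision every device and carry no device list;
                # ad-hoc and development profiles enumerate UDIDs instead.
                findings["enterprise_profile"] = (
                    bool(profile.get("ProvisionsAllDevices"))
                    and "ProvisionedDevices" not in profile
                )
            elif INFO_RE.fullmatch(name):
                info = plistlib.loads(ipa.read(name))
                findings["bundle_id"] = info.get("CFBundleIdentifier")
                findings["hidden_icon_tag"] = "hidden" in info.get("SBAppTags", [])
    return findings


def build_sample_ipa(enterprise: bool, hidden_icon: bool) -> bytes:
    """Constructed fixture (not a real sample): a minimal IPA with both artefacts toggled."""
    profile = {
        "Name": "Sample Profile",
        "TeamName": "Example Corp",          # assumed placeholder team
        "TeamIdentifier": ["EXAMPLE123"],
        "ExpirationDate": datetime.datetime(2030, 1, 1),
        "Entitlements": {"application-identifier": "EXAMPLE123.com.example.sample"},
    }
    if enterprise:
        profile["ProvisionsAllDevices"] = True
    else:
        profile["ProvisionedDevices"] = ["0000000000000000000000000000000000000000"]
    # Fake DER framing around the plist stands in for the real CMS wrapper.
    wrapped = b"\x30\x82\x01\x00" + plistlib.dumps(profile) + b"\x00\x00"

    info = {"CFBundleIdentifier": "com.example.sample", "CFBundleExecutable": "Sample"}
    if hidden_icon:
        info["SBAppTags"] = ["hidden"]

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as ipa:
        ipa.writestr("Payload/Sample.app/Info.plist", plistlib.dumps(info))
        ipa.writestr("Payload/Sample.app/embedded.mobileprovision", wrapped)
        ipa.writestr("Payload/Sample.app/Sample", b"\xca\xfe\xba\xbe")  # stand-in binary
    return buf.getvalue()


if __name__ == "__main__":
    for ent, hid in ((True, True), (False, False)):
        print(triage_ipa(build_sample_ipa(ent, hid)))
```

An `enterprise_profile` hit on an app that arrived outside your MDM is the interesting signal; the `TeamName` tells you which enterprise certificate to report to Apple for revocation, which is what ultimately stopped YiSpecter-style distribution. Signature verification of the CMS blob is deliberately out of scope here and should be done with `security cms -D` or `openssl cms` on a real investigation.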