Skip to content

S0311 YiSpecter

YiSpecter is a family of iOS and Android malware, first detected in November 2014, targeting users in mainland China and Taiwan. YiSpecter abuses private APIs in iOS to infect both jailbroken and non-jailbroken devices.1

Item Value
ID S0311
Associated Names
Version 2.0
Created 25 October 2017
Last Modified 20 April 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1437 Application Layer Protocol -
mobile T1437.001 Web Protocols YiSpecter has connected to the C2 server via HTTP.1
mobile T1577 Compromise Application Executable YiSpecter has replaced device apps with ones it has downloaded.1
mobile T1407 Download New Code at Runtime YiSpecter has used private APIs to download and install other pieces of itself, as well as other malicious apps. 1
mobile T1456 Drive-By Compromise YiSpecter is believed to have initially infected devices using internet traffic hijacking to generate abnormal popups.1
mobile T1628 Hide Artifacts -
mobile T1628.001 Suppress Application Icon YiSpecter has hidden the app icon from iOS springboard.1
mobile T1625 Hijack Execution Flow YiSpecter has hijacked normal application’s launch routines to display ads.1
mobile T1424 Process Discovery YiSpecter has collected information about running processes.1
mobile T1418 Software Discovery YiSpecter has collected information about installed applications.1
mobile T1409 Stored Application Data YiSpecter has modified Safari’s default search engine, bookmarked websites, opened pages, and accessed contacts and authorization tokens of the IM program “QQ” on infected devices.1
mobile T1632 Subvert Trust Controls -
mobile T1632.001 Code Signing Policy Modification YiSpecter has used fake Verisign and Symantec certificates to bypass malware detection systems. YiSpecter has also signed malicious apps with iOS enterprise certificates to work on non-jailbroken iOS devices.1
mobile T1426 System Information Discovery YiSpecter has collected the device UUID.1
mobile T1422 System Network Configuration Discovery YiSpecter has collected compromised device MAC addresses.1