New iOS malware in China hijacks apps and forces full-page ads in Safari

The new malware, which is making the rounds in China and Taiwan, offers ways to circumvent the government’s Internet censorship. It persuades users to download a private version of QVOD, a defunct media player used for sharing pornography and other illegal content in China. QVOD was shut down in 2014 after police raided the developer’s offices, but it is still incredibly popular in China’s underground Web as a portal to illegal content.

Once the app is downloaded, YiSpecter tricks iOS SpringBoard — the software that manages the on-screen icons on iOS — to stop users from uninstalling the app. It then blends into the background, hiding under one of the many system apps on iOS.

YiSpecter is able to “replace existing apps with those it downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information,” according to Palo Alto Networks. A Chinese mobile advertising service was allegedly responsible for the malicious app.

Luckily, Apple acknowledged the problem quickly and removed the app.

“We advise customers to stay current and only download content from the App Store and trusted sources … This particular vulnerability was indeed fixed in iOS 9.0,” an Apple spokesperson said to CNET.

News of the YiSpecter attack follows last week’s Chinese malware panic, which was caused by several high-profile developers who used a faulty version of Xcode to build apps. Those apps have since been purged from the App Store and replaced with apps built on a legitimate version of Xcode.

The YiSpecter attack is another case that proves China’s wild west approach to app curation is not working. Without checks in third-party apps stores, it’s easy for malicious programs to bypass iOS security.