MITRE ATT&CK® Malware

S0311: YiSpecter

YiSpecter is a family of iOS and Android malware, first detected in November 2014, targeting users in mainland China and Taiwan. YiSpecter abuses private APIs in iOS to infect both jailbroken and non-jailbroken devices.[1]

Domain: Mobile | ID: S0311 | Type: Malware | Object version: 2.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

YiSpecter matters because it represents mobile malware behavior across iOS and Android, including abuse of private iOS APIs and activity against both jailbroken and non-jailbroken iOS devices. For leaders, the practical issue is whether mobile endpoints are visible enough to prove what is installed, what code runs after installation, what data apps can access, and whether suspicious web-based command traffic or hidden applications would be noticed before mobile access becomes an investigation blind spot.

Executive priority

Prioritize this as a mobile visibility and governance risk rather than a single malware-only problem. The ATT&CK relationships show behaviors tied to runtime code download, application and system discovery, stored application data access, web-protocol communications, drive-by compromise, application executable compromise, execution flow hijacking, icon suppression, and code signing policy modification. Executives should ask whether mobile device management, mobile threat defense, app inventory, code-signing controls, and incident response procedures produce usable evidence for Android and iOS devices, especially for regulated users, executives, and users with access to sensitive business applications.

Technical view

SOC, detection engineering, and IR teams should validate coverage around the related mobile techniques rather than depend on a YiSpecter-specific signature. Key checks include whether Android and iOS telemetry can show unexpected app installation or persistence, hidden or suppressed application presence, runtime code loading, app inventory and process discovery activity, device and network configuration collection, access to stored application data, and HTTP/HTTPS communications to unusual infrastructure. Because ATT&CK provides no official detection text for this object, local validation should be based on mobile platform logs, MDM/MTD events, network telemetry, and forensic collection capability.

Likely telemetry

  • Mobile device management inventory for installed applications, OS versions, device posture, jailbreak/root indicators where available, and code-signing or profile state
  • Mobile threat defense or endpoint mobile security alerts for suspicious app behavior, hidden apps, dynamic code loading, and anomalous permissions or API use
  • Android and iOS application inventory and installation/removal history
  • Network telemetry for mobile devices, especially HTTP/HTTPS destinations, timing, and unusual beacon-like web protocol usage
  • Mobile forensic artifacts showing application data access, app directories, process/application enumeration, and configuration discovery

Detection direction

  • Build detections and hunting logic around the mapped techniques: runtime code download, software/process/system/network discovery, stored application data access, web-protocol communications, drive-by compromise, executable compromise, execution flow hijacking, icon suppression, and code-signing policy modification.
  • Validate that mobile inventory can identify applications that are installed but not visible to users, since icon suppression can make user reporting unreliable.
  • Tune network analytics carefully because web protocols such as HTTP and HTTPS are normal on mobile devices; prioritize unusual destinations, newly observed infrastructure, suspicious timing, and correlation with risky app or device posture events.
  • For iOS, assess whether controls and telemetry can identify abuse of private APIs or unauthorized signing/profile conditions; do not assume non-jailbroken devices are out of scope because the official description states YiSpecter infected both jailbroken and non-jailbroken iOS devices.
  • For Android, validate detection around compromised application executables and execution-flow hijacking behaviors where supported by local telemetry.
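As an added example that is not part of the Glexia page or the MITRE object, the following Python applies the first three bullets above to constructed data: it reads MDM-style inventory records for hidden apps (icon suppression, T1628.001) and enterprise-signed apps outside an allow-list (T1632.001), looks for periodic cleartext HTTP to a single host in flow records (T1437.001), and returns the devices that show both an app-level and a network-level finding. Field names, bundle IDs, hosts and the allow-list are assumptions; real MDM/MTD and network exports use their own schemas.

```python
# Added example (not Glexia's or MITRE's code): correlate constructed MDM inventory with
# constructed HTTP flow records. Field names, hosts and bundle IDs are assumed placeholders.
from collections import defaultdict
from statistics import pstdev
APPROVED_ENTERPRISE_TEAMS = {"EXAMPLE-INTERNAL-TEAM"}  # assumed allow-list of in-house signers
INVENTORY = [  # constructed MDM records: one per installed app per device
    {"device": "ios-001", "bundle": "com.example.mail", "visible": True,
     "signing": "appstore", "team": None},
    {"device": "ios-001", "bundle": "com.constructed.hidden", "visible": False,
     "signing": "enterprise", "team": "UNKNOWN-TEAM"},
    {"device": "ios-002", "bundle": "com.example.fieldapp", "visible": True,
     "signing": "enterprise", "team": "EXAMPLE-INTERNAL-TEAM"},
]
FLOWS = (  # constructed flow records: device, epoch seconds, URL scheme, destination host
    [{"device": "ios-001", "ts": t, "scheme": "http", "host": "c2.constructed.invalid"}
     for t in range(0, 1500, 300)]                      # five requests exactly 300 s apart
    + [{"device": "ios-001", "ts": t, "scheme": "http", "host": "news.example"}
       for t in (10, 700, 710, 2000)]                   # irregular browsing, not a beacon
    + [{"device": "ios-002", "ts": t, "scheme": "https", "host": "cdn.example"}
       for t in range(0, 1500, 300)]                    # periodic but HTTPS; out of scope here
)
def inventory_findings(records):
    """Flag icon suppression (T1628.001) and unapproved enterprise signing (T1632.001)."""
    out = []
    for r in records:
        if not r["visible"]:
            out.append((r["device"], r["bundle"], "icon suppressed (T1628.001)"))
        if r["signing"] == "enterprise" and r["team"] not in APPROVED_ENTERPRISE_TEAMS:
            out.append((r["device"], r["bundle"], "unapproved enterprise signing (T1632.001)"))
    return out

def beacon_findings(flows, min_hits=4, max_jitter=5.0):
    """Flag cleartext HTTP (T1437.001) to one host at a near-constant interval."""
    by_key = defaultdict(list)
    for f in flows:
        if f["scheme"] == "http":
            by_key[(f["device"], f["host"])].append(f["ts"])
    out = []
    for (device, host), ts in by_key.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_hits and pstdev(gaps) <= max_jitter:
            out.append((device, host, f"periodic HTTP every ~{sum(gaps) / len(gaps):.0f}s"))
    return out
def devices_to_triage(inventory, flows):
    """Devices with both an app-level and a network-level finding rank first for triage."""
    inv = {d for d, _, _ in inventory_findings(inventory)}
    net = {d for d, _, _ in beacon_findings(flows)}
    return sorted(inv & net)
```

The jitter threshold and minimum hit count are tuning knobs: HTTPS beacons and jittered intervals need a different test, which is why the page recommends correlating network findings with device posture rather than relying on timing alone.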

Mitigation priorities

  • Maintain authoritative mobile asset and application inventory for Android and iOS devices that access business data.
  • Enforce mobile application governance, including approved app sources, code-signing/profile controls where applicable, and review of applications that download code after installation.
  • Use MDM/MTD controls to detect or restrict risky device states, suspicious applications, hidden apps, and unauthorized configuration or signing changes.
  • Limit sensitive application data exposure through mobile app hardening, least-privilege access, and controls that reduce insecure local storage where the organization can influence app design or configuration.
  • Apply network monitoring and secure web controls for mobile traffic, recognizing that malicious communications may blend into normal HTTP/HTTPS usage.

Analyst notes and limits

The supplied ATT&CK object identifies YiSpecter as iOS and Android malware first detected in November 2014 targeting users in mainland China and Taiwan, with an external reference from Palo Alto Unit 42. The strongest defensive value comes from the relationships to mobile techniques, especially discovery, runtime code download, web-protocol communication, application hiding, and signing/execution manipulation. Because tactics are not specified and detection text is not provided, this take focuses on defensible validation questions and telemetry classes rather than malware-specific detection claims.

No official ATT&CK detection guidance, aliases, labels, or tactics were supplied for this object. The relationship descriptions are technique-level context, not proof of current activity or local exposure. Organizations need local mobile management, network, app, and forensic evidence to determine whether they have coverage or risk.

Official MITRE ATT&CK definition

YiSpecter

YiSpecter is a family of iOS and Android malware, first detected in November 2014, targeting users in mainland China and Taiwan. YiSpecter abuses private APIs in iOS to infect both jailbroken and non-jailbroken devices.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

12 rows; every relationship note cites reference [1] (paloalto_yispecter_1015).

Domain | ID | Name | Relationship / procedure
Mobile | T1577 | Compromise Application Executable | YiSpecter has replaced device apps with ones it has downloaded.[1]
Mobile | T1422 | System Network Configuration Discovery | YiSpecter has collected compromised device MAC addresses.[1]
Mobile | T1424 | Process Discovery | YiSpecter has collected information about running processes.[1]
Mobile | T1437.001 | Web Protocols (sub-technique) | YiSpecter has connected to the C2 server via HTTP.[1]
Mobile | T1409 | Stored Application Data | YiSpecter has modified Safari’s default search engine, bookmarked websites, opened pages, and accessed contacts and authorization tokens of the IM program “QQ” on infected devices.[1]
Mobile | T1632.001 | Code Signing Policy Modification (sub-technique) | YiSpecter has used fake Verisign and Symantec certificates to bypass malware detection systems. YiSpecter has also signed malicious apps with iOS enterprise certificates to work on non-jailbroken iOS devices.[1]
Mobile | T1407 | Download New Code at Runtime | YiSpecter has used private APIs to download and install other pieces of itself, as well as other malicious apps.[1]
Mobile | T1625 | Hijack Execution Flow | YiSpecter has hijacked normal applications’ launch routines to display ads.[1]
Mobile | T1456 | Drive-By Compromise | YiSpecter is believed to have initially infected devices using internet traffic hijacking to generate abnormal popups.[1]
Mobile | T1418 | Software Discovery | YiSpecter has collected information about installed applications.[1]
Mobile | T1628.001 | Suppress Application Icon (sub-technique) | YiSpecter has hidden the app icon from the iOS springboard.[1]
Mobile | T1426 | System Information Discovery | YiSpecter has collected the device UUID.[1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 2.0
Raw hash: f7b3e8840ec12df5...
Imported snapshots across ATT&CK releases: 1 (release 19.1, object version 2.0, status: current bundle)
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. paloalto_yispecter_1015: Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.
  2. mitre-attack S0311: MITRE ATT&CK software entry S0311, YiSpecter.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.