‘WireLurker’ malware found to be affecting Macs and iOS devices in China


Finding malware completely focused on Macs or iOS devices is rare, but when it crops up, it tends to catch attention. Now, malware known as “WireLurker” is affecting Macs and iOS devices in China.

Palo Alto Networks researchers recently published a research paper that shines a light on what’s known as “WireLurker,” malware that has been affecting both Macs and iOS devices in China over the course of six months. The research paper notes that this targeted attack on Apple-branded devices “heralds a new era in malware attacking Apple’s desktop and mobile platforms.”

The researchers go on to say that WireLurker is the largest in scale within its malware family. It attacks iOS devices systematically through the USB cable that connects them to an infected Mac. According to the researchers, WireLurker can infect iOS applications in the same way a traditional virus would, and it is the first malware to install third-party applications on a non-jailbroken iOS device. It does this through “enterprise provisioning.”

WireLurker monitors any iOS device connected via USB with an infected OS X computer and installs downloaded third-party applications or automatically generated malicious applications onto the device, regardless of whether it is jailbroken. This is the reason we call it “wire lurker”. Researchers have demonstrated similar methods to attack non-jailbroken devices before; however, this malware combines a number of techniques to successfully realize a new brand of threat to all iOS devices.

WireLurker exhibits complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to thwart anti-reversing. In this whitepaper, we explain how WireLurker is delivered, the details of its malware progression, and specifics on its operation.
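One defensive check the mechanism described above suggests: an app that reaches a non-jailbroken iOS device without going through the App Store carries an enterprise provisioning profile, so an app inventory can triage installed bundles by the profile they embed. The Python script below is an added example, not code from this article or from Palo Alto Networks. It assumes only the documented layout of an app's embedded.mobileprovision file (a CMS-signed wrapper around an XML plist with keys such as ProvisionsAllDevices, ProvisionedDevices, ExpirationDate, TeamName and Entitlements); the two sample profiles, the bytes wrapped around them, and the reference clock are constructed placeholders.

```python
"""Classify an iOS app's embedded.mobileprovision by distribution model.

Added example, not code from the WireLurker report or from Palo Alto Networks.
It assumes only the documented layout of a provisioning profile: a CMS-signed
blob wrapping an XML plist with keys such as ProvisionsAllDevices,
ProvisionedDevices, ExpirationDate, TeamName and Entitlements. The sample
profiles below are constructed; the CMS bytes around them are placeholders.
"""
import plistlib
from datetime import datetime, timezone
from typing import Optional

PLIST_START = b"<?xml"
PLIST_END = b"</plist>"

# Constructed reference clock so the expiry check is deterministic.
SAMPLE_CLOCK = datetime(2014, 11, 6)


def extract_profile(blob: bytes) -> dict:
    """Pull the XML plist out of a (signed) .mobileprovision blob.

    The CMS signature is deliberately not verified: this is triage of what a
    profile claims, not a trust decision.
    """
    start = blob.find(PLIST_START)
    if start < 0:
        raise ValueError("no plist payload found in provisioning profile")
    end = blob.find(PLIST_END, start)
    if end < 0:
        raise ValueError("plist payload in provisioning profile is truncated")
    return plistlib.loads(blob[start:end + len(PLIST_END)])


def classify_profile(profile: dict) -> str:
    """Return the distribution model a profile authorises.

    ProvisionsAllDevices marks an in-house (enterprise) profile, which is what
    lets an app run on any non-jailbroken device without App Store review.
    ProvisionedDevices lists specific UDIDs, i.e. ad-hoc or development use.
    """
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    if "ProvisionedDevices" in profile:
        entitlements = profile.get("Entitlements", {})
        return "development" if entitlements.get("get-task-allow") else "ad-hoc"
    return "unknown"


def audit_profile(blob: bytes, now: Optional[datetime] = None) -> dict:
    """Summarise a profile for an inventory report and flag enterprise ones."""
    if now is None:
        now = datetime.now(timezone.utc).replace(tzinfo=None)
    profile = extract_profile(blob)
    kind = classify_profile(profile)
    expires = profile.get("ExpirationDate")  # plistlib yields a naive UTC datetime
    expired = expires is not None and expires <= now
    return {
        "app": profile.get("AppIDName"),
        "team": profile.get("TeamName"),
        "kind": kind,
        "expired": expired,
        "flag": kind == "enterprise",  # sideloaded outside the App Store: review it
    }


def _fake_signed_blob(profile: dict) -> bytes:
    """Constructed stand-in for a CMS-signed profile: placeholder bytes around the plist."""
    return b"\x30\x82placeholder-cms-header" + plistlib.dumps(profile) + b"placeholder-signature"


ENTERPRISE_PROFILE = _fake_signed_blob({
    "AppIDName": "Constructed In-House App",
    "TeamName": "Example Corp (constructed)",
    "ProvisionsAllDevices": True,
    "ExpirationDate": datetime(2015, 11, 5),
    "Entitlements": {"application-identifier": "TEAMID1234.com.example.inhouse",
                     "get-task-allow": False},
})

DEVELOPMENT_PROFILE = _fake_signed_blob({
    "AppIDName": "Constructed Dev Build",
    "TeamName": "Example Corp (constructed)",
    "ProvisionedDevices": ["00000000-constructed-udid"],
    "ExpirationDate": datetime(2015, 11, 5),
    "Entitlements": {"application-identifier": "TEAMID1234.com.example.dev",
                     "get-task-allow": True},
})


if __name__ == "__main__":
    for name, blob in (("enterprise", ENTERPRISE_PROFILE), ("development", DEVELOPMENT_PROFILE)):
        print(name, audit_profile(blob, now=SAMPLE_CLOCK))
```

Run as a script it audits the two constructed profiles; in practice you would feed it the embedded.mobileprovision from each installed .app bundle and cross-check the flagged team names against the organisation's approved enterprise developer teams. Because it does not verify the CMS signature, it reports what a profile claims, not whether Apple issued it.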

As of the time the paper was published, up to 467 OS X apps in the Maiyadi App Store — a third-party Mac app store in China — had been infected. Those apps have been downloaded 356,104 times in total, meaning hundreds of thousands of people have been infected by the malware.

The research paper adds that the malware’s ultimate goal is unknown, but that it is currently in active development. Once installed on a computer, and subsequently on an iOS device, the malware can collect a wide assortment of information, including iMessage and contact data. It can also request updates from the attackers.

As expected, Palo Alto Networks offers several ways to avoid the malware, including restricting Mac app installations to the Mac App Store and installing an antivirus product.

[via The New York Times; Palo Alto Networks]