Researchers Discover New 'WireLurker' Malware Affecting Macs and iOS Devices in China [Updated]

[MacRumors]

Researchers from Palo Alto Networks (via The New York Times) have published a research paper on WireLurker, a malware new family that's been infecting both Mac OS and iOS systems over the course of the past six months. The researchers say that WireLurker, which is targeting users in China, "heralds a new era in malware attacking Apple's desktop and mobile platforms."

The WireLurker malware is the "biggest in scale" in the trojanized malware family, and it is able to attack iOS devices through OS X using USB. It's said to be able to infect iOS applications similar to a traditional virus, and it is the first malware capable of installing third-party applications on non-jailbroken iOS devices "through enterprise provisioning."

Thus far, WireLurker has been used in 467 OS X apps in the Maiyadi App Store, which is a third-party Mac app store in China. The apps have been downloaded 356,104 times, infecting hundreds of thousands of users.

According to the researchers, WireLurker looks for iOS devices connected via USB to an infected Mac, installing malicious third-party applications onto the device even without a jailbreak.

WireLurker monitors any iOS device connected via USB with an infected OS X computer and installs downloaded third-party applications or automatically generated malicious applications onto the device, regardless of whether it is jailbroken. This is the reason we call it "wire lurker". Researchers have demonstrated similar methods to attack non-jailbroken devices before; however, this malware combines a number of techniques to successfully realize a new brand of threat to all iOS devices.

WireLurker exhibits complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to thwart anti-reversing. In this whitepaper, we explain how WireLurker is delivered, the details of its malware progression, and specifics on its operation.

Once installed, WireLurker can collect information from iOS devices like contacts and iMessages, and it's able to request updates from attackers. It's said to be under "active development" with an unclear "ultimate goal."

Palo Alto Neworks offers several recommendations for avoiding apps infected with WireLurker, including an antivirus product and Mac App Store installation restrictions that prevent apps from unknown third parties from being installed. Users should not download and run Mac apps or games from third-parry app stores, download sites, or other untrusted sources and jailbreaking should be avoided.

Unknown enterprise provisioning profiles must be avoided as well, and users should avoid pairing their iOS devices with unknown computers or charging with chargers from untrusted or unknown sources.

Palo Alto Networks has notified Apple of the malware, but an Apple spokesperson declined to offer a comment.

Update: Apple has issued a statement to iMore about the issue:

"We are aware of malicious software available from a download site aimed at users in China," an Apple spokesperson told iMore, "and we've blocked the identified apps to prevent them from launching. As always, we recommend that users download and install software from trusted sources."

Article Link: Researchers Discover New 'WireLurker' Malware Affecting Macs and iOS Devices in China [Updated]

 

[0xyMoron]

Good lord! Apple just can't catch a break!

 

[mattcha90]

This is what everyone who always complain about Apple's vice-grip on openness doesn't understand. If you stick with the Apple pre-approved things you're safe 99.99% of the time. It's only when you open yourself to third party apps that you run the risk of malware. It can't exist without you opening the door to it.

 

[fins831]

this is why I love the closed environment Apple creates, if the consumer is smart, they will be unaffected 99percent of the time. Walled garden protect me from all the bad stuff please haha

 

[needfx]

applebola




-

 

[bbeagle]

Trojan software exists on ALL systems. This is nothing new.

Anyone can write a program on Windows/Unix/OS X to do ANYTHING. That's really the point of personal computers. There is nothing Apple/Microsoft or anyone can do to stop this outside of using their approved app stores where they can take down a malicious app like this.

This article is just iHater bait to people who don't understand how software works. A virus or worm is a different thing. A trojan - can happen to any operating system at any time. A trojan is basically software that says it does one thing then actually does something else. That's what Apple's App Store helps avoid, apps like this. This proves, again, that the Apple closed app store protects users better.

 

[goobot]

Users should not download and run Mac apps or games from third-parry app stores, download sites, or other untrusted sources and jailbreaking should be avoided.

What does jailbreaking have to do with this? Obviously use a known tool but other than that this is an over-reactive comment.

 

[BigBeast]

The ultimate goal? Most likely to decrease Apple's presence in China and instill FUD in Chinese consumers.

 

[shadowbird423]

What does jailbreaking have to do with this? Obviously use a known tool but other than that this is like an over reactive comment.

I know, right. All iOS devices are vulnerable to a rogue cert like this one, but they couldn't resist the fear mongering.

 

[Glassed Silver]

What does jailbreaking have to do with this? Obviously use a known tool but other than that this is an over-reactive comment.

Because jailbreaking's single reason is to intendedly load un-signed code onto your iOS device, basically a much shorter route than the one this hack takes.

It's a simplified way of inviting malicious code onto your phone that basically can achieve the same results.

PS: Not that I'd flat out tell everyone not to jailbreak because of this.
If someone asked me to do it for them and they were determined to get it done, I'll help them for sure.

Glassed Silver:mac

 

[Michaelgtrusa]

We gave jobs to them that just a few decades ago china had nothing to offer except fireworks! This is how they repay us in the many cruel ways that they have and the west refuses to wake up to what it's done to themselves! This could all be reversed.

 

[macduke]

This is what happens when you go outside the walled garden without supervision. If you're going to do it, make sure you know where you're getting your apps from. It's a calculated risk. I wonder if this enterprise installation thing is truly hacked, or if it's a legit certificate that Apple can just revoke?

 

[Dragonlance1561]

What does jailbreaking have to do with this? Obviously use a known tool but other than that this is an over-reactive comment.

Jailbreaking disables a lot of the security measures that apple has in place to prevent apps from outside the AppStore being installed. Obviously in this particular case it doesn't change the end result, but in many other cases it does.

I personally don't jailbreak my devices because I don't know where the apps on the Cydia store come from, who coded them, or what they might do in the background without my knowledge - as all of the "this app is trying to access _____ data" messages are disabled when you jailbreak, or more, the apps don't have to follow those rules so why would they?

 

[Swift]

who might have done this?

They have third-party App Stores in China? There's your first mistake. I'm thinking that there's less likelihood this will get through the Mac App store. The Chinese government might want to suck out all the contacts in somebody's Contacts, no? Just like somebody, nobody knows who (?), was doing man in the middle attacks on iCloud in China with fake certificates.

 

[Michaelgtrusa]

The ultimate goal? Most likely to decrease Apple's presence in China and instill FUD in Chinese consumers.

Tim Cooks visit will accomplish nothing.

 

[flowsy]

We gave jobs to them that just a few decades ago china had nothing to offer except fireworks! This is how they repay us in the many cruel ways that they have and the west refuses to wake up to what it's done to themselves! This could all be reversed.

Say what!? Come on now. All of them? 1.366.040.000 (August 2014)

 

[mavere]

Wait, so the iOS-portion of the malware depends on the user accepting unknown Enterprise provisioning profiles? At that point, aren't you just asking for trouble?

 

[Michael Goff]

We gave jobs to them that just a few decades ago china had nothing to offer except fireworks! This is how they repay us in the many cruel ways that they have and the west refuses to wake up to what it's done to themselves! This could all be reversed.

And everyone who moved their business over there did it out of the kindness of their hearts, right?

:rolls eyes:

 

[lotzosushi]

Sponsored by the Chinese government

 

[flowsy]

They have third-party App Stores in China? There's your first mistake. I'm thinking that there's less likelihood this will get through the Mac App store.

A lot of big companies have their own "AppStores" for specific internal apps.

 

[goobot]

Jailbreaking disables a lot of the security measures that apple has in place to prevent apps from outside the AppStore being installed. Obviously in this particular case it doesn't change the end result, but in many other cases it does.

I personally don't jailbreak my devices because I don't know where the apps on the Cydia store come from, who coded them, or what they might do in the background without my knowledge - as all of the "this app is trying to access _____ data" messages are disabled when you jailbreak, or more, the apps don't have to follow those rules so why would they?

Apps is cydia's official repos aren't malicious in anyway. Third party sources maybe but those you have to go out of your way to get to, also jailbreaking disables 0 securities. Yes you can install stuff that may put you at greater risk but just the JB itself doesn't.

Because jailbreaking's single reason is to inventively load un-signed code onto your iOS device, basically a much shorter route than the one this hack takes.

It's a simplified way of inviting malicious code onto your phone that basically can achieve the same results.

PS: Not that I'd flat out tell everyone not to jailbreak because of this.
If someone asked me to do it for them and they were determined to get it done, I'll help them for sure.

Glassed Silver:mac

Again there is a difference between installing something you know nothing about vs not. Jailbreaking itself doesn't invite any malicious code onto your device like downloading a file from any major company on your computer doesn't.

 

[rsocal]

This is what everyone who always complain about Apple's vice-grip on openness doesn't understand. If you stick with the Apple pre-approved things you're safe 99.99% of the time. It's only when you open yourself to third party apps that you run the risk of malware. It can't exist without you opening the door to it.

This is why I have always been a big fan of the walled garden!
Not one of my Apple products has suffered any virus attacks.

 

[fallenjt]

Thanks, Apple for your closed system and malware free environment. People in China want to get cheap apps or free app and this is their result of being cheap.

----------

This is why I have always been a big fan of the walled garden!
Not one of my Apple products has suffered any virus attacks.

mine too. My Mac Mini is on 24/7 since bought in Nov 2011...no attack, virus, malware ever.

 

[Hennesie2000]

Because jailbreaking's single reason is to inventively load un-signed code onto your iOS device, basically a much shorter route than the one this hack takes.

It's a simplified way of inviting malicious code onto your phone that basically can achieve the same results.

PS: Not that I'd flat out tell everyone not to jailbreak because of this.
If someone asked me to do it for them and they were determined to get it done, I'll help them for sure.

Glassed Silver:mac

Wrong, the main goal of jailbreaking is to have root access. What you decide to do after that is obtained is your choice.

 

[Michaelgtrusa]

And everyone who moved their business over there did it out of the kindness of their hearts, right?

:rolls eyes:

NO! They did it for greed! You knew that right?