This isn't even a 3rd party app, it's a third party App STORE. Here's the solution: DON'T USE 3rd PARTY APP STORES! Stick with Apple's App Store and you'll be fine. Now if it's Mac apps you want, again stick with Apple's Mac App Store as well as only trusted commercial developers.
 
Palo Alto is trying to pass this tripe off as a critical threat to move units, plain and simple. From the report:

Some of these same users stated that they recently downloaded and installed applications from the Maiyadi App Store (http://app.maiyadi.com), a third party OS X and iOS application store in China. As background, the Maiyadi site is a Chinese portal for Apple related news and resources. The Maiyadi App Store is a sub-site known to host pirated premium Mac, iPhone, and iPad applications.

For a non-jailbroken iOS device, WireLurker simply installs iOS applications that it downloads, leveraging iTunes protocols implemented by the libimobiledevice library. For a jailbroken iOS device, WireLurker backs up specific applications from the device to the Mac computer and trojanizes/repackages both backed up and additional downloaded applications with a malicious binary file. These altered iOS applications are then installed to the device through the same iTunes protocols noted above. Additionally, WireLurker uploads a malicious MobileSubstrate tweak file to the device through the AFC2 service.

At this point, new application icons are visible to the user on the connected iOS device, whether jailbroken or not. For a jailbroken device, malicious code is injected into system applications, querying all contact names, phone numbers and Apple IDs, and sending them to the C2 server along with WireLurker status information.

The use of enterprise provisioning explains how these applications can be installed on non-jailbroken iOS devices. Yet, on the first attempt to run a WireLurker application on iOS, users are presented with a dialog requesting confirmation to open a third-party application (Figure 16). If the user chooses to continue, a third-party enterprise provisioning profile will be installed and WireLurker will have successfully compromised that non-jailbroken device. Furthermore, users are typically none the wiser, since the application otherwise operates just like the legitimate version.

So I have to... ok... wow... so to get "infected" I need to:
1. Download pirated apps with the WireLurker infection.
2. Install said apps and approve Wirelurker sideload.
3. Connect to iTunes and copy this application to my phone.
4. APPROVE the app AND the installation of some random profile?
5. Jailbreak before it starts to work?

c'mon man.
 
This is what everyone who always complain about Apple's vice-grip on openness doesn't understand. If you stick with the Apple pre-approved things you're safe 99.99% of the time. It's only when you open yourself to third party apps that you run the risk of malware. It can't exist without you opening the door to it.

I've had my Mac and have been installing software on it since BEFORE THERE WAS AN OS X APP STORE! Now what do I suggest I do?!?! I don't have an instant answer I guess because I'm insufficiently smug. Wait let me check my fart smell. Nope, not smug enough.
 
You've never been jailbroken, obviously...

All of you talking about how jailbreaking opens you up to this are all wrong wrong wrong. You guys believe everything you hear. You really need to think for yourselves and do your own research on things you hear about.

Jailbreaking in and of itself does NOT open you up to anything. The only thing jailbreaking does is give you ROOT access to all of the file systems. You don't even need to install Cydia if you don't want to.

Since you have root access, you can now use the iPhone as an external storage device, using the cable to transfer files from computer to phone.

You have ROOT access on Mac OS as well. You don't need to jailbreak a Mac in order to install 3rd party apps.
 
Is it weird that I just want to sit by and watch a video of the actual malware in action? What are these "malicious" apps and Trojans WireLurker loads onto the device? I wannaa seeeee... But not on my device :p

Malware generally just fascinates me, how they all do different things, etc. Am I weird? Lol
 
What a great way to convince users to only download from the Apple approved App Stores! Genius!

FUD Alert!!!

http://en.wikipedia.org/wiki/Fear,_uncertainty_and_doubt

----------

This is why I love the closed environment Apple creates: if the consumer is smart, they will be unaffected 99 percent of the time. Walled garden, protect me from all the bad stuff please haha

Actually there is a lot of great software that is not sold through Apple. Many developers don't like dealing with Apple's filtering system and don't want to fork over 30% of their earnings. There were applications long before there was the App store. This just looks like a way of scaring customers into thinking like you.
 
Malware generally just fascinates me, how they all do different things, etc. Am I weird? Lol

Not at all, remember how Stuxnet sped up Iran's centrifuges to the point of breaking (who do we thank?) so imagine what a sneaky communist hacker is capable of with Macs in China.
 
All of you talking about how jailbreaking opens you up to this are all wrong wrong wrong. You guys believe everything you hear. You really need to think for yourselves and do your own research on things you hear about.

Jailbreaking in and of itself does NOT open you up to anything. The only thing jailbreaking does is give you ROOT access to all of the file systems. You don't even need to install Cydia if you don't want to.

Since you have root access, you can now use the iPhone as an external storage device, using the cable to transfer files from computer to phone.

You have ROOT access on Mac OS as well. You don't need to jailbreak a Mac in order to install 3rd party apps.

What's the point of getting root access to do that, bypassing all security, when you can do it from an app in many different ways? With Apple apps sharing data more freely now in iOS 8, it's even less useful than before.

In any system, you try to do the least you possibly can at root level; that way you have a better knowledge of the access you are giving to files and applications.

----------

What a great way to convince users to only download from the Apple approved App Stores! Genius!

FUD Alert!!!

http://en.wikipedia.org/wiki/Fear,_uncertainty_and_doubt

----------



Actually there is a lot of great software that is not sold through Apple. Many developers don't like dealing with Apple's filtering system and don't want to fork over 30% of their earnings. There were applications long before there was the App store. This just looks like a way of scaring customers into thinking like you.

You do forgo everything that differentiates Apple from anyone else by bypassing security. Might as well buy a good Android phone and simply sideload the application if you want to do that.
 
Beware of this developer! http://www.macupdate.com/app/mac/50911/mac-media-player

Same dev http://www.macupdate.com/app/mac/40390/macgo-blu-ray-player

Stated on Macupdate.

I tried this app and noticed it seemed to "dial out" a lot. As I researched this company [Macgo Int. LTD.] all I could get was a Ph.# [852-21598095] which is Hong Kong. Don't get me wrong! It does exactly what it's supposed to: play various media format files. Tried it and checked my log. It had connected to MUCH too many servers in China. Ones of significance are em.sandai.net & xunlei.com. If I'm not mistaken that is the one the China Army uses to "throttle" the internet with. I may be wrong. But I'm just sayin' be careful with some of the newer Chinese software coming out. They had a "silent" internet revolution recently and the army has been active lately with their own brand of hackers... I know, it's the same with any other "advanced" technology country. But, yes, I would wait until another White Hat Security review comes out about it...

----------

Not at all, remember how Stuxnet sped up Iran's centrifuges to the point of breaking (who do we thank?) so imagine what a sneaky communist hacker is capable of with Macs in China.

What is surprising is that American computers made in China haven't been hacked... yet!
 
Wrong, the main goal of jailbreaking is to have root access. What you decide to do after that is obtained is your choice.

Yes it is, although slightly pointless unless you are enamored by running about playing with hardware not seen in an Android machine. Most people don't do that though, and most apps that were before only in the jailbreak have been integrated into iOS 7 and 8.
 
Thank you.

Beware of this developer! http://www.macupdate.com/app/mac/50911/mac-media-player

Same dev http://www.macupdate.com/app/mac/40390/macgo-blu-ray-player

Stated on Macupdate.

I tried this app and noticed it seemed to "dial out" a lot. As I researched this company [Macgo Int. LTD.] all I could get was a Ph.# [852-21598095] which is Hong Kong. Don't get me wrong! It does exactly what it's supposed to: play various media format files. Tried it and checked my log. It had connected to MUCH too many servers in China. Ones of significance are em.sandai.net & xunlei.com. If I'm not mistaken that is the one the China Army uses to "throttle" the internet with. I may be wrong. But I'm just sayin' be careful with some of the newer Chinese software coming out. They had a "silent" internet revolution recently and the army has been active lately with their own brand of hackers... I know, it's the same with any other "advanced" technology country. But, yes, I would wait until another White Hat Security review comes out about it...
Thank you. I blocked it in my hosts file as well as home router.
 
This is why I have always been a big fan of the walled garden!:cool::apple:
Not one of my Apple products has suffered any virus attacks.:cool::apple:

None of mine either. Then again, in 20 years I've never had a virus on any of my Windows machines either...
 
Haha! The last sentence just kills me! I can see the folks in the board room just holding and shaking their heads! " F,n China" :mad::eek:
 
The ultimate goal? Most likely to decrease Apple's presence in China and instill FUD in Chinese consumers.

Perhaps the goal is for the Chinese Government to more easily monitor their subjects.
 
Because jailbreaking's single reason is to intentionally load unsigned code onto your iOS device, basically a much shorter route than the one this hack takes.

It's a simplified way of inviting malicious code onto your phone that basically can achieve the same results.

PS: Not that I'd flat out tell everyone not to jailbreak because of this.
If someone asked me to do it for them and they were determined to get it done, I'll help them for sure.

Glassed Silver:mac

Jailbreaking disables a lot of the security measures that Apple has in place to prevent apps from outside the App Store being installed. Obviously in this particular case it doesn't change the end result, but in many other cases it does.

I personally don't jailbreak my devices because I don't know where the apps on the Cydia store come from, who coded them, or what they might do in the background without my knowledge - as all of the "this app is trying to access _____ data" messages are disabled when you jailbreak, or more, the apps don't have to follow those rules so why would they?


:eek: there is too much misconception in here. With due respect, it isn't jailbreaking that breaks down your security or puts you at risk.
 
Palo Alto Networks offers several recommendations for avoiding apps infected with WireLurker, including an antivirus product and Mac App Store installation restrictions that prevent apps from unknown third parties from being installed. Users should not download and run Mac apps or games from third-parry app stores, download sites, or other untrusted sources, and jailbreaking should be avoided.

You misspelled 'third-party' as "third-parry".
 
I thought that's why Apple controlled everything you can do with your Apple phone, so this wouldn't happen.

It seems like more incompetence under Cook.
 
Is there anyone who can explain how enterprise provisioning works?

As far as I know, an Apple Developer Enterprise member can acquire provisioning certificates and profiles from Apple, and sign their in-house apps with these certificates in Xcode. But what do the enterprise employees need to do if they want to use these in-house apps provided by the employer?

I mean, if the iDevice owner needs to "Accept" some certificate before they can install these apps, then this WireLurker malware is nothing but another PEBKAC.

I wonder how these hackers acquire the enterprise certificates. Did they steal them from some other enterprise? Or are they the enterprise? Can Apple just disable these problematic profiles to stop them?
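The report excerpt earlier in the thread says enterprise provisioning is what lets WireLurker's repackaged apps install on non-jailbroken devices, and the post above asks what such a profile involves. As an added example (not code from the thread or from Palo Alto's report), this Python triage helper reads the plist carried inside an app's embedded.mobileprovision and reports whether it is an enterprise profile (ProvisionsAllDevices), which team signed it, and whether it has expired; the sample profile bytes are constructed, and the CMS signature around the plist is not verified.

```python
import plistlib
import re
from datetime import datetime, timezone

# A .mobileprovision file is CMS (PKCS#7) data wrapping an XML plist; the plist
# can be located by its markers without parsing or verifying the CMS envelope.
PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)

def extract_plist(blob: bytes) -> dict:
    """Pull the plist payload out of a profile blob (signature is NOT verified)."""
    match = PLIST_RE.search(blob)
    if match is None:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(match.group(0))

def classify(profile: dict, trusted_teams=(), now=None) -> dict:
    """Summarise the keys that decide how an app may be installed and who signed it."""
    now = now or datetime.now(timezone.utc)
    expires = profile.get("ExpirationDate")
    if expires is not None and expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)  # plistlib yields naive UTC
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"   # in-house distribution: installs on any device
    elif "ProvisionedDevices" in profile:
        kind = "development"  # limited to the listed device UDIDs
    else:
        kind = "appstore"
    team_id = (profile.get("TeamIdentifier") or [None])[0]
    return {
        "kind": kind,
        "team_name": profile.get("TeamName"),
        "team_id": team_id,
        "app_id": profile.get("Entitlements", {}).get("application-identifier"),
        "expired": bool(expires is not None and expires < now),
        # An enterprise profile from a team the device owner has no relationship
        # with is the red flag: it is what a repackaged, sideloaded app carries.
        "flag": kind == "enterprise" and team_id not in trusted_teams,
    }

# Constructed sample: an enterprise profile wrapped in placeholder CMS bytes.
SAMPLE_PLIST = plistlib.dumps({
    "AppIDName": "Constructed Example App",
    "TeamName": "Example Co (constructed)",
    "TeamIdentifier": ["ABCDE12345"],
    "ProvisionsAllDevices": True,
    "ExpirationDate": datetime(2015, 11, 5),
    "Entitlements": {"application-identifier": "ABCDE12345.com.example.app"},
})
SAMPLE_PROFILE = b"\x30\x82\x00\x00 placeholder CMS header " + SAMPLE_PLIST + b" sig"
SAMPLE_NOW = datetime(2014, 11, 6, tzinfo=timezone.utc)   # constructed triage date
SAMPLE_LATER = datetime(2016, 1, 1, tzinfo=timezone.utc)  # after the sample expiry
```

On a real device the same keys can be read from the profile an app installed, and an enterprise profile whose team the owner does not recognise should be removed.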
 