WireLurker: New Apple malware can infect your Mac and iPhone via USB
A digital worm (okay, technically speaking, virus) is burrowing its way into Apple desktop and mobile devices across the Middle Kingdom. A team of security experts say the malware is the “biggest in scale” they have ever laid their eyes on.
The virus, known as WireLurker, was uncovered by researchers from Palo Alto Networks – a US-based network security company.
"WireLurker is unlike anything we've ever seen in terms of Apple iOS and OS X malware," the company's intelligence director Ryan Olson said.
The team gave the virus its name because it remains hidden in apparently legitimate and often popular apps, including Angry Birds and Sims 3.
According to the team, WireLurker was used to trojanize 467 OS X applications on the Maiyadi App Store – a third-party Mac application store in China. Over the past six months, these 467 infected applications were downloaded over 356,104 times, potentially affecting hundreds of thousands of individual users.
What the #WireLurker#malware looks like from the perspective of @opendns and @OpenDNSLabspic.twitter.com/eVB00irNxS
— Andrew Hay (@andrewsmhay) November 6, 2014
The malware strikes by first infecting desktop hardware running OS X – the operating system employed by Mac computers. It then spreads to iPhones and iPads when they are attached to Macs and MacBooks via USB to install third-party applications (or automatically generated malicious applications).
Moreover, the experts say WireLurker can steal a raft of information from the mobile devices and regularly requests updates from the attackers’ so-called “command and control server.”
Thus, in China it has targeted Taobao, an online shopping site owned by tech giant AliBaba, and AliPay payment apps, which required owner’s credit card and bank details.
WireLurker is the first known malware that can attack not “jailbroken” iOS devices. Security experts do not rule out that it “may have impacted hundreds of thousands of users.”
“The techniques in use suggest that bad actors are getting more sophisticated when it comes to exploiting some of the world's best-known desktop and mobile platforms,” the company said.
They note that the malware is under “active development” and its creator’s ultimate goal remains unclear.
Based on the virulence of WireLurker, the team says the virus’s unwelcome appearance “heralds a new era in malware attacking Apple's desktop and mobile platforms."
Despite its vast potential for damage and information theft, the virus has not been knowingly used to exploit any device users. The team at Palo Alto Networks believes that whoever is behind the malware is still waiting for the perfect moment to strike.
WireLurker is only the second known form of malware that specifically attacks USB-attached devices using Apple’s mobile operating system, iOS, which has a reputation for being particularly secure. So far, iOS has never fallen victim to a widespread malware hack.
While the virus so far remains contained within China, it has the potential to spread to other countries.
This is the part of WireLurker that scrapes phone number, serial number, and your iiTunes Store ID from your phone. pic.twitter.com/RAFv50slPy
— Jonathan Zdziarski (@JZdziarski) November 6, 2014
For those hoping not to get tripped up by WireLurker, the security team recommends giving apps from third-party stores a pass. They also tell users to regularly update their iOS device with the latest anti-virus software, avoid connecting their mobile devices with computers or chargers other than their own, and not jailbreaking their devices – removing limitations on Apple's operating system in order to access additional applications and extensions not available through Apple.
According to the Apple-dedicated website iMore, non-jailbroken devices are largely protected from the ill effects of WireLurker.
“For non-jailbroken devices, it sounds as if all WireLurker can do is download and install enterprise-signed (proprietary, in-house iOS) apps to the device. A user would then need to manually launch the installed app, then tap ‘Trust’ when asked if they're sure they want to launch the app from an unknown developer,” Nick Arnott, iMore’s security editor writes.
He notes that such apps would still be restricted by iOS’s multiple security restrictions. Apple could also revoke the enterprise certificates, which would make it impossible to install the app on other devices.
“On any devices that have already installed the app, iOS will kill the app on launch when it sees that it's not valid,” Arnott says.
Many iOS security measures are disabled or bypassed when a device is jailbroken, however, leaving it susceptible to WireLurker’s full wrath.
Speaking to iMore, an Apple spokesperson said measures had already been taken to contain the spread of WireLurker.
“We are aware of malicious software available from a download site aimed at users in China and we've blocked the identified apps to prevent them from launching,” the spokesperson said. “As always, we recommend that users download and install software from trusted sources."
