Malware specifically targeted at Apple products named “WireLurker” has been detected.
Malware specifically targeted at Apple products named “WireLurker” has been detected.
Named WireLurker due to its ability to monitor when any iOS device connects via USB with an infected OS X computer, it installs third-party applications or automatically generated malicious applications onto the device, and combines a number of techniques to successfully realize a new breed of threat to all iOS devices.
“WireLurker exhibits complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to thwart anti-reversing,” its research said.
Michael Sutton – VP of security research at Zscaler said that what is unique about WireLurker is that it takes the approach of first infecting a Mac OS X device, and then monitoring for connected devices.
“Even with this approach, WireLurker faces restrictions and can’t simply install random code in the device,” he said. “WireLurker takes advantage of Enterprise Provisioning to install apps on the device, but when doing so users must accept a provisioning profile before apps can be installed.
“If the device is jailbroken, WireLurker has greater flexibility and can fully control the device. Users are therefore advised not to plug their iPhone/iPad into untrusted computers or use untrusted sync cables. Further, they should not accept unexpected profiles during the sync process or use a jailbroken phone in order to stay protected from malware such as WireLurker.”
Kevin Mahaffey, Lookout co-founder and chief technology officer, said: “What’s interesting here is that malware attacked a PC in order to gain access to a mobile device, not to attack the PC—yet another sign that mobile is becoming the dominant computing platform. Historically, attackers have focused their efforts on Android, given its popularity.
“Now, as the number of iOS devices has grown, especially in geographies where malware tends to originate, iPhones and iPads have become attractive attack targets as well.”
Palo Alto Networks’ research found that WireLurker “trojanises” OS X applications using three files: a loader, shell script and ZIP archive. Between the initial detection in late April and mid-October 2014, it observed three distinct versions of the malware; the first version (version A) consisted of the original malicious files that were used to trojanise Mac applications on Maiyadi. A week later, on 7th May, the second version (version B) was distributed through WireLurker’s C2 server. Then, prior to August 2014, the command and control server began distributing the third version (version C). “The content of this latest updating
script confirmed it was the successor of version B” it said.
In a statement published by Business Insider, Apple said: “We are aware of malicious software available from a download site aimed at users in China, and we’ve blocked the identified apps to prevent them from launching. As always, we recommend that users download and install software from trusted sources.”