WireLurker: A new breed of iOS and OS X malware that has infected thousands.

WireLurker: A new breed of iOS and OS X malware that has infected thousands.

 

There’s a new and particularly clever piece of malware in town called WireLurker, and rather unusually it targets iOS and OS X. Even more remarkably, WireLurker is surprisingly virulent, possibly already infecting hundreds of thousands of iOS and OS X users. While OS X malware isn’t that rare, it’s almost unheard of for iOS to be susceptible to such attacks — and no, even if your device isn’t jailbroken, you can still be infected.
So far, it seems the malware doesn’t actually do much — but according to security researchers, once you’re infected, WireLurker constantly requests updates from a command and control server, and that whoever created the malware isn’t done yet. At the very least, WireLurker will probably be used to scoop up contacts from your address book, and harvest any sensitive details/passwords.
WireLurker was discovered and detailed by the threat prevention wing of Palo Alto Networks. The attack vector is complex, and in the words of Palo Alto Networks, “its ability to infect even non-jailbroken iOS devices through trojanized and repackaged OS X applications, suggest that it marks a new era in malware across Apple’s desktop and mobile platforms.”

WireLurker iOS/OS X infection and payload flow chart

In short, the initial WireLurker infection comes from a third-party Mac OS X app store (in this case, the Chinese Maiyadi app store). Once you download and install an infected app onto your OS X machine, that’s where the fun begins. If you then plug an iOS device into an infected OS X machine, WireLurker installs itself on the iOS device. By using iOS’s enterprise provisioning system — a method usually reserved for companies to side-load apps directly onto corporate iOS devices — WireLurker can even infect non-jailbroken devices.
Once WireLurker is on your iPhone or iPad, it appears to do a number of weird and wonderful things. If you’re not jailbroken, WireLurker simply installs/side-loads more apps from the iTunes App Store. If you’re jailbroken, it does a lot more, including infecting/trojanizing existing apps on your iOS device and backing them up to your Mac. In both cases, WireLurker constantly pings a central command server, which can trigger a payload update, or instruct WireLurker to harvest and transmit sensitive details from your device. For more details on WireLurker, read Palo Alto Networks’ research paper [PDF].

Malware, in my iOS? Unpossible!

As you’ve no doubt heard, Apple’s operating systems — especially iOS — tend to be rather secure. Malware for iOS is almost unheard of, and the number of high-profile OS X exploits can be measured on one hand (the Flashback botnet is one of the only big examples in recent memory). The good news is, WireLurker doesn’t seem to exploit a new zero-day vulnerability — rather, you need to follow a fairly long series of unfortunate events to become infected.

iPhone WireLurker enterprise provisioning confirmation

To begin with, you need to install an infected Mac OS X application. I’m not saying that the official Mac App Store is guaranteed to be malware-free, but I suspect the vetting/approval process is a lot more lax on a third-party app store. When you install an app on OS X from a third-party source, you have to click through a few dialog boxes asking if you’re really sure that you want to run it. Likewise, when WireLurker wants to infect your iOS device, the enterprise provisioning step pops open another confirmation dialog.
In short, there are quite a few warning signs that something is afoot — but despite that, Palo Alto Networks says that 467 infected apps were downloaded more than 350,000 times from the third-party Maiyadi app store. The company doesn’t have a figure of how many people then went on to infect their iOS devices, but presumably it’s a significant percentage. Obviously, it’s nice for Apple to provide lots of security warnings and confirmation pop-ups — but many people, when they just want to install the darn app, are just going to keep hitting “next” without reading or thinking.
What happens next is hard to say. Seemingly, WireLurker — and whoever authored it — is still just getting started. For now, WireLurker doesn’t do much, but as Palo Alto Networks notes, “As infected devices regularly request updates from the attackers command and control server, new features or applications could be installed at any time. It’s clear the tool set is still undergoing active development and we believe WireLurker has not yet revealed its full functionality.” There’s a risk that WireLurker could infect apps in the official Mac App Store, and thus spread to millions of iOS devices worldwide, but I’m sure Apple’s security team is now on high-alert to defend against such a scenario. Installing an up-to-date malware scanner on your Mac is probably a good idea, too.