2 min read

WireLurker bug a new threat to iOS, OS X machines

MobilitySecurity & Privacy

A California-based security company has warned that a new family of malware that targets Apple Inc.’s desktop and mobile operating systems appears to be rising out of China and infecting machines.

Palo Alto Networks said the bug, known as WireLurker, spreads through apps uploaded to jailbroken Apple devices from a third-party store, but is also a serious threat to Apple devicesthat have not been tampered with. WireLurker can be transferred from a Mac computer to a mobile device through a USB cable.

“Characteristics of this malware family, including its ability to infect even non-jailbroken iOS through trojanized and repackaged OS X applications suggest that it marks a new era in malware across Apple’s desktop and mobile platforms,” Claud Xiao, of Palo Alto’s Unit 42 threat intelligence team who uncovered the malware. WireLurker was first noticed in June this year when a developer from Chinese firm Tencent observed there were suspicious files and processes occurring in his iPhone and Mac computer.

The Palo Alto report said that once WireLurker gets into a Mac computer, the malware contacts a command-and-control server to check if its code needs to be updated. The malware waits until an iPhone, iPad or iPod is connected to the Mac computer. When an iOS connects to the computer, WireLurker checks if the mobile device is jailbroken.

If the iOS device is jailbroken, WireLurker backs up the device’s apps to the Mac and then repackages the apps with malware. After that the infected apps are returned to the iOS device.

On Wednesday, Palo Alto reported that a total of 467 Mac programs listed on the Maiyadi App Store of China have been infected by the malware. These apps were downloaded 356,104 times as of October 16, according to the security firm. The infected software included popular games such as Angry Birds, Battlefield: Bad Company 2, Pro Evolution Soccer 2014 and The SIM 3.

“WireLurker is unlike anything we’ve seen in terms of Apple iOS and OS X Malware,” said Ryan Olson, intelligence director of Palo Alto’s Unit 42. “The techniques in use suggest that bad actors are getting more sophisticated when it comes to exploiting the world’s best-known desktop and mobile platforms.”

According to Palo Alto, WireLurker represents:

  • The first known malware family that can infect installed iOS applications similar to how a traditional virus would
  • The first in-the-wild malware family that can install third-party applications on non-jailbroken iOS devices through enterprise provisioning
  • Only the second known malware family that attacks iOS devices through OS X via USB
  • The first malware family to automate generation of malicious iOS applications through binary file replacement

The malware “is still under active development and its creator’s goal is still not yet clear” but WireLurker is capable of stealing “a variety of information” from mobile devices it infects and it regularly requests updates from the attacker’s control server, according  to the security firm.

“We are aware of malicious software available from a download site aimed at users in China, and we’ve blocked the identified apps to prevent them from launching,” Apple said in a statement it issued. “As always, we recommend that users download and install software from trusted sources.”

Recent WireLurker activities have been so far relatively harmless, but Palo Alto warns that attackers could be preparing to use the bug for more damaging software.