New 'WireLurker' malware targets Chinese Apple users, hops from OS X to iOS via USB

Posted in iPhone, edited November 2014
Coming less than one week following the discovery of an OS X vulnerability called "Rootpipe," computer security researchers have found a new form of malware dubbed "WireLurker," which infects well-protected iOS devices through OS X.

Security experts at Palo Alto Networks outlined WireLurker in a research paper published on Wednesday, saying of the malware, "It is the biggest in scale we have ever seen," reports The New York Times.

WireLurker has been active in China for the past six months, first infecting Macs by inserting trojan software through repackaged OS X apps, then moving on to iOS devices via USB. The firm claims the malware is the first to automate generation of malicious iOS apps by implementing a binary file replacement attack.

"They are still preparing for an eventual attack," said Ryan Olson, Palo Alto Networks' director of threat intelligence. "Even though this is the first time this is happening, it demonstrates to a lot of attackers that this is a method that can be used to crack through the hard shell that Apple has built around its iOS devices."

Unlike other viruses, which usually target jailbroken iOS devices, WireLurker can jump from a Mac onto an iPhone running a vanilla version of Apple's operating system by leveraging Apple's enterprise provisioning assets.

As described by Palo Alto Networks, WireLurker uses the infected programs to monitor a Mac for newly connected iOS devices, then installs malicious applications over USB, either downloaded from a remote server or generated autonomously on the Mac. Once installed, the malware can access sensitive data such as user contacts, read iMessages and ping a remote server for command-and-control operations, among other nefarious functions.

So far, 467 OS X apps have been infected and distributed through China's third-party Maiyadi App Store, with downloads totaling over 356,104 possibly impacting "hundreds of thousands of users." It is unclear what information the malware's creator is after, but the code is being continuously updated and is therefore deemed active.
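The article says WireLurker reaches non-jailbroken iPhones by "leveraging Apple's enterprise provisioning assets", which for a defender raises the practical question of how to spot enterprise (in-house distribution) profiles among those present on a Mac. The following is an added example, not code from the article or from Palo Alto Networks. It assumes the documented layout of a `.mobileprovision` file (a CMS-signed envelope around an XML property list) and the `ProvisionsAllDevices` key that enterprise profiles carry; the sample profiles, team names, UDIDs and dates are constructed for the demonstration.

```python
"""Audit iOS provisioning profiles for enterprise (in-house) distribution.

Added example for the WireLurker discussion; not the article's or Palo Alto
Networks' code. A .mobileprovision file is a CMS (PKCS#7) signed envelope
around an XML plist. For an inventory check the plist can be cut out by its
XML markers; the CMS signature itself is NOT verified here (assumption: that
is done separately with a proper CMS library or `security cms -D -i`).
"""
import plistlib
import re
from datetime import datetime

_PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)

# Fixed reference date so the expiry check is reproducible (constructed).
AUDIT_DATE = datetime(2014, 11, 6)


def extract_plist(blob: bytes) -> dict:
    """Return the property list embedded in a provisioning profile blob."""
    match = _PLIST_RE.search(blob)
    if match is None:
        raise ValueError("no embedded plist found in profile blob")
    return plistlib.loads(match.group(0))


def classify_profile(profile: dict, now=None) -> dict:
    """Summarise what one provisioning profile allows and flag risky traits."""
    if now is None:
        # plistlib returns naive datetimes (UTC), so compare against a naive value.
        now = datetime.utcnow()
    entitlements = profile.get("Entitlements", {})
    app_id = entitlements.get("application-identifier", "")
    expiry = profile.get("ExpirationDate")
    findings = []
    if profile.get("ProvisionsAllDevices"):
        # Enterprise profiles have no UDID allow-list: any device will accept
        # an app signed under them once the profile is trusted.
        findings.append("enterprise: provisions all devices, no UDID allow-list")
    if app_id.endswith("*"):
        findings.append("wildcard application-identifier: any bundle id may use it")
    if expiry is not None and expiry < now:
        findings.append("expired")
    return {
        "name": profile.get("Name", "<unnamed>"),
        "team": profile.get("TeamName", "<unknown>"),
        "enterprise": bool(profile.get("ProvisionsAllDevices")),
        "device_count": len(profile.get("ProvisionedDevices", [])),
        "findings": findings,
    }


def audit_profiles(blobs, now=None):
    """Classify each raw profile blob; returns one summary dict per profile."""
    return [classify_profile(extract_plist(blob), now) for blob in blobs]


def _fake_profile(payload: dict) -> bytes:
    """Wrap a plist in filler bytes to mimic a CMS envelope (constructed sample)."""
    return b"\x30\x82\x0b\x00" + b"\x00" * 12 + plistlib.dumps(payload) + b"\x00" * 8


# Constructed samples: an enterprise profile and an ordinary development profile.
SAMPLE_ENTERPRISE = _fake_profile({
    "Name": "Example In-House Distribution",
    "TeamName": "Example Corp (constructed)",
    "ProvisionsAllDevices": True,
    "ExpirationDate": datetime(2015, 6, 1),
    "Entitlements": {"application-identifier": "ABCDE12345.*", "get-task-allow": False},
})
SAMPLE_DEV = _fake_profile({
    "Name": "Example Development",
    "TeamName": "Example Corp (constructed)",
    "ExpirationDate": datetime(2014, 1, 1),
    "ProvisionedDevices": ["0000000000000000000000000000000000000001",
                           "0000000000000000000000000000000000000002"],
    "Entitlements": {"application-identifier": "ABCDE12345.com.example.app",
                     "get-task-allow": True},
})

if __name__ == "__main__":
    for summary in audit_profiles([SAMPLE_ENTERPRISE, SAMPLE_DEV], AUDIT_DATE):
        flag = "!!" if summary["findings"] else "ok"
        print(f"[{flag}] {summary['name']} ({summary['team']}) "
              f"devices={summary['device_count']} {summary['findings']}")
```

On a real Mac the profiles to feed into `audit_profiles` live under `~/Library/MobileDevice/Provisioning Profiles/`; read each file as bytes and pass the list in. An enterprise profile is not malicious by itself, but one that no one in the organisation recognises is exactly the trust anchor an attacker needs, so the check is most useful as an inventory diff against a known-good list.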

Comments

  • Reply 1 of 67
    christophb Posts: 1,452, member
    But what does it do to the owner?
  • Reply 2 of 67
    dasanman69 Posts: 12,976, member
    christophb wrote: »
    But what does it do to the owner?

    Nothing.
  • Reply 3 of 67
    Coming less than one week following the discovery of an OS X vulnerability called "Rootpipe," computer security researchers have found a new form of malware dubbed "WireLurker," which infects well-protected iOS devices through OS X.

    It only infects those well protected iOS devices through OS X if the user is downloading applications to their Mac from a 3rd party App Store rather than the Mac App Store. Would have been helpful if the author included details about developer certificates. Do the OS X apps on this 3rd party App Store have a signed developer certificate, or does the user have to allow apps to be installed from untrusted developers?

    Knowing that malware can be installed onto an iPhone via a Mac is still a concern, but if it only occurs when default security measures in OS X are disabled then it's not much different from the security risks of jailbreaking an iPhone.
  • Reply 4 of 67
    lolliver wrote: »
    It only infects those well protected iOS devices through OS X if the user is downloading applications to their Mac from a 3rd party App Store rather than the Mac App Store. Would have been helpful if the author included details about developer certificates. Do the OS X apps on this 3rd party App Store have a signed developer certificate, or does the user have to allow apps to be installed from untrusted developers?

    Knowing that malware can be installed onto an iPhone via a Mac is still a concern, but if it only occurs when default security measures in OS X are disabled then it's not much different from the security risks of jailbreaking an iPhone.

    I would guess that you have to allow untrusted downloads, just like on Android when you install a third party app.
  • Reply 5 of 67
    gatorguy Posts: 20,264, member
    I would guess that you have to allow untrusted downloads, just like on Android when you install a third party app.
    It's explained pretty well in the AI link:
    http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/
  • Reply 6 of 67
    fallenjt Posts: 3,976, member

    Download apps from AppStore. Don't be cheap. Using third party app vendor is risky. This is why I like walled garden...safe and secured.

  • Reply 7 of 67
    gatorguy wrote: »

    That site is blocked by my firewall here at work but I'll definitely check it out when I get home tonight.
  • Reply 8 of 67
    christophb Posts: 1,452, member
    dasanman69 wrote: »
    Nothing.

    Good thing they changed the title. Thought the Chinese had the first recorded cases of human malware.
  • Reply 9 of 67
    dasanman69 Posts: 12,976, member
    christophb wrote: »
    Good thing they changed the title. Thought the Chinese had the first recorded cases of human malware.

    Ahhhh that would explain your comment. We've all been guilty of writing something, and not checking how it reads.
  • Reply 10 of 67
    idrey Posts: 640, member
    In any case this isn't good! This means that these hackers are focusing more energy towards Apple. I hope Apple can patch this, even though it is human error and not on Apple's part, and make iOS security stronger, which I'm sure they will.
  • Reply 11 of 67
    boredumb Posts: 1,413, member
    idrey wrote: »
    In any case this isn't good! This means that these hackers are focusing more energy towards Apple. I hope Apple can patch this, even though it is human error and not on Apple's part, and make iOS security stronger, which I'm sure they will.

    The price of increasing popularity...

  • Reply 12 of 67
    fallenjt wrote: »
    Download apps from AppStore. Don't be cheap. Using third party app vendor is risky. This is why I like walled garden...safe and secured.
    Yep do like the older not so tech savvy crowd does
    Pay for your shit
  • Reply 13 of 67
    Sounds like hyperbolic FUD - "WireLurker can jump from a Mac onto an iPhone running a vanilla version of Apple's operating system by leveraging Apple's enterprise provisioning assets."

    Doesn't sound like the average user would have to worry about that unless you have an enterprise device eh?
  • Reply 14 of 67
    idrey Posts: 640, member
    boredumb wrote: »
    The price of increasing popularity...

    Totally! Of this i was afraid! Hopefully apple will handle it better than ms and the other guys
  • Reply 15 of 67
    peteo Posts: 356, member
    Sounds like it uses a provisioning profile to allow the app to be installed. Usually you have to accept those, but if you're using Apple Configurator you can load trust profiles that will not require a trust dialogue to appear. Will be interesting to hear how this is done without that. Maybe they spoof Apple's push server and load the certs that way (DEP); it still would need to be signed.
  • Reply 16 of 67
    idrey wrote: »
    Totally! Of this i was afraid! Hopefully apple will handle it better than ms and the other guys

    Apple is still benefitted by not having six tons of legacy cruft like Windows. And iOS is benefitted by having been designed with security in mind. I'm not ready to wave the white flag yet as far as Apple's software being a big security risk.
  • Reply 17 of 67
    jkichline Posts: 1,331, member
    I would guess that you have to allow untrusted downloads, just like on Android when you install a third party app.

    So it's not a problem with OS X or iOS, just a problem with stupid users trying to rip off hard working developers by skirting around standard secure features of the OS.
  • Reply 18 of 67
    rcfa Posts: 756, member
    This is why root privileges for device owners are key: the ability to monitor a device, install third party anti-malware software (if need be), etc.
    Right now, an iOS device is only as secure as US laws and Apple engineering allow.
    It should be as secure as security researchers with full access to their own devices can ascertain and make it independently of Apple and the legal mandates it's subjected to as a U.S. corporation.

    Competition is good, particularly when it comes to security; competing interests need to be able to null each other, or else users pay the price.
  • Reply 19 of 67
    jkichline wrote: »
    So it's not a problem with OS X or iOS, just a problem with stupid users trying to rip off hard working developers by skirting around standard secure features of the OS.

    Do Chinese users have full access to the Mac App Store, or is it restricted by the government there?
  • Reply 20 of 67
    hillstones Posts: 1,490, member
    fallenjt wrote: »
    Download apps from AppStore. Don't be cheap. Using third party app vendor is risky. This is why I like walled garden...safe and secured.

    Not all apps and developers have their apps in the App Store. Some apps are crippled because of Apple's sandbox requirements, and therefore offer the full-featured app at the developer site. A perfect example is the very popular GraphicConverter. The App Store version is crippled due to Apple's requirements, so most buy the full-featured version directly from the developer. From the developer's site:

    The Mac App Store version has some restrictions due to the Apple Sandboxing:

    • no ECW import
    • no mrSID import
    • no PhotoCD import
    • no Next/Previous/Save & Next in the image window
    • no Split in the Save As dialog
    • no access to the complete filesystem in the browser - you have to add folder with drag & drop
    • no access to the dropbox, copy, skidrive, clouddrive folder
    • no support for Apple Remote
    • no access to the photostream
    • only support of Apple Mail to e-mail images

    Now why would anyone buy the App Store version of GraphicConverter with these restrictions? Sound Studio is another app that has restrictions in the App Store version. I believe the developer had to remove MP3 support in the App Store version. So in this instance, there could be a chance that the developer site could be taken over and the software tainted with a trojan. But this is an example as to why the App Store isn't always the best choice for software, and sometimes an app is not available in the App Store. So don't think the "walled garden" is the best place to shop for apps.
