The security firm Palo Alto Networks says it has identified a strain of Apple-attacking malware called WireLurker, the first it’s seen that installs third-party applications on non-jailbroken iOS devices through OS X, using USB connections and enterprise provisioning techniques. These various methods have been seen before, but not in combination like this.
The malware, which seems to be specific to China, infects OS X-running desktops, then watches for iPhones and iPads that are connected to the desktop via USB. iOS devices are generally far more vulnerable once they have been “jailbroken” (the iOS equivalent of rooting), but Palo Alto Networks says WireLurker attacks non-jailbroken devices as well. The malicious iOS apps can steal data from the devices they’re on.
According to Palo Alto Networks researcher Claud Xiao, WireLurker was found lurking in 467 OS X applications in a Chinese third-party app store called Maiyadi, and it “may have impacted hundreds of thousands of users.” An employee of Chinese web communications giant Tencent first spotted it in the wild on his Mac and iPhone in June, though it seems to have been around since at least April. Others then reported the same thing on various forum threads.
Apple’s enterprise provisioning techniques, which bypass some of the usual iOS App Store restrictions, have been abused since at least early 2013 in order to install pirated apps on non-jailbroken devices. Here’s a taste of how Xiao describes what happens in the Palo Alto Networks whitepaper, published Wednesday:
For a non-jailbroken iOS device, WireLurker simply installs iOS applications that it downloads, leveraging iTunes protocols implemented by the libimobiledevice library. For a jailbroken iOS device, WireLurker backs up specific applications from the device to the Mac computer and trojanizes/repackages both backed up and additional downloaded applications with a malicious binary file. These altered iOS applications are then installed to the device through the same iTunes protocols noted above.
Xiao wrote that WireLurker steals device information as well as iMessages and address books, and sends it off to a distant server. However, he said, “the ultimate goal of the WireLurker attacks is not completely clear.”
“It’s clear the tool set is still undergoing active development and we believe WireLurker has not yet revealed its full functionality,” he added.
Obviously Palo Alto Networks has products to sell, and Xiao recommended some of them for combating WireLurker. More generically, though, the advice comes down to using mobile and desktop security applications, keeping signatures up to date, not accepting strange enterprise provisioning profiles, not attaching iOS devices to strange computers or chargers, not jailbreaking, and staying the heck away from third-party app stores.
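A defender-side check that follows from the “strange enterprise provisioning profiles” advice, added here as an example and not code from the article or from Palo Alto Networks: it pulls the embedded plist out of a .mobileprovision file and flags enterprise profiles (those with ProvisionsAllDevices set) whose team is not on an allowlist. The sample profile bytes and the team ID EXAMPLE123 are constructed for the example.

```python
import plistlib
import re
from datetime import datetime, timezone

# A .mobileprovision file is a CMS (PKCS#7) blob whose payload is an XML plist.
# For triage we locate the XML body directly; verifying the CMS signature
# (e.g. `security cms -D -i profile.mobileprovision`) is a separate step.
PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_plist(profile: bytes) -> dict:
    """Return the plist dictionary embedded in a provisioning profile."""
    match = PLIST_RE.search(profile)
    if match is None:
        raise ValueError("no embedded plist found in profile")
    return plistlib.loads(match.group(0))


def triage_profile(profile: bytes, trusted_teams=(), now=None) -> list:
    """Return findings for one profile. Enterprise (in-house) profiles set
    ProvisionsAllDevices and carry no ProvisionedDevices UDID list, which is
    what lets a sideloaded app run on any non-jailbroken device."""
    p = extract_plist(profile)
    now = now or datetime.now(timezone.utc)
    findings = []
    teams = set(p.get("TeamIdentifier", []))
    if p.get("ProvisionsAllDevices"):
        findings.append("enterprise profile: valid for any device")
        if not teams & set(trusted_teams):
            findings.append("team %s is not an approved enterprise team" % sorted(teams))
    exp = p.get("ExpirationDate")  # plistlib yields a naive UTC datetime
    if exp and exp.replace(tzinfo=timezone.utc) < now:
        findings.append("profile has expired")
    if p.get("Entitlements", {}).get("get-task-allow"):
        findings.append("get-task-allow set: app is debuggable")
    return findings


# Constructed sample (not a real WireLurker artifact): an enterprise-style
# plist wrapped in junk bytes standing in for the CMS envelope.
SAMPLE_PROFILE = b"\x30\x82\x0b\x9d\x06\x09junk-cms-header" + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Name</key><string>Example In-House Profile</string>
<key>TeamIdentifier</key><array><string>EXAMPLE123</string></array>
<key>ProvisionsAllDevices</key><true/>
<key>ExpirationDate</key><date>2015-01-01T00:00:00Z</date>
<key>Entitlements</key><dict>
<key>application-identifier</key><string>EXAMPLE123.com.example.app</string>
<key>get-task-allow</key><false/>
</dict></dict></plist>""" + b"\x00cms-trailer"

if __name__ == "__main__":
    for finding in triage_profile(SAMPLE_PROFILE, trusted_teams=("EXAMPLE123",)):
        print(finding)
```

On a Mac, the profiles a user has accepted live under ~/Library/MobileDevice/Provisioning Profiles/, so the same function can be run over every file there.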
UPDATE (8.40am PT): Apple says it has now “blocked” the offending apps.