WireLurker: Unprecedented iOS, OS X malware hits users

Palo Alto Networks researchers have unearthed a new family of Apple OS X and iOS malware that is able to compromise even non-jailbroken iOS devices through enterprise provisioning.

It’s also the first malware family to infect installed iOS applications in a way typical for a traditional virus, and the first malware that automates the generation of malicious iOS applications through binary file replacement.

The first instance of the malware – dubbed WireLurker by the researchers – was spotted by a developer at Chinese company Tencent on June 1. In the days that followed, other users took to online forums to share their discovery of “the installation of strange applications and the creation of enterprise provisioning profiles on their non-jailbroken iPhones and iPads.”

“They also mentioned launch daemons found on their Mac computers, with names like ‘machook_damon’ and ‘WatchProc’. Some of these same users stated that they recently downloaded and installed applications from the Maiyadi App Store, a third party OS X and iOS application store in China,” the researchers noted.

Their investigation later revealed that almost all Mac apps uploaded to that particular online store from April 30, 2014, to June 11, 2014, were repackaged with WireLurker. 467 apps were trojanized, and were downloaded a total of 356,104 times.

The malware would arrive on the victims’ Mac machines via these downloaded trojanized apps. Once installed, it would make contact with its C&C server and request updates. It would also start “listening” for iOS devices connected to the Mac machine via USB. If the connection was detected, the malware would first ascertain whether the iOS device was jailbroken or not.

“For a non-jailbroken iOS device, WireLurker simply installs iOS applications that it downloads, leveraging iTunes protocols implemented by the libimobiledevice library,” the researchers explained in a recently released paper.

“For a jailbroken iOS device, WireLurker backs up specific applications from the device to the Mac computer and trojanizes/repackages both backed up and additional downloaded applications with a malicious binary file. These altered iOS applications are then installed to the device through the same iTunes protocols noted above.”

The malware has been upgraded several times. It was initially unable to infect iOS devices and communicated with its C&C server in plaintext.

The OS X malware’s mission is to collect information about the iOS device connected to it (serial, phone, model number; device type, user’s Apple ID, UDID, Wi-Fi address, disk usage information) and to infect it. The iOS malware’s mission is to collect user data (address book contents, SMSes, iMessages, Apple ID information) and send it to a server controlled by the attackers.

“WireLurker exhibits complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to thwart anti-reversing,” the researchers pointed out. “This malware is under active development and its creator’s ultimate goal is not yet clear.”

While currently only Chinese users are under attack, all OS X and iOS users can benefit from this advice: avoid downloading apps from third-party stores or other untrusted sites. It’s also a good idea never to connect your iOS device to a computer you don’t trust.

And if you believe that your devices might already have been affected, you’d be wise to check the devices’ processes and files for anything suspicious. Palo Alto has also made available a Python script for OS X systems to detect known malicious and suspicious files and apps that exhibit characteristics of infection.
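As an added illustration (not Palo Alto Networks' script and not part of the original article), the sketch below checks launchd job definitions on a Mac for the two daemon names users reported. The directories scanned are the standard macOS launchd locations, which is an assumption since the article does not say where the daemons were registered, and the sample plists in `demo()` are constructed.

```python
import plistlib
import tempfile
from pathlib import Path

# Daemon names reported by affected users, as quoted in the article.
REPORTED_NAMES = ("machook_damon", "WatchProc")
# Standard macOS launchd locations (assumption: the article does not say
# where the reported daemons were registered).
LAUNCHD_DIRS = ("/Library/LaunchDaemons", "/Library/LaunchAgents")

def job_strings(job):
    """Collect the launchd keys that name a job or the binary it runs."""
    args = job.get("ProgramArguments", [])
    values = [job.get("Label"), job.get("Program")]
    values += args if isinstance(args, list) else [args]
    return [v for v in values if isinstance(v, str)]

def scan_launchd_dir(directory, names=REPORTED_NAMES):
    """Return sorted (plist file, matched name) pairs found in directory."""
    hits = set()
    for path in Path(directory).glob("*.plist"):
        try:
            with path.open("rb") as fh:
                job = plistlib.load(fh)  # reads XML and binary plists
        except Exception:
            continue  # unreadable or malformed plist, nothing to inspect
        if not isinstance(job, dict):
            continue
        haystack = [path.name.lower()] + [s.lower() for s in job_strings(job)]
        for name in names:
            if any(name.lower() in s for s in haystack):
                hits.add((path.name, name))
    return sorted(hits)

def demo():
    """Scan constructed sample plists (made up for this example)."""
    samples = {
        "com.example.updater.plist": {"Label": "com.example.updater"},
        "com.example.hook.plist": {"ProgramArguments": ["/opt/x/machook_damon"]},
        "com.example.watch.plist": {"Label": "WatchProc", "Program": "/opt/x/w"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for fname, job in samples.items():
            (Path(tmp) / fname).write_bytes(plistlib.dumps(job))
        return scan_launchd_dir(tmp)

if __name__ == "__main__":
    for d in LAUNCHD_DIRS:
        print(d, scan_launchd_dir(d))
```

A match is a lead for closer inspection of the referenced binary, not proof of infection, and an empty result does not rule out variants that use other names.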

Details about the malware, indicators of infection, remediation advice and more can be found in the company’s extensive paper (registration required).