Apple-Pestering WireLurker Banished for Now
Nov 7, 2014 10:45 AM PT
Palo Alto Networks on Wednesday reported that more than 400 apps infected with a malicious program it calls "WireLurker" have been downloaded 356,104 times by Chinese Mac owners from Maiyadi, an online app store unaffiliated with Apple.
The malware does no harm to the Macs it infects but when the computer connects via USB to an iOS device -- an iPhone or iPad -- it delivers its malicious payload.
"The Mac component only appears to be there to infect the iOS device," said Ryan Olson, intelligence director of Palo Alto Networks' Unit 42.
"It doesn't steal any information from the Mac. It seems to be there as a conduit to get to the iPhone," he told TechNewsWorld.
Although using a computer as a backdoor into a mobile phone has appeared in the Windows/Android world in the past, it's a new wrinkle for OS X/iOS devices.
"We were surprised by this," Olson said. "This is a brand new technique. We haven't seen it before in Apple."
Jumping the Pond
Typically, an app unapproved by Apple -- like the one infected with WireLurker -- can be installed only on jailbroken iOS devices -- those altered by users to disable Apple's security measures. However, WireLurker can infect even non-jailbroken phones.
"iOS is a very secure, sandboxed environment, but what they've shown is they can -- through a specific sequence of events -- get an infected application onto an iOS device," Intego CEO Jeff Erwin told TechNewsWorld.
The malware appears to be more a proof of concept than a high risk to users, he maintained.
"In order for someone to be infected with this piece of malware, they'd have to ignore all the security built into the Mac and the iOS device," Erwin explained. "It's like having 15 deadbolts on the front door of your house, but when you leave for work, you leave the door open."
Once the malware is on an iPhone or iPad, it steals the device owner's user ID, the device's ID, all contacts in the address book, and all user IDs of anyone who has communicated with the device through Apple's messaging program, iMessage.
Apple has been working for a long time on integrating OS X and iOS, and with their most recent releases, it has made great strides in doing so. However, while integration makes things easier for users, it also can lead to problems like WireLurker.
"As long as we have that kind of talking between operating systems, this sort of cross-platform malware is definitely a possibillity," Lysa Myers, a security researcher at Eset, told TechNewsWorld.
Apple has addressed the problem following Palo Alto's publication of its findings.
It is aware of malicious software available from a download site aimed at users in China, the company said in a statement, adding that it has blocked the identified apps to prevent them from launching. It also advised users to download and install software only from trusted sources.
Threat Shut Down
Although potentially thousands of Chinese iPhones are infected with WireLurker, chances are low that it could spread to the United States.
"It looks like they were really targeting Chinese users exclusively," Olson said.
However, the malware might already be on U.S. soil.
"It's probably already happened," said Michael Shaulov, CEO of Lacoon Mobile Security.
"In the United States, you have a population of Chinese-speaking individuals. They access application stores in China," he told TechNewsWorld. "The Internet is for everyone from everywhere. As long as you know the Chinese language, you will go to Chinese sites to download apps."
Apple's actions and the scuttling of the server that had been issuing commands and controlling the software have removed any threats posed by the malware, however.
"This attack is over," Olson said.
However, it's "totally possible" that the same actors or someone else could deploy a new attack later on, he added.
"We expect these tactics to be used in future pieces of malware," Olson said, "but for now, this version of WireLurker looks like it has been shut down."