Virus-like 'WireLurker' malware targets Apple Mac and iOS devices

A new and 'unprecedented' malware family has been targeting Apple devices much like a traditional computer virus, and is thought to have infected up to 350,000 machines to date.

Apple blacklists 'iWorm' malware which infected 17,000 Macs
Apple blacklists 'iWorm' malware which infected 17,000 Macs

In a new report published today, Palo Alto Networks' Unit 42 research team reveals that ‘WireLurker' acts like a computer virus by infecting and repackaging applications on a third-party Mac app store, before spreading to iOS when a mobile device is paired to the desktop via USB.

The malware first targets 64-bit Mac OS X machines through the third-party Maiyadi App Store, which is popular in China for ‘enterprise provisioning', where businesses venture outside Apple's official Mac App Store to download bespoke enterprise software.

Researchers say that WireLurker has so far compromised 467 OS X applications on Maiyadi, with these applications having been downloaded 356,104 times.

Having downloaded one of the ‘trojanised' or ‘repackaged' applications, Palo Alto Networks says that the malware then lies in wait for the user to pair their Apple desktop to their iOS device (iPhone, iPad) via USB, at which point the downloaded third-party or automatically-generated malicious app (through binary file replacement) can be installed onto the mobile device, irrespective of whether it is jailbroken or not.

Jailbroken iOS devices are often most at risk; by jailbreaking, the operating system struggles to handle the new software - resulting in unexpected app behaviour - and these apps are typically more vulnerable to malware infections.

And although there have been similar type of attacks on non-jailbroken devices, Palo Alto says that WireLurker uses a different attack method.

“This malware combines a number of techniques to successfully realise a new breed of threat to all iOS devices. WireLurker exhibits complex code structure, multiple component versions, file hiding, code obfuscation and customised encryption to thwart anti-reversing,” reads the report's executive summary.

“WireLurker is unlike anything we've ever seen in terms of Apple iOS and OS X malware. The techniques in use suggest that bad actors are getting more sophisticated when it comes to exploiting some of the world's best-known desktop and mobile platforms,” said Ryan Olson, intelligence director of the Unit 42 group, in a statement.

“As such we have provided full protection to Palo Alto Networks customers and published a detailed report so others can assess the risk and take appropriate measures to protect themselves.”

Meanwhile, Eldar Tuvey, the CEO of mobile security firm Wandera, added in an email to SCMagazineUK.com that the malware family is evidence that – contrary to market perception – Apple is not immune from cyber-criminal attacks.

“The WireLurker malware outbreak is another example of how Apple is not immune to cyber-crime. While large-scale attacks on Apple devices are gaining momentum, the public should not take for granted the less publicised threats to their mobile devices that are occurring daily.  We are protecting customers from WireLurker and have seen three mining companies affected so far. Our multi-level security has identified and remediated the threat and we are keeping careful watch for new variants.”

There has been much speculation about the threat actor behind this new strain of malware, with some pointing the finger at the Chinese government, which was recently blamed for last month's man-in-the-middle (MiTM) attacks against local Apple iCloud users.

However, digital forensics expert Jonathan Zdziarski said on Twitter that the malware was ‘pitiful' and unlikely to come from a Chinese government who are ‘smart' when it comes to cyber-security.

“This is the most pitiful malware kit I've seen in a long time. [It] would be quite sad if it was from government. China is smarter,” he said.

In his analysis of the malware, he said that WireLurker is most concerned with identifying device owners rather than stealing content or performing destructive actions. “In other words, WireLurker seems to be targeting the identities of Chinese software pirates.”