Palo Alto Networks has published research on a malware family it is calling WireLurker. According to that research, the malware has been targeting Mac OS X and iOS systems for at least the past six months through the Maiyadi App Store, a third-party app store in China.
Claud Xiao of Palo Alto Networks lists several notable firsts for WireLurker:
- Of known malware families distributed through trojanized / repackaged OS X applications, it is the biggest in scale we have ever seen
- It is only the second known malware family that attacks iOS devices through OS X via USB
- It is the first malware to automate generation of malicious iOS applications, through binary file replacement
- It is the first known malware that can infect installed iOS applications similar to a traditional virus
- It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning
Xiao goes on to note that WireLurker was present in 467 OS X applications which were downloaded over 356,000 times. Of particular note is the fact that devices don’t need to be jailbroken in order to be infected. Jailbreaking is a somewhat common practice among users who wish to install iOS apps obtained outside of the official Apple App Store. Because WireLurker doesn’t require a jailbroken device, and spreads to iOS devices over USB from an infected OS X machine, it has the potential to reach a much wider user base.
Apple responded with a statement:
“We are aware of malicious software available from a download site aimed at users in China, and we’ve blocked the identified apps to prevent them from launching. As always, we recommend that users download and install software from trusted sources.”
Apple’s advice lines up with several of the actions Palo Alto Networks recommends to protect against WireLurker and similar threats:
- Enterprises should ensure their mobile device traffic is routed through a threat prevention system using a mobile security application like GlobalProtect
- Employ an antivirus or security protection product for the Mac OS X system and keep its signatures up-to-date
- In the OS X System Preferences panel under “Security & Privacy,” ensure “Allow apps downloaded from Mac App Store (or Mac App Store and identified developers)” is set
- Do not download and run Mac applications or games from any third-party app store, download site or other untrusted source
- Keep the iOS version on your device up-to-date
- Do not accept any unknown enterprise provisioning profile unless an authorized, trusted party (e.g. your IT corporate help desk) explicitly instructs you to do so
- Do not pair your iOS device with untrusted or unknown computers or devices
- Avoid powering your iOS device through chargers from untrusted or unknown sources
- Similarly, avoid connecting iOS devices with untrusted or unknown accessories or computers (Mac or PC)
- Do not jailbreak your iOS device; if you do jailbreak it, only use credible Cydia community sources and avoid the use or storage of sensitive personal information on that device
What do you think about the detection of WireLurker and the way it infects iOS devices? Much ado about nothing, or something to take seriously? Let us know in the comments below or on Google+, Facebook, or Twitter.
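The enterprise provisioning item above is the mechanism that lets WireLurker install apps on non-jailbroken devices. As an added example (not code from the Palo Alto Networks write-up or from Apple), the Python below reads the metadata embedded in an iOS provisioning profile so a defender can tell an enterprise (in-house) profile from a developer profile tied to specific devices; the profile bytes are constructed stand-ins, while the plist keys ProvisionsAllDevices, ProvisionedDevices, TeamName, ExpirationDate and Entitlements are the keys Apple writes into real .mobileprovision files.

```python
import plistlib
from datetime import datetime, timezone

def extract_plist(blob: bytes) -> dict:
    """Pull the embedded XML plist out of a .mobileprovision blob. The file is
    a CMS (PKCS#7) signed envelope with the plist inside as clear text, so the
    <?xml ... </plist> span is enough to read its metadata. The CMS signature
    itself is not verified here."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def classify_profile(blob: bytes, now=None) -> dict:
    """Summarise the trust-relevant fields of a provisioning profile.
    ProvisionsAllDevices=true marks an enterprise (in-house) profile: a device
    that accepts it will run any app signed by that team, the mechanism
    WireLurker uses on non-jailbroken iPhones. Developer/ad hoc profiles
    instead carry an explicit ProvisionedDevices UDID list."""
    p = extract_plist(blob)
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    app_id = str(p.get("Entitlements", {}).get("application-identifier", ""))
    return {
        "name": p.get("Name"),
        "team": p.get("TeamName"),
        "enterprise": bool(p.get("ProvisionsAllDevices", False)),
        "device_count": len(p.get("ProvisionedDevices", [])),
        "wildcard_app_id": app_id.endswith("*"),  # team can sign any bundle id
        "expired": p["ExpirationDate"] < now,
    }

def _fake_profile(fields: dict) -> bytes:
    """Constructed stand-in for a signed profile: opaque bytes around the plist."""
    return (b"0\x82\x10\x00\x06\t*\x86H\x86\xf7\r\x01\x07\x02"
            + plistlib.dumps(fields) + b"\x00<constructed-signature>")

# Constructed samples (not real profiles): one enterprise, one developer.
ENTERPRISE_SAMPLE = _fake_profile({
    "Name": "Constructed In-House Profile", "TeamName": "Example Corp",
    "ProvisionsAllDevices": True, "ExpirationDate": datetime(2030, 1, 1),
    "Entitlements": {"application-identifier": "ABCDE12345.*"},
})
DEV_SAMPLE = _fake_profile({
    "Name": "Constructed Dev Profile", "TeamName": "Example Corp",
    "ProvisionedDevices": ["00000000-0000000000000001", "00000000-0000000000000002"],
    "ExpirationDate": datetime(2014, 1, 1),
    "Entitlements": {"application-identifier": "ABCDE12345.com.example.app"},
})
```

For a real profile, pass the raw bytes of the .mobileprovision file to classify_profile; on a Mac the same plist can also be dumped with `security cms -D -i profile.mobileprovision`.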