WireLurker malware is threatening Apple mobile devices

Security Experts at Palo Alto Networks have discovered a new variant of malware dubbed WireLurker that is infecting Apple mobile devices.

A new strain of malware dubbed WireLurker  is threatening Apple users, the malicious code is able to infect Apple iPhone and iPad syphoning user’data.

The malware was discovered for the first time by experts at Palo Alto Networks that revealed it exhibited behavior that had never been seen before malware targeting Apple mobile devices. The company estimates several hundred thousand Apple users have been already infected by WireLurker.

The malware in a first stage infects a host (desktop or laptop) which downloaded the malicious software from the web, then it waits for an Apple device (i.e. iPhone or iPad) to be connected via USB.

Once the Apple device is connected to the infected PC, WireLurker scans it analyzing the installed applications, then if a target app is present, it copies the app from the mobile device to the host, infects it and then install it again on the mobile unit.

The experts discovered that WireLurker only collect data from the compromised device, but, to date, no other malicious activity has been observed. The following graph shows detections of the WireLurker malware made by expert at Kaspersky Lab on OSX.

 

The experts at Palo Alto Networks expressed their concerns in the official blog post on the WireLurker malware:

“We believe that this malware family heralds a new era in malware attacking Apple’s desktop and mobile platforms based on the following characteristics:”

• Of known malware families distributed through trojanized / repackaged OS X applications, it is the biggest in scale we have ever seen
• It is only the second known malware family that attacks iOS devices through OS X via USB
• It is the first malware to automate generation of malicious iOS applications, through binary file replacement
• It is the first known malware that can infect installed iOS applications similar to a traditional virus
• It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning

Apple mobile devices are becoming a privileged target of cybercriminals due to the large number of devices worldwide and the lack of security measured installed by the Apple users.

The infection was spread initially through several hundreds apps offered via Maiyadi, a third-party Chinese software website .

“WireLurker was used to trojanize 467 OS X applications on the Maiyadi App Store, a third-party Mac application store in China. In the past six months, these 467 infected applications were downloaded over 356,104 times and may have impacted hundreds of thousands of users.” states the post.

WireLurker primarily targets Apple devices that have been “jailbroken” and that result vulnerable because users had disabled some security feature to run certain apps.

Experts also detected a strain of WireLurker that targets iPhones and carries an Apple digital certificate, but that version needs user approval to be executed.

The instance of WireLurker detected also targets popular Chinese apps like Taobao, Alipay or Meitu.

Apple has blocked the apps that could be used by threat actor to propagate the infection.

Pierluigi Paganini

Security Affairs –  (WireLurker, malware)