How to Check WireLurker Malware Infection on Jailbroken iOS Device

WireLurker malware was recently found to infect both jailbroken and non-jailbroken iOS devices when they are connected over USB to an infected Mac.

Meanwhile, Apple has issued a public statement on WireLurker, saying it will block the apps that are found to be the source of this malware.

The spread of the malware through infected systems in China was first reported by The New York Times; the attacker controlling the malware could gain unauthorised access to a victim's personal information, including iMessage content and contact details.

In addition, the malware may also send this information to third-party servers for malicious use.

The original source of the infection has been traced back to the Maiyadi App Store, a third-party Mac app store in China, which has been the source of 467 infected Mac OS X apps that were downloaded 356,104 times in the past six months.

According to a recent research report published by Palo Alto Networks, the malware has been infecting both Macs and iOS devices in China over the course of six months, using the same infection method as a regular computer virus.

Here are some excerpts from the research paper published by Palo Alto Networks that describe how this malware works:

WireLurker monitors any iOS device connected via USB with an infected OS X computer and installs downloaded third-party applications or automatically generated malicious applications onto the device, regardless of whether it is jailbroken. This is the reason we call it "wire lurker". Researchers have demonstrated similar methods to attack non-jailbroken devices before; however, this malware combines a number of techniques to successfully realize a new brand of threat to all iOS devices.

WireLurker exhibits complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to thwart anti-reversing. In this whitepaper, we explain how WireLurker is delivered, the details of its malware progression, and specifics on its operation.

Users with jailbroken iOS devices can check for WireLurker malware infection in just a few simple steps, courtesy of Reddit user pod5g:

  • Open iFile on your iOS device, or connect to the device over SSH.
  • Navigate to /Library/MobileSubstrate/DynamicLibraries
  • Look for a file called sfbase.dylib. If the file is present, your device may be infected; if it is absent, you have nothing to worry about.
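For those who prefer to do the check from an SSH session rather than by browsing in iFile, the following script performs the same three steps. It is an added example and is not part of the original article, the Reddit post or the Palo Alto Networks report; the only indicator it looks for is the file name the article gives (sfbase.dylib under /Library/MobileSubstrate/DynamicLibraries), and the optional directory argument exists so the script can be tried on another machine against a constructed directory. The function names wirelurker_status and check_wirelurker are this example's own.

```shell
#!/bin/sh
# Added example: check a jailbroken iOS device for the WireLurker indicator
# named in the article. Run it over SSH on the device; on any other host pass
# a directory to inspect instead (used below for a constructed test directory).

# Directory the article points at. MobileSubstrate loads every .dylib it finds here.
WIRELURKER_DIR="/Library/MobileSubstrate/DynamicLibraries"
# File name reported as the WireLurker indicator on jailbroken devices.
WIRELURKER_IOC="sfbase.dylib"

# wirelurker_status [dir]
# Prints exactly one token so callers can branch on it:
#   INFECTED      sfbase.dylib is present in dir
#   CLEAN         dir exists but sfbase.dylib is not in it
#   NO_SUBSTRATE  dir does not exist (device not jailbroken, or MobileSubstrate missing)
wirelurker_status() {
    dir="${1:-$WIRELURKER_DIR}"
    if [ ! -d "$dir" ]; then
        echo "NO_SUBSTRATE"
    elif [ -e "$dir/$WIRELURKER_IOC" ]; then
        echo "INFECTED"
    else
        echo "CLEAN"
    fi
}

# check_wirelurker [dir]
# Human-readable report: the verdict plus a listing of every dylib in the
# directory, so anything else unexpected can be reviewed by hand. Exit status
# is 1 when the indicator is present, 0 otherwise.
check_wirelurker() {
    dir="${1:-$WIRELURKER_DIR}"
    status="$(wirelurker_status "$dir")"
    case "$status" in
        INFECTED)
            echo "INFECTED: $dir/$WIRELURKER_IOC is present"
            ls -l "$dir/$WIRELURKER_IOC"
            ;;
        CLEAN)
            echo "CLEAN: $WIRELURKER_IOC not found in $dir"
            ;;
        NO_SUBSTRATE)
            echo "NO_SUBSTRATE: $dir does not exist"
            return 0
            ;;
    esac
    echo "Dynamic libraries present in $dir (review anything you do not recognise):"
    ls "$dir"/*.dylib 2>/dev/null || echo "  (none)"
    [ "$status" != "INFECTED" ]
}

# Run the report for the directory given on the command line, or the default path.
check_wirelurker "$@"
```

Run it on the device as `sh check_wirelurker.sh` (or paste the two functions into an SSH session and call `check_wirelurker`); a non-zero exit means the indicator was found, which makes the check easy to wire into a loop over several devices.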

Those who are yet to jailbreak their devices on iOS 8 can check out our step-by-step guides for Windows and Mac posted here.