What is WireLurker? Malware Attacking iPhones and iPads Through Your Mac

Malware that successfully infects Apple products is rare. On the Mac that was because criminals tended to go after the much bigger Windows market, while on the iPhone and iPad, Apple's App Store security has been exemplary.

Now however a new piece of malware has been discovered by US firm Palo Alto which infects iPhones and iPads by first infecting your computer and transferring the malware when you plug in your iOS device.

What is WireLurker?

Called WireLurker by Palo Alto Networks, this is a family of malware targeting both Mac OS X and iOS systems for the past six months.

"We believe that this malware family heralds a new era in malware attacking Apple's desktop and mobile platforms" Palo Alto said.

The "biggest in scale" attack which Palo Alto has ever seen represents a new way in which criminals are trying to crack the security of iPhones and iPads, by delivering the malware through a trusted computer.

Who is at risk?

At the moment, the malware is targeting Apple users in China. It is only affecting apps available in a Chinese third-party Mac OS X app store called the Maiyadi App Store.

Palo Alto says that in the last six months 467 infected apps were downloaded over 350,000 times, which means that hundreds of thousands of people could be at risk.

How does it work?

According to Palo Alto:

WireLurker monitors any iOS device connected via USB with an infected OS X computer and installs downloaded third-party applications or automatically generated malicious applications onto the device, regardless of whether it is jailbroken.

The fact this malware infects non-jailbroken iPhones and iPads is a significant point, as until now the only pieces of malware which had been found on the iOS platform where those which infected iOS devices which had been rooted or jailbroken.

What does WireLurker do?

Once it has infected a mobile device, WireLurker can steal a variety of information such as stealing your address book or reading iMessage text messages, and regularly requests updates from the attackers command and control server.

As smartphones are now the device on which we do everything from send personal emails to carrying out online banking, the amount of sensitive information stored on them is incredible.

Add to that the fact that more and more people are using their smartphones for work, and the threat increases significantly.

The fact the malware is actively looking for updates, means the attackers will be able to remotely add new features to the malware once it is installed on a device.

What has Apple said?

Apple's statement on WireLurker says that it has snuffed out the threat:

We are aware of malicious software available from a download site aimed at users in China, and we've blocked the identified apps to prevent them from launching. As always, we recommend that users download and install software from trusted sources.

Is that the end of WireLurker?

Almost certainly not. Palo Alto says that "this malware is under active development and its creator's ultimate goal is not yet clear."

What this means is that this campaign was just the first wave in what is likely to be a series of attacks against the Mac OS X and iOS platforms.

How to protect yourself against WireLurker?

The simple fact that most people are not downloading malicious apps from the Chinese Maiyadi App Store means they are not at risk.

However, as criminals begin to investigate this method of infecting iOS devices, the problem could become more widespread - but there are steps you can take to protect yourself:

• Employ an antivirus or security protection product for the Mac OS X system and keep its signatures up-to-date
• In the OS X System Preferences panel under "Security & Privacy," ensure "Allow apps downloaded from Mac App Store (or Mac App Store and identified developers)" is set
• Do not download and run Mac applications or games from any third-party app store, download site or other untrusted
• Keep the iOS version on your device up-to-date
• Do not accept any unknown enterprise provisioning profile unless an authorised, trusted party (e.g. your IT corporate help desk) explicitly instructs you to do so
• Do not pair your iOS device with untrusted or unknown computers or devices
• Avoid powering your iOS device through chargers from untrusted or unknown sources
• Similarly, avoid connecting iOS devices with untrusted or unknown accessories or computers (Mac or PC)
• Do not jailbreak your iOS device

What the experts say about WireLurker?

Michael Sutton from Zscaler:

WireLurker takes advantage of Enterprise Provisioning to install apps on the device, but when doing so users must accept a provisioning profile before apps can be installed. If the device is jailbroken, WireLurker has greater flexibility and can fully control the device.

Gavin Millard from Tenable Network Security:

Users should only ever download apps, on both desktop and mobile devices, from trusted sources and not jailbreak their iOS devices - unless they really understand, and are prepared to accept, the risks of doing so. They should also be mindful that others may not have been as diligent, so plugging devices into third party systems (such as a friend's PC) could open them up to the risk of infection.

Kevin Mahaffey from Lookout:

What's interesting here is that malware attacked a PC in order to gain access to a mobile device, not to attack the PC—yet another sign that mobile is becoming the dominant computing platform. Historically, attackers have focused their efforts on Android, given its popularity. Now, as the number of iOS devices has grown, especially in geographies where malware tends to originate, iPhones and iPads have become attractive attack targets as well.