Incident Response, Malware, TDR

Apple addresses OS X, iOS WireLurker malware threat, C&C goes offline

The command-and-control server for WireLurker – a new family of malware targeting OS X and iOS systems – has been taken offline and a legitimate certificate that enabled non-jailbroken iOS devices to be infected has been revoked by Apple, Ryan Olson, intelligence director with Palo Alto Networks' Unit 42, told on Thursday.

“We are aware of malicious software available from a download site aimed at users in China, and we've blocked the identified apps to prevent them from launching,” according to an Apple statement emailed to on Thursday.

The download site mentioned in the statement is Maiyadi App Store, a third-party OS X and and iOS application store in China, according to a Palo Alto Networks research paper.

More than 450 apps trojanized by WireLurker were uploaded to the store between April 30 and June 11, and were downloaded more than 350,000 times as of mid-October, the paper indicates, adding that the top downloaded malicious apps include The Sims 3, International Snooker 2012, Pro Evolution Soccer 2014, Bejeweled 3 and Angry Birds.

In a Thursday email correspondence, Patrick Wardle, director of research at Synack, told that Apple released a new XProtect signature that will prevent the trojanized apps infecting users with WireLurker from launching, but he added that it does not help with existing infections.

“Worse, the attackers could change a single bit of their malware, and it would no longer be detected, since the hash would change,” Wardle said. “So yes, Apple does prevent the exact original trojanized apps from running, but it's far from a comprehensive solution. Users can easily get infected by new trojanized apps. To be fair though, users should realize it's a bad idea to be downloading [and] running apps from untrusted sources.”

WireLurker was first observed infecting OS X systems when users would download one of the aforementioned trojanized apps, Olson said, adding the malware is persistent. Next, WireLurker would compromise iOS devices that connected to the infected OS X system via USB.

For jailbroken iOS devices, WireLurker looked for certain popular iOS apps on the device and repackaged them with malware, Olson said. When one of those apps was next launched, the iOS device would be successfully infected, enabling exfiltration of information, such as phone numbers.

Non-jailbroken iOS devices were able to be compromised because the attackers somehow obtained a legitimate certificate – it has now been revoked – meant for use in Apple's enterprise provisioning feature, which essentially assists organizations in distributing their own apps outside of the App Store, Olson said.

WireLurker was observed downloading a comic reader to non-jailbroken iOS devices that was signed by the certificate, Olson said. If opened, all the user had to do is accept the request to open a third-party application and they would then be infected.

Palo Alto Networks was unable to glean a clear motive for the attacks, according to the research paper, but the threat serves as something of a beta infection infrastructure for Apple systems. “For WireLurker, I wouldn't be too concerned,” Olson said. “I'd be concerned about the next attack.”

Wardle agreed, explaining that because WireLurker does not appear to self-propagate or have any worm-like characteristics, the only way an OS X computer is likely to be infected is by downloading one of the apps from the Maiyadi App Store. He added that iOS devices may still be infected by connecting via USB to an infected OS X computer.

“I've always said OS X malware isn't a big concern but it may be someday,” Charlie Miller, a security researcher with Twitter who gained fame for finding notable vulnerabilities in Apple products, told in a Thursday email correspondence. “I don't think that day has come yet, but stuff like this makes me think that day is coming pretty soon.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.