The researchers said “the discovery of WireLurker poses a new era of malware” Rise and Spread WireLurker which has surfaced in China and is mostly being aimed at Chinese users of Apple devices was detected when a user realised that his iPhone was doing tasks it wasn’t supposed to. This malware has been doing the rounds for the past 6 months and the most surprising part – researchers still don’t know much on what this malware is supposed to do. Propagation methods Everyone who is familiar with Apple devices knows about its famous walled garden approach. This approach ensures that users are only allowed access to content regulated by Apple itself. From a security standpoint, this makes it very difficult for malware to get onto an Apple device. This has primarily been the reason for Apple products being malware resistent. This malware though, manages to decimate the walled garden. This malware not only uses unique route to get onto devices, it even created a new route for itself. WireLurker infects iOS devices via a MacBook. It gets itself downloaded onto a Macbook and then lurks in the shadows, waiting for the user to attach an iOS device to it. Once it detects an iOS device, it tries to find out if it is jailbroken or not. If it is jailbroken, WireLurker backs up the device’s apps to the Mac, where it repackages them with malware, and then installs the infected versions back on to the iOS device. If it was not jailbroken – which is the case for most iOS devices – WireLurker takes advantage of a technique created by Apple to allow businesses to install special software on their staff’s handsets and tablets. This involved placing infected apps on the device that had been signed with a bogus “enterprise certificate” – a code added to a product that is supposed to prove it comes from a trustworthy source. To ensure the device has accepted this certificate, a permissions request was made to pop up on the targeted iOS device on the user’s first attempt to run an infected app. It simply asked for permission to run the app, but if the user clicked “continue” it installed code called a “provisioning profile”, which told the iOS device it could trust any other app that came with the same enterprise certificate. “WireLurker is unlike anything we’ve ever seen in terms of Apple iOS and OS X malware,” said Ryan Olson, the company’s intelligence director. “The techniques in use suggest that bad actors are getting more sophisticated when it comes to exploiting some of the world’s best-known desktop and mobile platforms.” Third Party apps We mentioned that WireLurker was creating its own means of spreading itself. It does this by infecting other genuine app’s source codes. The apps affected include well known ones like Angry Birds. When such apps are infected, the malware is bound to spread far and wide. These infected apps are not downloaded from the Apple play store but from third-party app stores. Inquiries revealed a total of 467 Mac programs listed on the Maiyadi App Store had been compromised to include the malware, which in turn had been downloaded 356,104 times as of 16 Oct. Apple has issued a brief statement. “We are aware of malicious software available from a download site aimed at users in China, and we’ve blocked the identified apps to prevent them from launching,” it said. “As always, we recommend that users download and install software from trusted sources.” To minimise the risk of attack, we recommend to our users:
Do not download Mac apps from third-party stores Do not jailbreak iOS devices Do not connect their iOS devices to untrusted computers and accessories, either to copy information or charge the machines Do not accept requests for a new “enterprise provisioning profile” unless it comes from an authorised party, for example the employer’s IT department