Security vendor Palo Alto Networks has released a research paper [registration required] describing WireLurker, a new family of malware using OS X applications to infect iOS devices.
First discovered in China, WireLurker is being distributed by repackaging third-party OS X applications and making them available from non-Apple app stores (and potentially other download sites).
When one of those Trojanised applications is run, it installs the OS X component of WireLurker, which in turn updates itself, downloads the iOS components, and then waits for an iOS device to be connected via USB.
If the connected device is jailbroken, it backs up certain apps (at this stage a small number aimed at the China market, such as the official client apps for Taobao and Alipay) from the device to the Mac, repackages them with malware, and then restores the modified apps to the device along with other malicious apps downloaded from the WireLurker command-and-control server.
WireLurker is then able to extract all contact names, phone numbers and Apple IDs from the device, which it forwards to its server.
For non-jailbroken devices, WireLurker just installs the malicious iOS apps it has downloaded from its server, abusing the enterprise provisioning mechanism that Apple provides for distributing in-house apps outside the App Store.
According to the Palo Alto report, WireLurker uses multiple methods to ensure that it keeps running in the background so it can detect when an iOS device is connected.
"WireLurker is now the only known active, non-jailbroken malware threat putting over 800 million iOS devices at risk," said the report.
So what does Palo Alto recommend to avoid falling foul of WireLurker?
• Enterprises should ensure their mobile device traffic is routed through a threat prevention system using a mobile security application like GlobalProtect
• Employ an antivirus or security protection product for the Mac OS X system and keep its signatures up-to-date
• In the OS X System Preferences panel under “Security & Privacy”, ensure the Gatekeeper setting “Allow apps downloaded from” is set to “Mac App Store” (or “Mac App Store and identified developers”)
• Do not download and run Mac applications or games from any third-party app store, download site or other untrusted source
• Keep the iOS version on your device up-to-date
• Do not accept any unknown enterprise provisioning profile unless an authorized, trusted party (e.g. your IT corporate help desk) explicitly instructs you to do so
• Do not pair your iOS device with untrusted or unknown computers or devices
• Avoid powering your iOS device through chargers from untrusted or unknown sources
• Similarly, avoid connecting iOS devices with untrusted or unknown accessories or computers (Mac or PC)
• Do not jailbreak your iOS device; if you do jailbreak it, only use credible Cydia community sources and avoid the use or storage of sensitive personal information on that device
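The enterprise provisioning route used on non-jailbroken devices, and the advice above not to accept unknown enterprise profiles, both come down to what a provisioning profile actually grants. The script below is an added example (not Palo Alto's code, and not from the report): it reads the XML plist that a .mobileprovision file carries inside its CMS/PKCS#7 envelope and reports whether the profile is an in-house (all-devices) profile, which team issued it, whether its application-identifier is a wildcard that covers any app the team signs, and whether it has expired. The sample profile bytes, team name and identifiers are constructed for the example; the fixed reference date exists only to keep the output deterministic. The slicing approach does not verify the signature (on a Mac, `security cms -D -i profile.mobileprovision` does), so use it to read a profile, not to trust one.

```python
import datetime
import plistlib

# Fixed "now" so the example is deterministic; pass the real clock in practice.
REFERENCE_NOW = datetime.datetime(2014, 11, 6)

# Constructed sample: the XML plist a real .mobileprovision carries, wrapped in a
# few bytes standing in for the CMS envelope. Team name and IDs are made up.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Name</key><string>Example In-House Profile</string>
  <key>TeamName</key><string>Example Corp (constructed)</string>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2015-11-01T00:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>ABCDE12345.*</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict>
</plist>"""
SAMPLE_PROFILE = (
    b"\x30\x82\x0b\x1e\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"  # fake CMS prefix
    + SAMPLE_PLIST
    + b"\x00" * 16                                                    # fake trailing signature bytes
)


def extract_profile_plist(blob: bytes) -> dict:
    """Return the plist dict embedded in a .mobileprovision blob.

    The plist sits verbatim inside the signed envelope, so slicing between
    '<?xml' and '</plist>' recovers it without checking the signature.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded XML plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def assess_profile(blob: bytes, now: datetime.datetime = REFERENCE_NOW) -> list:
    """Return (code, detail) findings describing what accepting this profile grants."""
    profile = extract_profile_plist(blob)
    findings = []
    team = profile.get("TeamName", "<unknown team>")

    # ProvisionsAllDevices is the in-house (enterprise) distribution flag: any
    # device that accepts the profile can run apps signed by this team.
    if profile.get("ProvisionsAllDevices"):
        findings.append(("enterprise", team))
    elif "ProvisionedDevices" in profile:
        # Ad-hoc or development profile: limited to the listed device UDIDs.
        findings.append(("device-limited", len(profile["ProvisionedDevices"])))
    else:
        findings.append(("unknown-distribution", team))

    entitlements = profile.get("Entitlements", {})
    app_id = entitlements.get("application-identifier", "")
    if app_id.endswith(".*"):
        # Wildcard: the profile is not tied to one app, any bundle ID under the team prefix works.
        findings.append(("wildcard-app-id", app_id))
    if entitlements.get("get-task-allow"):
        # Debuggable build; unusual for something handed to end users.
        findings.append(("debuggable", app_id))

    expires = profile.get("ExpirationDate")
    if expires is not None and expires < now:
        findings.append(("expired", expires.date().isoformat()))
    return findings


if __name__ == "__main__":
    for code, detail in assess_profile(SAMPLE_PROFILE):
        print(f"{code}: {detail}")
```

Run it against a real file with `assess_profile(open("x.mobileprovision", "rb").read(), datetime.datetime.now())`; an "enterprise" finding for a team you do not recognise is exactly the case the recommendation list tells users to refuse.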
The company has made available a Python script to help detect signs of WireLurker on a Mac.
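The report notes that WireLurker uses several methods to stay resident so it can notice a USB-connected device, and Palo Alto's script looks for the specific files and jobs named in the report. The following is an added example in the same spirit, not Palo Alto's detector and not based on any WireLurker indicator: it audits launchd job plists with generic persistence heuristics, flagging a job whose label borrows Apple's com.apple. prefix while living outside /System, a job whose executable (or its directory) is world-writable, a job that launchd will both start at boot and restart if killed, and a dangling job whose program is missing. The fixture it builds in a temporary directory (the com.example.updater and com.apple.ExampleHelper jobs and their paths) is constructed for the example.

```python
import os
import plistlib
import stat
import tempfile


def program_path(job: dict):
    """launchd runs either Program or ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def world_writable(path: str) -> bool:
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except OSError:
        return False


def audit_job(plist_path: str) -> list:
    """Return (code, detail) findings for one launchd job plist."""
    with open(plist_path, "rb") as fh:
        job = plistlib.load(fh)
    findings = []
    label = job.get("Label", "")
    # Apple's own jobs live under /System/Library/Launch*; a com.apple.* label
    # in /Library or ~/Library/Launch* is borrowing Apple's name.
    if label.startswith("com.apple.") and "/System/" not in plist_path:
        findings.append(("apple-label-outside-system", label))
    prog = program_path(job)
    if prog is None:
        findings.append(("no-program", label))
    elif not os.path.exists(prog):
        findings.append(("missing-program", prog))  # dangling job, or payload staged elsewhere
    elif world_writable(prog) or world_writable(os.path.dirname(prog)):
        findings.append(("world-writable-program", prog))  # any local user can swap the payload
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append(("always-on", label))  # started at boot and restarted if killed
    if world_writable(plist_path):
        findings.append(("world-writable-plist", plist_path))
    return findings


def audit_dir(dirpath: str) -> dict:
    """Audit every .plist in a Launch{Daemons,Agents} directory."""
    return {
        name: audit_job(os.path.join(dirpath, name))
        for name in sorted(os.listdir(dirpath))
        if name.endswith(".plist")
    }


def build_sample(root: str) -> str:
    """Constructed fixture under root: one ordinary job, one that trips the heuristics."""
    launch_daemons = os.path.join(root, "Library", "LaunchDaemons")
    os.makedirs(launch_daemons)
    good_dir = os.path.join(root, "Library", "Example")
    os.makedirs(good_dir)
    os.chmod(good_dir, 0o755)
    good_bin = os.path.join(good_dir, "updater")
    bad_dir = os.path.join(root, "Users", "Shared")  # stands in for a shared, writable location
    os.makedirs(bad_dir)
    os.chmod(bad_dir, 0o777)
    bad_bin = os.path.join(bad_dir, "run.sh")
    for path, mode in ((good_bin, 0o755), (bad_bin, 0o777)):
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\n")
        os.chmod(path, mode)
    jobs = {
        "com.example.updater.plist": {
            "Label": "com.example.updater",
            "ProgramArguments": [good_bin],
            "RunAtLoad": True,
        },
        "com.apple.ExampleHelper.plist": {  # constructed masquerading label
            "Label": "com.apple.ExampleHelper",
            "ProgramArguments": [bad_bin],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
    }
    for name, job in jobs.items():
        path = os.path.join(launch_daemons, name)
        with open(path, "wb") as fh:
            plistlib.dump(job, fh)
        os.chmod(path, 0o644)
    return launch_daemons


def run_sample() -> dict:
    """Build the fixture in a temp dir, audit it, and return the findings per plist."""
    with tempfile.TemporaryDirectory() as root:
        return audit_dir(build_sample(root))


if __name__ == "__main__":
    for name, findings in run_sample().items():
        print(name, findings or "clean")
```

On a real Mac, point `audit_dir` at /Library/LaunchDaemons, /Library/LaunchAgents and ~/Library/LaunchAgents; the heuristics are deliberately generic, so treat a hit as something to look at rather than a verdict, and keep a signature-based tool (or Palo Alto's script) for the known indicators.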
"WireLurker is unlike anything we've ever seen in terms of Apple iOS and OS X malware," said Palo Alto Networks' Unit 42 intelligence director Ryan Olsen.
"The techniques in use suggest that bad actors are getting more sophisticated when it comes to exploiting some of the world's best-known desktop and mobile platforms."