UPDATED 10:45 EDT / NOVEMBER 06 2014

WireLurker explained: How to keep your Mac and iOS devices safe

Named the most powerful brand of 2014 by Forbes Magazine, Apple Inc. is valued at $124.2 billion, beating out Microsoft and Google, which took the second and third slots respectively. Though this is a prestigious title, it comes with a price, as being the most powerful brand makes Apple a lucrative target for hackers.

Network security company Palo Alto Networks, Inc. has discovered new malware that’s targeting computers running Mac operating systems, as well as iOS devices. In a whitepaper entitled WireLurker: A New Era in iOS and OS X Malware, the security firm described it as a malware family distributed through trojanized OS X applications that is able to attack iOS devices via a USB connection with the computer running OS X.

Palo Alto Networks stated that it is the largest in scale it has ever seen, the first malware to automate the generation of malicious iOS apps through binary file replacement, and the first known malware that can infect installed iOS apps akin to how traditional computer viruses infect programs on a computer.

But what’s most troubling about WireLurker is that it’s the first malware able to install third-party applications on non-jailbroken iOS devices through enterprise provisioning. The malware has been identified as having originated in China, where it was used to trojanize 467 OS X applications on the Chinese third-party app store Maiyadi App Store. In the past six months, the 467 infected applications were downloaded over 356,104 times and may have already affected hundreds of thousands of Mac and iOS users.

What WireLurker wants

 

When WireLurker is installed, it patiently waits for the user to connect an iOS device using a USB cable. It then infects the iOS device and quietly monitors its activity, then installs third-party apps or automatically generated malicious apps, regardless of whether the device is jailbroken or not.

The malware abuses the trusted pairing relationship between the Mac and iOS device, thus the name ‘wire lurker.’ It is capable of stealing a range of information from the iOS device such as its serial number, phone number, iTunes store identifier, and other identifying information, which it then sends to a remote server.

The malware also regularly requests updates from the attackers’ command and control server, and it is believed to be in active development. Researchers have yet to determine WireLurker’s ultimate goal, as all it does for now is collect identifiers from the iOS devices, as if it merely wants to know who the owner of the device is.

Is your Mac infected?

 

If you want to know if your Mac has been infected with WireLurker, Palo Alto Networks offers the WireLurker Detector here.

To use it, open the Terminal application on your OS X system.

Execute this command to download the script:

curl -O https://raw.githubusercontent.com/PaloAltoNetworks-BD/WireLurkerDetector/master/WireLurkerDetectorOSX.py

Run the script in the Terminal:

python WireLurkerDetectorOSX.py

Read the output messages and detection result.

If you encounter any issue with the code or the result, you can create an issue here: https://github.com/PaloAltoNetworks-BD/WireLurkerDetector/issues

Get rid of WireLurker

 

The way to get rid of WireLurker altogether is to delete the suspicious apps from your iOS device and from your Mac. To determine which apps are indeed suspicious, check whether the file “/Library/MobileSubstrate/DynamicLibraries/sfbase.dylib” exists. If it does, you need to open a terminal connection and manually delete it.

Update: Since the writing of this article, Apple has released a statement that it has blocked the infectious apps.

3 tips on how to keep safe

 

Though WireLurker is able to attack non-jailbroken iOS devices, as a general rule, it is best not to have your iOS device jailbroken as it weakens the overall security of your device. Also, jailbroken iOS devices run afc2, an insecure service that allows access to the device’s root file system, making the device more vulnerable to hackers and malware.

It is quite enticing to jailbreak your iOS device, as it gives you access to third-party app stores that offer paid, premium apps for free, but these apps often come with malware and this is where the problem begins.

Even if your Mac or iOS device is not infected by WireLurker, you can’t be sure that the computers of your friend, classmate, officemate or boss, or those at your school or office, aren’t infected by the malware. So as a precaution, do not trust other devices to connect to your network or your computer, and do not connect your device to other people’s computers. Only trust your own device.

photo credit: illuminaut via photopin cc
