Alleged Creators of WireLurker Malware Arrested in China

Three individuals suspected of being involved in the creation and distribution of a recently uncovered piece of malware referred to as “WireLurker” have been arrested and charged, the Beijing Municipal Bureau of Public Security said on Friday.

The suspects, identified by their surnames as Wang, Lee and Chen, were taken into custody on Thursday based on information provided to law enforcement authorities by the China-based security company Qihoo 360 Technology.

WireLurker, a threat designed to target devices running Mac OS X, iOS and Windows, was recently uncovered by Palo Alto Networks. The network security firm’s researchers identified a total of 467 malicious OS X apps which by mid-October had been downloaded by Chinese users over 350,000 times from an app store called Maiyadi. Cybercriminals distributed the threat by packaging it with popular games and applications.

After the malicious applications are installed on a Mac OS X device, the malware waits for victims to connect their iPhones or iPads to the infected machine via USB. WireLurker then installs malicious iOS applications capable of stealing sensitive information from infected devices. The threat could infect non-jailbroken devices since its authors signed the malicious iOS apps with enterprise certificates.

After Palo Alto Networks revealed the existence of WireLurker, Apple revoked these certificates in an effort to protect its customers. The security firm estimated that hundreds of thousands of users downloaded the malicious versions of the applications.

According to Chinese authorities, the suspects conspired to develop the malware for illegal profits. The website used to distribute the malware has been shut down, the Beijing Municipal Bureau of Public Security said in a statement published on its Sina Weibo account. Researchers have found evidence connecting the Maiyadi app store to the creators of the malware.

Initially, Palo Alto researchers only discovered the iOS and OS X versions of WireLurker, but AlienVault’s Jaime Blasco also identified a less successful Windows version of the threat.

“Wirelurker introduces a new threat vector in a place that was thought to be secure. The concept of using trojan software to download new threats is not new, that is something that has been in practice for many years. However, up to this point the software on iOS devices has been considered secure since the only software on the device would come through the heavily vetted Apple App Store,” Mark Parker, senior product manager at iSheriff, told SecurityWeek.

“By using the workstation’s USB connection as an avenue to surreptitiously install the Trojan applications, the protection afforded by the App Store is leap frogged in an effective manner. Since it has shown success, there is sure to be more advancement and copycats.”

Related: Feedback Friday: WireLurker Malware Targets Mac OS X, iOS – Industry Reactions