Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Feedback Friday: WireLurker Malware Targets Mac OS X, iOS – Industry Reactions

Researchers at Palo Alto Networks identified a new piece of malware designed to target Mac OS X and iOS users.

Researchers at Palo Alto Networks identified a new piece of malware designed to target Mac OS X and iOS users. The threat, called WireLurker, has potentially affected hundreds of thousands of users, almost all of them located in China. 

Cybercriminals are distributing the threat by trojanizing OS X apps hosted on third party app stores. The 467 malicious apps uploaded to the Maiyadi App Store have been downloaded more than 350,000 times.

Feedback Friday: WireLurker Malware

Once it infects a Mac, the malware downloads other malicious iOS application to the infected machine. When victims connect their iPads, iPhones or iPods via USB to the infected device, WireLurker installs the downloaded iOS applications onto them. The mobile component of WireLurker is capable of stealing information from infected devices.

The latest version of WireLurker is interesting because it can infect not only jailbroken devices, but also ones that haven’t been jailbroken. The threat can install the malicious iOS apps on non-jailbroken devices by signing them with a stolen code signing certificate.

Shortly after Palo Alto Networks disclosed details on WireLurker, researchers identified an older variant of the threat apparently designed to target computers running Microsoft Windows. 

The command and control servers used by the malware are currently offline and Apple has revoked the certificate used by the malware authors. However, experts believe WireLurker once again shows that Apple devices are not immune to malware.

And the Feedback Begins…

Ian Amit, Vice President of ZeroFOX:

“It’s interesting to see how malware is getting more holistic from an attack vector approach, utilizing technical vulnerabilities and elements, as well as human ones. This isn’t the first malicious code that is designed to “hop” between connected platforms, examples date back to variants such as Stuxnet that infected Windows based computers, which in turn affected Siemens PLCs. This is an interesting turn of events, as Apple’s iPhone is commonly considered a safe platform as long as it isn’t jailbroken.


Beyond the already familiar abuse of social interactions that allow the malware to run in the first place – essentially, having the victim ‘knowingly’ install it, WireLurker also abuses the trust between the victim’s PC and the iPhone connected to it, which grants it full access to the phone and it’s applications – apps can be backed up over USB, then restored to the phone, after the malware has modified them and inserted a backdoor.”

Greg Martin, CTO of ThreatStream:

“Wirelurker is being distributed via a 3rd party app-store called Maiyadi that is out of control of Apple.


The danger with third-party app stores such as Maiyadi is that Apple and Google have no vetting control of what gets added to 3rd party app stores, severely limiting their ability to protect end-users from running malicious apps. In-fact nearly all cases of known malware for the iPhones have originated from 3rd party app stores such as Cydia (App store for jailbroken iPhones) and now new ones like Maiyadi.

Monitoring these 3rd party app stores for malicious apps will become an opportunity for cyber security companies to help provide intelligence back to Apple and Google on what’s happening outside of their control.”

Steve Bell, security consultant, BullGuard:

“The really interesting thing about the WireLurker malware is the scale of the infection and how it is promulgated.  Because of the proprietary nature of Apple devices and the fact that apps are checked for malware before they go into the Apple store users have generally been protected in the past.


However, with an estimated 350,000 downloads of infected apps and the fact that the malware can also transfer via a USB port signals a serious notching up of hacker’s endeavours to hit Apple devices. In the US Apple users tend to stick to the Apple store which is wise. WireLurker shows precisely the danger of downloading apps from unregulated third party stores.


However, the use of a USB port to also transfer malware, while obvious and simple, could be potentially devastating. Without wishing to be alarmist, USB ports are an obvious vulnerability, and it’s not beyond the realms of possibility that hackers might use this to insert Trojans designed to lie dormant for a period. With Apple now putting its considerable weight behind Apple Pay, hackers have serious motivation.”

Carl Wright, General Manager for TrapX Security:

“What has enabled the success of the creators of WireLurker is the concept of transitive trust. This two-way approved relationship automatically created between parties has long been an Achilles heel to security professionals trying to ensure the validity of transactions on a more or less case by case bases.


This recent hack continues to illustrate the trade-off the end users must consider between that of maintaining security of the end point device and innovative new applications that may not be developed or certified by Apple.


In the end, the price may indeed be too extreme for corporations who desire to take advantage of end user BYOD.”

Jared DeMott, Security Researcher with Bromium Labs:

 “People still seem to think malware on the Mac is less likely than on Windows.  If this is true, it’s simply because attackers are less interested in Mac.  The relative attack surface is just as big (similar chance to find and exploit bugs) as on Windows or any other modern operating system.


In fact, my suspicion is that Macs really are exploited more than people realize.  But it’s either typically by better funded attackers, who know how to stay hidden, or because Apple in general does a better job at managing bad security press when compared to Windows.


This particular malware is distributed not in the form of an exploit, but in the form of pirated software.  China in particular, is known to run a lot of illegal software.  Thus, it’s not surprising the Chinese took the brunt of this round, considering the deployment mechanism.”

Mark Parker, Senior Product Manager, iSheriff:

“Wirelurker introduces a new threat vector in a place that was thought to be secure. The concept of using trojan software to download new threats is not new, that is something that has been in practice for many years. However, up to this point the software on iOS devices has been considered secure since the only software on the device would come through the heavily vetted Apple App Store.


By using the workstation’s USB connection as an avenue to surreptitiously install the Trojan applications, the protection afforded by the App Store is leap frogged in an effective manner. Since it has shown success, there is sure to be more advancement and copycats. The introduction of the mobile phone as a method of payment will increase the potential for attacks. Wherever there is money, there is always going to be Malware built to try to get access to that money.


This approach of using the workstation USB connection to another device could also be used in other “closed system” environments. Examples of this could be physical security system maintenance, or point-of-sale terminals that can only be maintained via a workstation USB connection, or similar method. It is always important to ensure that all workstations, even those of workers off-site, are protected from endpoint, web, and email based attacks at all times. The need for security doesn’t stop when the device leaves the network, especially in cases of workers that will be connecting to these types of devices.”

Kenneth Bechtel, Malware Research Analyst, Tenable Network Security:

 “With a resurgent BlackEnergy now targeting network routers and WireLurker spreading like wildfire across China’s iOS devices, this has been an interesting week to be in the malware business. But the thing to keep in mind is that despite the hype, neither of these threats herald an impending Internet apocalypse, though both deserve to be taken seriously.


WireLurker infects iOS through compromised OS X machines. Following successful malware trends, it is modular and updateable, having 467 applications hosted on the Maiyadi App Store (a third-party store hosted in China). This threat can now infect non-jail broken iOS devices simply by connecting an iPhone/ iPad/ iPod to a computer to sync the calendar or contacts list. This concept is very frightening to many users, and means it won’t be long before it spreads to countries outside of China.”

Michael Sutton, VP of Security Research for Zscaler:

 “We keep waiting for mobile malware to eclipse traditional PC malware but it turns out that we’re waiting for the wrong thing. We’ll never see the drive by downloads and fast spreading device to device malware that we’ve become accustomed to in the Windows world, due to the differing architectures of Windows vs Mobile operating systems. That doesn’t however mean that malware on mobile devices isn’t a concern, it just means that malware is being forced to evolve and adapt to a more restrictive environment.


This is especially true for iOS devices and WireLurker represents a new advance on that front. Whether or not Apple designed their Walled Garden for security purposes or not, the fact that iOS apps must primarily be installed only from the iOS App Store, where they can first be vetted by Apple, has made malicious apps on non-jailbroken devices a rare commodity. WireLurker took advantage of an exception to this rule.


WireLurker abuses the fact that there is another way to get apps onto non-jailbroken devices. Apple allows enterprise development teams to leverage Enterprise Provisioning as a means to push homegrown apps to employees without the hassle of hosting them in the App Store. The process is still restricted and requires the use of an Apple supplied code signing certificate and provisioning profiles pushed to devices, but it does provide an alternative. The authors of WireLurker appear to have stolen a legitimate code signing certificate from Hunan Langxiong Advertising Decoration Engineering Co. Ltd., in order to pushed apps to non-jailbroken devices via provisioning profiles.”

Steve Hultquist, chief evangelist at RedSeal:

“Trust. It’s the first requirement for security, but seldom considered by consumers. In the case of WireLurker, existing trust between an iOS device and a Mac becomes the surrogate for malware to infect the devices. When the Mac user mistakenly places trust in a third-party app site to only offer uninfected applications for download, it opens the door to infection of the Mac and then the iOS devices.


This is another example of the sophistication and automation of attacks that are growing inexorably into the future. Attackers are both more subtle and more capable than ever before. This attack resulted in over a quarter of a million infected downloads, in all likelihood impacting thousands of people and devices, all because of misplaced trust.


This attack and others that will follow underscore the need for proactive security efforts, from application design-for-security to trust architectures and automated analysis of potential access paths. Without automated proactive prevention, attacks will continue to grow in volume and impact. Enterprises need to take notice, since these consumer attacks are merely the ice above the water. The enterprise and governmental attacks are the bulk under the sea.”

Until Next Friday…Have a Great Weekend!

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.