New Malware for Mac OS X and iOS Combined Into Single Attack
[UPDATE] Researchers at Palo Alto Networks have uncovered a new piece of malware designed to target devices running Apple’s OS X and iOS operating systems, and may have been installed by hundreds of thousands of users.
The malware, which they have dubbed “WireLurker,” can infect even non-jailbroken iOS devices through trojanized and repackaged OS X applications, and is the first known malware family that can infect installed iOS applications similar to how a traditional virus would, the network security firm explained.
Currently, the iOS component of WireLurker is only spread through an infected Mac OS X computer via USB, and the malware appears to be distributed mostly in China through a popular Apple-related software website called Maiyadi. Cybercriminals trojanized most of the applications uploaded to the Maiyadi App Store between April 30 and June 11, the researchers said.
As of Oct. 16, stats reveal that 467 malicious apps had been downloaded 356,104 times, with almost half of the total number of downloads attributed to trojanized versions of popular games such as The Sims 3, International Snooker 2012, Pro Evolution Soccer 2014, Bejeweled 3, Angry Birds, Spider 3, NBA 2K13, GRID, Battlefield: Bad Company 2, and Two Worlds II.
Once it finds itself on a computer, WireLurker drops malicious executables, dynamic libraries and configuration files. The downloaded pirated apps work normally to avoid raising any suspicion, the researchers said.
Some of the executable files dropped by the malware are loaded by OS X as launch daemons. There are daemons for command and control (C&C) communications, for downloading malicious iOS applications signed with enterprise certificates, and for attacking iOS devices connected to the infected computer via USB.
“The C2 domain (www.comeinbaby.com) stopped resolving sometime earlier today so the malware won’t be able to phone home any longer,” Ryan Olson, Intelligence Director at Palo Alto Networks, told SecurityWeek on Thursday afternoon.
In case a non-jailbroken device is detected, the malware simply installs the downloaded iOS applications. WireLurker abuses iTunes protocols implemented by the libimobiledevice library to install the malicious apps onto iPhones and iPads.
On jailbroken devices, the malware is capable of injecting code into system applications, which allows it to steal contact names, phone numbers and Apple IDs, and send them back to the C&C server.
Users in China first reported seeing this malware on June 1, but Palo Alto said the first version of WireLurker appeared in late April. Researchers have spotted a total of three versions, each of them more advanced than its predecessor.
From May 2014 through September 28, 2014, five different WireLurker files (representing three different versions) were submitted to VirusTotal, and none of the 55 detection engines used by VirusTotal flagged the samples as malware, the security firm said.
The first version was not capable of downloading and installing iOS apps to connected devices, and communicated with the C&C without encrypting traffic. In the second variant, the distribution of which began on May 7, the malware developers had already added functionality for downloading and installing iOS apps, but only for jailbroken devices.
The third version, released sometime before August, comes with several improvements. It can install apps on both jailbroken and non-jailbroken devices and it uses custom encryption to communicate with its C&C server.
While malware designed to target Apple devices is far from being as widespread as Windows threats, cybercriminals are clearly not neglecting the OS X and iOS platforms. A perfect example is the recently uncovered Mac.BackDoor.iWorm, which is said to have infected thousands of devices running Mac OS X.
However, Palo Alto Networks has pointed out that of all the malware families distributed through trojanized or repackaged OS X apps, WireLurker is the biggest in scale. The threat is also the first known piece of malware to automate the generation of malicious iOS programs via binary file replacement, and the first to infect iOS applications similar to a traditional virus.
Researchers say WireLurker is also the first piece of malware to install third-party apps on non-jailbroken devices through enterprise provisioning, but they haven’t been able to determine its creators’ ultimate goal.
Palo Alto Networks wrote a Python script for Mac OS X systems which can detect known malicious and suspicious files, as well as applications that exhibit characteristics of a WireLurker infection. The script is available at Github at no charge.
If any WireLurker-related files are found on a Mac OS X system, the researchers suggest inspecting all iOS devices that have connected to that computer.
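The article notes that WireLurker persists on the Mac through launch daemons and phones home to a C2 domain, and that Palo Alto Networks released a detection script. The following is an added example, not that script and not code from the article: it shows two triage checks an incident responder can run offline, flagging LaunchDaemon plists whose program lives outside the directories Apple ships daemons in (or whose label imitates Apple's while the binary does not), and scanning DNS log lines for the C2 domain quoted in the article. The plist contents, labels, paths and log lines are constructed sample data, and the allow-listed path prefixes are an assumption to tune for your own fleet.

```python
"""Heuristic triage for WireLurker-style persistence and C2 traffic on OS X.

Added example, not Palo Alto Networks' detection script. It (1) parses
LaunchDaemon plists and flags jobs whose program is outside the system
locations Apple uses, or whose label claims to be Apple's while the binary
is not, and (2) scans DNS log lines for the C2 domain named in the article.
All plists and log lines below are constructed sample data.
"""
import plistlib
import re
from typing import Dict, List

# C2 domain reported in the article.
C2_DOMAINS = {"www.comeinbaby.com"}

# Where Apple-shipped daemon executables normally live (assumed allow-list;
# a third-party daemon under /Library or /usr/local will be flagged for review).
APPLE_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/",
                  "/sbin/", "/bin/")


def daemon_program(job: dict) -> str:
    """Return the executable a launchd job would run, or '' if none is set."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""


def suspicious_daemons(plists: Dict[str, bytes]) -> List[dict]:
    """Map {plist path: raw plist bytes} to a list of findings."""
    findings = []
    for path, raw in plists.items():
        try:
            job = plistlib.loads(raw)
        except Exception as exc:  # a malformed plist is itself worth a look
            findings.append({"plist": path, "label": "", "reasons": [f"unparseable: {exc}"]})
            continue
        program = daemon_program(job)
        label = job.get("Label", "")
        reasons = []
        if program and not program.startswith(APPLE_PREFIXES):
            reasons.append(f"program outside Apple paths: {program}")
        if label.startswith("com.apple.") and not program.startswith(APPLE_PREFIXES):
            reasons.append(f"Apple-style label {label!r} but non-system binary")
        if reasons and job.get("RunAtLoad") and job.get("KeepAlive"):
            reasons.append("persistent (RunAtLoad + KeepAlive)")
        if reasons:
            findings.append({"plist": path, "label": label, "reasons": reasons})
    return findings


# Matches the hostname field of the constructed DNS log format used below.
QUERY_RE = re.compile(r"query=(?P<host>[A-Za-z0-9.-]+)")


def c2_lookups(log_lines: List[str]) -> List[str]:
    """Return the log lines whose queried hostname is a known C2 domain."""
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and m.group("host").lower().rstrip(".") in C2_DOMAINS:
            hits.append(line)
    return hits


# Constructed sample plists: one real Apple daemon, one label-spoofing job in
# /usr/local, and one ordinary third-party daemon (flagged for manual review).
SAMPLE_PLISTS = {
    "/System/Library/LaunchDaemons/com.apple.syslogd.plist": plistlib.dumps({
        "Label": "com.apple.syslogd",
        "ProgramArguments": ["/usr/sbin/syslogd"],
        "KeepAlive": True,
    }),
    "/Library/LaunchDaemons/com.apple.example-helper.plist": plistlib.dumps({
        "Label": "com.apple.example-helper",            # constructed label
        "ProgramArguments": ["/usr/local/bin/example-helper"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
    "/Library/LaunchDaemons/org.example.backup.plist": plistlib.dumps({
        "Label": "org.example.backup",                   # constructed label
        "Program": "/Library/Example/backupd",
    }),
}

# Constructed DNS log lines (one lookup of the reported C2 domain).
SAMPLE_DNS_LOG = [
    "2014-11-06T14:02:11 client=10.0.0.12 query=www.apple.com type=A",
    "2014-11-06T14:02:13 client=10.0.0.12 query=www.comeinbaby.com type=A",
    "2014-11-06T14:02:20 client=10.0.0.15 query=time.apple.com type=A",
]

if __name__ == "__main__":
    for finding in suspicious_daemons(SAMPLE_PLISTS):
        print(finding)
    for line in c2_lookups(SAMPLE_DNS_LOG):
        print("C2 lookup:", line)
```

To run this against a live system, replace SAMPLE_PLISTS with the bytes of each file under /Library/LaunchDaemons and /Library/LaunchAgents, and feed c2_lookups your resolver or proxy logs after adjusting QUERY_RE to their format; any hit is a cue to inspect the Mac and, per the article's advice, every iOS device that has been connected to it.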
UPDATE: The authors of WireLurker have signed the malicious iOS apps with enterprise certificates so that they can be installed on non-jailbroken devices. According to Palo Alto Networks, Apple has taken steps to block the malware by revoking the certificates used to sign the applications, and the Command and Control system was shut down.