Security Experts:

Connect with us

Hi, what are you looking for?



Windows Version of WireLurker Malware Discovered

Researchers have identified an older variant of the recently uncovered WireLurker OS X/iOS malware which appears to have been designed to target computers running Microsoft Windows.

Researchers have identified an older variant of the recently uncovered WireLurker OS X/iOS malware which appears to have been designed to target computers running Microsoft Windows.

The Windows version of WireLurker was discovered by Jaime Blasco from AlienVault Labs, who made the connection after seeing that an executable file contained command and control (C&C) server addresses used by the malware.

According to Palo Alto Networks, early versions of WireLurker for Windows and OS X were developed in March and they were uploaded to a public cloud storage service of Baidu, Baidu YunPan, disguised as installers for pirated versions of popular iOS apps. The  Windows samples of the malware were created on March 13 on a Windows XP computer.

Researchers have identified 180 Windows applications and 67 OS X applications on the said website. However, in comparison to the 467 apps containing newer variants of WireLurker, which have been downloaded by Chinese users from the Maiyadi App Store more than 350,000 times, these programs had been downloaded only 65,213 times between March 13 and November 6. The Windows version accounts for 97.7% of the downloads, Palo Alto Networks said.

Based on the tests conducted by Palo Alto, it appears that the Windows version of WireLurker doesn’t work as it should.

“During our analysis, we connected an iPhone 5s running iOS 7.1 (jailbroken) and a 3rd gen iPad running iOS 6 (jailbroken) to infected Windows 7 and Windows XP systems,” Palo Alto Networks wrote in a blog post. “When using the iPhone 5s/iOS 7.1, the installer crashed after clicking the button; with the iPad, the interface shows ‘installation is successful’, but we did not find any new icon in the iPad display.  We believe this failure was caused by poor coding quality and incompatibility between the malware and the iOS device, but the malware code does attempt the installation.”

Researchers have pointed out an interesting aspect of the iOS malware. The threat contains binary code for 32-bit ARMv7, 32-bit ARMv7s, and 64-bit ARM64 architectures. This makes WireLurker the first iOS malware that targets the ARM64 architecture.

The Maiyadi App Store on which the initially discovered variants were hosted seems to be linked to the creators of the malware, Palo Alto said. One piece of evidence is the bundle identifier named “com.maiyadi.installer” in the OS X samples. The samples also include copyright information referencing Maiyadi.

The C&C servers user by WireLurker are currently inactive, and Apple has taken steps to ensure that its users are protected, including the revocation of the stolen code signing certificates used by the malware creators to run the malicious iOS apps on non-jailbroken devices.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...