Two days ago, on 5th November this year, Palo Alto Networks researchers published an announcement that they had come across new malware infecting iOS and Mac OS X software applications. The malware appears to be spreading from a Chinese application store.
WireLurker Spreading out of Chinese Maiyadi Application Store
The malware is called WireLurker, and what it appears to do is gather sensitive data such as call logs and phone contact information from affected users’ Apple iOS devices. It is known to be spreading from a third-party Chinese software store called Maiyadi, which has about 467 Mac OS X and 180 Windows executable applications available. Among these are “The Sims 3”, “Pro Evolution Soccer 2014” and “International Snooker 2012”.
“WireLurker was used to trojanize 467 OS X applications on the Maiyadi App Store, a third-party Mac application store in China. In the past six months, these 467 infected applications were downloaded over 356,104 times and may have impacted hundreds of thousands of users,” the researchers state.
“It seems Maiyadi is widely used by consumers because it offers some applications for free,” Palo Alto Networks’ threat intelligence branch director Ryan Olson said in an interview two days ago.
Three Versions of the WireLurker Malware
He also announced that the Palo Alto researchers have analyzed three versions of the malware, each an improvement on the previous one. It also appears that they caught it during its development, since the only thing it currently does is gather users’ information.
WireLurker’s technique is unusual in that it uses a Mac desktop application as part of the iOS attack. If a user downloads a desktop application from the Maiyadi store, the malware is installed along with it. It then does nothing until somebody connects an iOS device to the Mac via a USB cable.
At that point the second version of the malware activates and checks whether the device is “jailbroken”, a term used to describe devices from which Apple’s restrictions have been removed. If it is, the malware looks for certain applications installed on the iOS device (Taobao, Alipay, or Meitu, a picture-editing program), copies them to the Mac, infects them with the malware and copies them back to the iOS device.
The third variant is the most precise one. Using a digital certificate of the kind Apple usually issues to enterprise developers, it targets devices that are not “jailbroken”. Such certificates are issued to developers working on in-house applications that are not available on the Apple stores. When one of these applications is downloaded, a prompt to install a third-party application appears on the device; once the user approves it, the malware is installed along with it.
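The enterprise-certificate path described above works because an in-house provisioning profile is allowed to install apps on any device, not just on a listed set of test devices. The script below is an added example (not code from the article or from Palo Alto Networks) that parses the property list embedded in Apple `.mobileprovision` files and flags enterprise-distribution profiles, which is the kind of artifact a defender would want to inventory on a Mac after the incident. It assumes the standard layout of such files (a CMS signature wrapping an XML plist) and the usual Xcode profile directory; the profile bytes embedded here are constructed for the demonstration and are not real Apple artifacts.

```python
"""Inventory provisioning profiles and flag enterprise (in-house) ones.

Added example, not part of the original article. Assumes the standard
.mobileprovision layout: a CMS (PKCS#7) blob wrapping an XML plist.
The sample profile bytes below are CONSTRUCTED, not real Apple data.
"""
import plistlib
import re
from pathlib import Path

# Where Xcode normally stores downloaded profiles (assumed standard path).
PROFILE_DIR = Path.home() / "Library" / "MobileDevice" / "Provisioning Profiles"

# The XML plist sits between binary signature bytes; grab it non-greedily.
_PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_plist(data: bytes) -> dict:
    """Return the embedded plist of a CMS-wrapped .mobileprovision as a dict."""
    match = _PLIST_RE.search(data)
    if not match:
        raise ValueError("no embedded plist found in profile")
    return plistlib.loads(match.group(0))


def classify_profile(info: dict) -> str:
    """Classify a profile by its distribution method.

    Enterprise profiles carry ProvisionsAllDevices=true and no device list,
    so an app signed under one installs on any (non-jailbroken) device once
    the user accepts the install prompt. Development/ad-hoc profiles list
    specific device UDIDs; App Store profiles have neither.
    """
    if info.get("ProvisionsAllDevices"):
        return "enterprise"
    if info.get("ProvisionedDevices"):
        return "development-or-adhoc"
    return "appstore"


def flag_enterprise(profiles: list) -> list:
    """Given (label, raw_bytes) pairs, return labels of enterprise profiles
    together with the team name so an analyst can decide if it is expected."""
    flagged = []
    for label, raw in profiles:
        info = extract_plist(raw)
        if classify_profile(info) == "enterprise":
            flagged.append(f"{label}: team={info.get('TeamName', '?')}")
    return flagged


def scan_directory(directory: Path = PROFILE_DIR) -> list:
    """Read every .mobileprovision in a directory and flag enterprise ones."""
    pairs = [(p.name, p.read_bytes()) for p in directory.glob("*.mobileprovision")]
    return flag_enterprise(pairs)


# --- constructed sample profiles (fake CMS bytes around a hand-written plist) ---
def _wrap(plist_xml: bytes) -> bytes:
    return b"\x30\x82\x01\x00fake-cms-header" + plist_xml + b"\x00fake-signature-trailer"


SAMPLE_ENTERPRISE = _wrap(b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>InHouse Distribution (constructed)</string>
  <key>TeamName</key><string>Example Corp (constructed)</string>
  <key>ProvisionsAllDevices</key><true/>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>TEAMID0000.com.example.app</string>
  </dict>
</dict></plist>""")

SAMPLE_DEVELOPMENT = _wrap(b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Dev Profile (constructed)</string>
  <key>TeamName</key><string>Example Corp (constructed)</string>
  <key>ProvisionedDevices</key><array>
    <string>00000000-000000000000CAFE</string>
  </array>
</dict></plist>""")


if __name__ == "__main__":
    # Demo on the constructed samples, then on the real profile directory.
    for line in flag_enterprise([("sample_enterprise", SAMPLE_ENTERPRISE),
                                 ("sample_dev", SAMPLE_DEVELOPMENT)]):
        print("ENTERPRISE:", line)
    if PROFILE_DIR.is_dir():
        for line in scan_directory():
            print("ENTERPRISE:", line)
```

An enterprise profile showing up is not proof of compromise; organisations legitimately use them for internal apps. The point of the inventory is that any such profile whose team name the user does not recognise deserves a closer look, since that is exactly the mechanism the non-jailbroken variant relies on.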
Apple is aware of the issue, Olson confirms. According to Apple there is no security breach, but the company wants to study the malware and how it works, and may release an update so that XProtect detects it.
In the meantime, iOS users can check their devices with a detector tool that the researchers have published on GitHub.