Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


01:45 PM
Connect Directly

WireLurker: A New Age In Mac OSX, iOS Malware

WireLurker authors are likely independent individuals based in China who are Mac development experts and cybercrime amateurs.

Individuals just beginning to dabble in cybercrime are ushering in a new age of iOS and Mac OSX malware, according to research released Wednesday by Palo Alto Networks. The new malware, dubbed WireLurker, has been in active development for months, has infected probably hundreds of thousands of OSX and iOS devices, but has not yet done any real damage.

The WireLurker attackers "probably aren't people who do this often," says Ryan Olson, intelligence director of Palo Alto Networks' Unit 42. They are "clearly very skilled MacOS or iOS developers," but they definitely are not very experienced in writing malware.

The WireLurker attackers seem to have been fiddling with the malware without a coherent plan of attack in place. The only data they ever extracted was information to help distribute the malware -- device IDs and contact lists, not SMS message content or other sensitive data. They didn't employ some basic cybercrime best practices -- like obfuscation and encrypting command-and-control traffic -- until version 3.

Nevertheless, they created a threat unlike anything Mac users have had to contend with before.

The attackers Trojanized 467 OSX apps on the Maiyadi App Store, a third-party Mac app store in China that's particularly good at stocking pirated software. Palo Alto estimates that "almost all" of the Mac apps uploaded to Maiyadi between April 30 and June 11 were infected with WireLurker. Olson says Maiyadi was abused but not compromised; the attackers themselves most likely infected the applications and uploaded them themselves, instead of somehow infecting apps that had been uploaded by others. All told, those Trojanized apps were downloaded more than 356,000 times.

Though WireLurker does infect OSX laptop and desktop machines, the ultimate target seems to be iOS devices. When the two are connected through USB, the OSX machine will look for certain apps on the iOS device and pull them on to the OSX machine, which replaces certain components of that app with malware and pushes it back to the iOS device. This is only the second malware that attacks iOS through OSX via USB, and it is the first to automate generation of malicious iOS apps through this binary file replacement tactic.

One of the newer versions of WireLurker infects iOS in a way that is "weird by any account," says Olson. Apple has an enterprise provisioning system that businesses can use to develop proprietary applications and distribute them through their company machines without having to go through the App Store. The third version of WireLurker was able to "infect" non-jailbroken iOS devices with an app that was signed with an Apple enterprise provisioning certificate -- but it wasn't malware. It was a legitimate app from a comic book company.

"So this was probably a test," says Olson, and the next step would be to deploy a malicious or infected certified application. In the meantime, Apple has revoked the cert, but WireLurker has proven that non-jailbroken iPhones can be infected in this manner.

The importance of WireLurker is not WireLurker specifically but that "the use of all these techniques... is really new and different for Mac," Olson says. Nevertheless, "I don't think this is going to be a huge widespread problem." Apple is still largely protected by the tight control it has over its app stores, "but they're not immune."

As for who created WireLurker, Palo Alto's best guess is that this is one individual or a small group of individuals operating within China, independently of any nation-state. They could be a startup malware house, so to speak, in the new financially motivated, politically independent cybercrime underground growing behind the Great Wall. Trend Micro outlined the nature of this burgeoning industry in a September report.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
11/10/2014 | 3:20:41 AM
Any OS is Vulnerable
Illustrated here is that any OS is vulnerable.  For a long time there was this odd chant about GNU Linux being not hackable.  We all knew that was not entirely the case, but played along.  The truth is, as this article demonstrated, there is a way to explot any system to get that first fooot in the door.  We need to stop seeing software as hackable/not hackable.  Everything can be hacked, some easier than other, but anyone can be a victim.  Unless you're running OpenVMS, of course.  Don't even try anything with a solid OpenVMS box :-)    
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-12
Intesync Solismed 3.3sp1 allows Local File Inclusion (LFI), a different vulnerability than CVE-2019-15931. This leads to unauthenticated code execution.
PUBLISHED: 2019-12-12
Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP ...
PUBLISHED: 2019-12-12
An issue was discovered in Intesync Solismed 3.3sp1. An flaw in the encryption implementation exists, allowing for all encrypted data stored within the database to be decrypted.
PUBLISHED: 2019-12-12
A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrat...
PUBLISHED: 2019-12-12
The Scoutnet Kalender plugin 1.1.0 for WordPress allows XSS.