WireLurker: A New Age In Mac OSX, iOS Malware

WireLurker authors are likely independent individuals based in China who are Mac development experts and cybercrime amateurs.

Sara Peters, Senior Editor

November 6, 2014

3 Min Read
Dark Reading logo in a gray background | Dark Reading

Individuals just beginning to dabble in cybercrime are ushering in a new age of iOS and Mac OSX malware, according to research released Wednesday by Palo Alto Networks. The new malware, dubbed WireLurker, has been in active development for months, has infected probably hundreds of thousands of OSX and iOS devices, but has not yet done any real damage.

The WireLurker attackers "probably aren't people who do this often," says Ryan Olson, intelligence director of Palo Alto Networks' Unit 42. They are "clearly very skilled MacOS or iOS developers," but they definitely are not very experienced in writing malware.

The WireLurker attackers seem to have been fiddling with the malware without a coherent plan of attack in place. The only data they ever extracted was information to help distribute the malware -- device IDs and contact lists, not SMS message content or other sensitive data. They didn't employ some basic cybercrime best practices -- like obfuscation and encrypting command-and-control traffic -- until version 3.

Nevertheless, they created a threat unlike anything Mac users have had to contend with before.

The attackers Trojanized 467 OSX apps on the Maiyadi App Store, a third-party Mac app store in China that's particularly good at stocking pirated software. Palo Alto estimates that "almost all" of the Mac apps uploaded to Maiyadi between April 30 and June 11 were infected with WireLurker. Olson says Maiyadi was abused but not compromised; the attackers themselves most likely infected the applications and uploaded them themselves, instead of somehow infecting apps that had been uploaded by others. All told, those Trojanized apps were downloaded more than 356,000 times.

Though WireLurker does infect OSX laptop and desktop machines, the ultimate target seems to be iOS devices. When the two are connected through USB, the OSX machine will look for certain apps on the iOS device and pull them on to the OSX machine, which replaces certain components of that app with malware and pushes it back to the iOS device. This is only the second malware that attacks iOS through OSX via USB, and it is the first to automate generation of malicious iOS apps through this binary file replacement tactic.

One of the newer versions of WireLurker infects iOS in a way that is "weird by any account," says Olson. Apple has an enterprise provisioning system that businesses can use to develop proprietary applications and distribute them through their company machines without having to go through the App Store. The third version of WireLurker was able to "infect" non-jailbroken iOS devices with an app that was signed with an Apple enterprise provisioning certificate -- but it wasn't malware. It was a legitimate app from a comic book company.

"So this was probably a test," says Olson, and the next step would be to deploy a malicious or infected certified application. In the meantime, Apple has revoked the cert, but WireLurker has proven that non-jailbroken iPhones can be infected in this manner.

The importance of WireLurker is not WireLurker specifically but that "the use of all these techniques... is really new and different for Mac," Olson says. Nevertheless, "I don't think this is going to be a huge widespread problem." Apple is still largely protected by the tight control it has over its app stores, "but they're not immune."

As for who created WireLurker, Palo Alto's best guess is that this is one individual or a small group of individuals operating within China, independently of any nation-state. They could be a startup malware house, so to speak, in the new financially motivated, politically independent cybercrime underground growing behind the Great Wall. Trend Micro outlined the nature of this burgeoning industry in a September report.

About the Author

Sara Peters

Senior Editor

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law -- a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.


Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights