Malware family distributed through trojanised and repackaged Apple OS applications
Potential threat to businesses, governments and Apple customers worldwide
Palo Alto Networks has announced the discovery of a new family of Apple OS X and iOS malware exhibiting characteristics unseen in any previously documented threats targeting Apple platforms.
This new family, dubbed WireLurker, marks a new era in malware across Apple’s desktop and mobile platforms, representing a potential threat to businesses, governments and Apple customers worldwide, the company said in a statement.
Among its defining characteristics, WireLurker represents:
The first known malware family that can infect installed iOS applications similar to how a traditional virus would;
The first in-the-wild malware family that can install third-party applications on non-jailbroken iOS devices through enterprise provisioning;
Only the second known malware family that attacks iOS devices through OS X via USB; and
The first malware family to automate generation of malicious iOS applications through binary file replacement
“WireLurker is unlike anything we’ve ever seen in terms of Apple iOS and OS X malware,” said Ryan Olson, intelligence director of Palo Alto Networks’ threat intelligence team, Unit 42.
“The techniques in use suggest that bad actors are getting more sophisticated when it comes to exploiting some of the world’s best-known desktop and mobile platforms.
“As such we have provided full protection to Palo Alto Networks customers and published a detailed report so others can assess the risk and take appropriate measures to protect themselves,” he added.
WireLurker malware was discovered by Claud Xiao of Unit 42, and detailed in a report titled WireLurker: A New Era in OS X and iOS Malware.
“WireLurker was used to trojanise 467 OS X applications on the Maiyadi App Store, a third-party Mac application store in China. In the past six months, these 467 infected applications were downloaded over 356,104 times and may have impacted hundreds of thousands of users,” Xiao said in his report.
“WireLurker monitors any iOS device connected via USB with an infected OS X computer and installs downloaded third-party applications or automatically generated malicious applications onto the device, regardless of whether it is jailbroken. This is the reason we call it ‘wire lurker.’
“Researchers have demonstrated similar methods to attack non-jailbroken devices before; however, this malware combines a number of techniques to successfully realise a new breed of threat to all iOS devices.
“WireLurker exhibits complex code structure, multiple component versions, file hiding, code obfuscation and customised encryption to thwart anti-reversing,” Xiao said in his report.
Following its initial observation in the wild in June by a developer at Tencent, Palo Alto Networks researchers have determined WireLurker’s potential impact, assessed the methods available to prevent, detect, contain and remediate the threat, and detailed the protections available for Palo Alto Networks customers.
Palo Alto Networks has released signatures to detect all WireLurker Command & Control communication traffic. It is recommended that customers using OS X or iOS devices deploy a strict policy for blocking WireLurker traffic using the Palo Alto Networks enterprise security platform.
A full list of system recommendations, remediation techniques and best practices is included in the WireLurker report.