Researchers have discovered a new family of malware that specifically targets Mac and iOS users in China.
Silicon Valley security firm Palo Alto Networks has published a report detailing how a new family of malicious software called WireLurker is distributed inside trojanized third-party apps hosted on the Chinese app store Maiyadi: the malware installs itself into Mac OS X when the user runs one of those downloaded apps. Claud Xiao, mobile security researcher at Palo Alto Networks, says the malware has been bundled into a total of 467 apps which have been downloaded more than 350,000 times, affecting potentially "hundreds of thousands of users" and making it "the biggest in scale we have ever seen."
WireLurker does not confine itself to the user's Mac. It sits patiently inside OS X and waits until the user connects another Apple device, such as an iPhone or an iPad, via USB, so that it can infect that device as well. This behavior is why the researchers who discovered the malware, which has been quietly lurking inside Chinese Mac users' systems for six months, decided to name it WireLurker.
What makes WireLurker an even bigger threat is that it can also infect non-jailbroken devices. Typically, iOS users jailbreak their iPhones and iPads so they can do away with the limits placed by Apple and install additional apps, themes and extensions not available on Apple's App Store. Non-jailbroken devices, on the other hand, stay inside Apple's walled garden, so to speak, and have usually been safe from the malware risk that comes with installing third-party apps.
"WireLurker monitors any iOS device connected via USB with an infected OS X computer and installs downloaded third-party applications or automatically generated malicious applications onto the device, regardless of whether it is jailbroken," says Xiao. "It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning."
For now, WireLurker has infected mostly Chinese users, but the technique itself is not tied to any region: the threat against Apple devices continues to grow, and nothing about this method prevents attackers from using it against American users' Macs and iOS devices.
Palo Alto Networks says the malware "creator's ultimate goal is not yet clear," but WireLurker is in "active development." So far, the malware has made off with nothing but users' messaging IDs and address book contacts, says Ryan Olson, intelligence director of Palo Alto Networks' Unit 42, the team which discovered WireLurker, but nothing stops the attackers from taking users' Apple IDs, spying on their iMessages, and having the malware automatically download and install updates for itself.
"They are still preparing for an eventual attack," says Olson. "Even though this is the first time this is happening, it demonstrates to a lot of attackers that this is a method that can be used to crack through the hard shell that Apple has built around its iOS devices."
Olson says his company has informed Apple about the threat, but Apple has so far declined to comment.
Mac and iOS users are advised to keep their OS X and iOS systems and anti-virus protection up-to-date and to refrain from downloading apps from third-party stores. Users should also avoid connecting their devices to untrusted computers and should not accept an enterprise provisioning profile unless it is authorized by a trusted party, such as the user's corporate IT department at work. Profiles already installed on an iOS device can be reviewed and removed under Settings > General (the Profiles entry); any profile the user cannot account for should be removed.
Lastly, it is recommended that users do not jailbreak their iPhones or iPads. If they do want to jailbreak their devices, they should use reliable sources such as the Cydia community and refrain from storing sensitive information on jailbroken devices.
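The mechanism Xiao describes, and the advice above about enterprise provisioning profiles, turn on one property of a profile: an in-house (enterprise) profile carries `ProvisionsAllDevices`, so an app signed under it installs on any device, jailbroken or not, with no App Store review. The following is an added example, not code from Palo Alto Networks or from the WireLurker report, showing how a practitioner can triage a `.mobileprovision` blob: pull the embedded plist out of the CMS wrapper, classify it as enterprise, ad-hoc, development or App Store, and reject enterprise profiles whose team is not on an allowlist. The team identifiers, names and sample profiles are constructed for the example, and the extraction does not verify the CMS signature.

```python
"""Triage an iOS provisioning profile (.mobileprovision) before trusting it.
Added example, not from the WireLurker report; all sample data is constructed."""
import plistlib
import re
from datetime import datetime, timezone

# A .mobileprovision is a CMS (PKCS#7) signed blob whose payload is an XML
# plist.  This pulls the payload out WITHOUT verifying the signature; on a Mac
# `security cms -D -i profile.mobileprovision` does the same with verification.
PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)

REPORT_DATE = datetime(2014, 11, 6)  # date of the WireLurker report, used as "now"


def extract_profile(raw: bytes) -> dict:
    """Return the plist dictionary embedded in a provisioning profile blob."""
    m = PLIST_RE.search(raw)
    if not m:
        raise ValueError("no embedded plist found in profile")
    return plistlib.loads(m.group(0))


def assess_profile(raw: bytes, trusted_teams: set, now: datetime = None) -> dict:
    """Classify the profile and list every reason not to accept it."""
    p = extract_profile(raw)
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    ents = p.get("Entitlements", {})
    if p.get("ProvisionsAllDevices"):
        # In-house/enterprise distribution: installs on ANY device, no App
        # Store review.  This is the channel WireLurker abused.
        kind = "enterprise"
    elif "ProvisionedDevices" in p:
        # Device-restricted profiles: development ones are also debuggable.
        kind = "development" if ents.get("get-task-allow") else "ad-hoc"
    else:
        kind = "app-store"
    team_ids = set(p.get("TeamIdentifier", []))
    reasons = []
    if kind == "enterprise" and not (team_ids & trusted_teams):
        reasons.append("enterprise profile from a team not on the allowlist")
    if kind == "development":
        reasons.append("debuggable development profile (get-task-allow)")
    exp = p.get("ExpirationDate")
    if exp is not None and exp < now:
        reasons.append("profile expired %s" % exp.date())
    return {
        "name": p.get("Name"), "kind": kind, "team": p.get("TeamName"),
        "team_ids": sorted(team_ids), "accept": not reasons, "reasons": reasons,
    }


def fake_profile(payload: dict) -> bytes:
    """Constructed stand-in for a signed .mobileprovision: DER-looking junk
    around a real XML plist, enough to exercise extract_profile()."""
    header = b"\x30\x82\x10\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
    return header + plistlib.dumps(payload) + b"\x00" * 8


# Constructed samples; the team ID "ABCDE12345" and names are hypothetical.
ENTERPRISE_PROFILE = fake_profile({
    "Name": "Example In-House Apps",
    "TeamName": "Example Corp",
    "TeamIdentifier": ["ABCDE12345"],
    "ProvisionsAllDevices": True,
    "ExpirationDate": datetime(2015, 6, 1),
    "Entitlements": {"application-identifier": "ABCDE12345.com.example.*",
                     "get-task-allow": False},
})
APPSTORE_PROFILE = fake_profile({
    "Name": "Example App Store Build",
    "TeamName": "Example Corp",
    "TeamIdentifier": ["ABCDE12345"],
    "ExpirationDate": datetime(2015, 6, 1),
    "Entitlements": {"application-identifier": "ABCDE12345.com.example.app",
                     "get-task-allow": False},
})

if __name__ == "__main__":
    for blob in (ENTERPRISE_PROFILE, APPSTORE_PROFILE):
        # Same profile, first with an empty allowlist, then with the team trusted.
        print(assess_profile(blob, trusted_teams=set(), now=REPORT_DATE))
        print(assess_profile(blob, trusted_teams={"ABCDE12345"}, now=REPORT_DATE))
```

The allowlist is the whole point: an enterprise profile is only as trustworthy as the team behind it, so the check rejects any `ProvisionsAllDevices` profile unless its `TeamIdentifier` was pre-approved by the party the user actually trusts (for a corporate device, IT). A real deployment should read the payload through a signature-verifying path rather than the regex used here.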