Wirelurker – Malware attacking iPhones and iPads

iOS devices targeted through the Apple computers they connect to

Researchers from Palo Alto Networks recently released a study describing a new piece of malware targeting Apple Mac computers and iOS devices.  Dubbed “Wirelurker”, this piece of malware is not terribly sophisticated, but it does operate differently from previous malware.  So is this a serious threat, or the malware du jour?

Early signs are that this particular malware attack is not likely to infect your Apple Mac or iOS device, but the attack method it is using is pretty new, and definitely worth looking into.

Wirelurker targets iOS devices through the Apple computers they connect to.  Basically, the trojan is bundled into pirated versions of software (in this case, mostly in China).  When the pirated software is installed on a Mac, it sits and waits for an iPhone or iPad to be connected.

When an iOS device does connect to the infected computer, the Wirelurker software captures the device serial number, the phone number, the iTunes identifier (the email address you sign into the Apple App Store with), and other identifying information.  This information is only available when you’ve enabled the “Trust This Computer” option, which you have to do in order to sync with iTunes.  The captured information is uploaded to various Command and Control (C&C) servers on the Internet.

The Wirelurker software also attempts to install malicious versions of normal-looking applications on your iOS device.  If your phone is jailbroken, then the attack is much worse, as many of the protection features in a jailbroken device are either disabled or easily overridden.  If you have a standard iOS device, the Wirelurker software will attempt to use the Enterprise Provisioning feature of iOS to install applications.

So far it appears that this information is being used to identify people installing pirated software.  Odds are that if you haven’t downloaded and installed any pirated Chinese software for your Mac, you’re OK.  The security researchers who examined this malware have noted that while not terribly complex, the attack vector is likely to be copied by more skilled attackers.

So what can you do to protect yourself?

Unless you are absolutely certain, never use the "Anywhere" option.

First, be very careful when downloading and installing ANYTHING from the Internet.  If you are using a Mac, check to see if the application you are looking for is published in the App Store first, as Apple manages and tests applications that are available there.  That is not to say that it is impossible for malware to be in the Apple App Store, but odds are better that it will be discovered and removed.  Mac OS X doesn’t allow installation of software without a valid code signing certificate, and disabling that check will significantly reduce the security of your system.  By the way, this attack could work just as easily with a Windows machine, and will no doubt begin cropping up there as well in the future.
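To confirm that the code signing check described above (Gatekeeper, the setting behind the “Anywhere” option) is still switched on, and to see which installed apps it would refuse, you can use the built-in `spctl` tool. The script below is an added example, not part of the original post or of Palo Alto's detector; the function names are made up for illustration, and it checks Gatekeeper policy only, not Wirelurker itself.

```shell
#!/bin/sh
# Added example: audit Gatekeeper on a Mac (function names are hypothetical).

# Classify the text printed by `spctl --status`.
# Prints enabled / disabled / unknown; returns 0 only when enabled.
gatekeeper_state() {
    case "$1" in
        *"assessments enabled"*)  echo enabled;  return 0 ;;
        *"assessments disabled"*) echo disabled; return 1 ;;
        *)                        echo unknown;  return 2 ;;
    esac
}

# Print every app bundle in a directory that Gatekeeper would refuse to launch.
# $1 is the directory to scan (defaults to /Applications).
rejected_apps() {
    dir="${1:-/Applications}"
    for app in "$dir"/*.app; do
        [ -d "$app" ] || continue          # skip the unexpanded glob
        # spctl exits non-zero when the bundle fails the signing policy
        spctl --assess --type execute "$app" >/dev/null 2>&1 || echo "$app"
    done
}

# Report the Gatekeeper setting and list apps that fail assessment.
audit() {
    state=$(gatekeeper_state "$(spctl --status 2>&1)") || true
    echo "Gatekeeper: $state"
    if [ "$state" != enabled ]; then
        echo "Gatekeeper is not enforcing code signing; turn it back on in"
        echo "System Preferences > Security & Privacy."
    fi
    echo "Apps that fail Gatekeeper assessment:"
    rejected_apps /Applications
}

# spctl only exists on macOS, so do nothing elsewhere.
if command -v spctl >/dev/null 2>&1; then
    audit
fi
```

An app listed as failing assessment is not necessarily malicious, but it is unsigned or signed in a way Gatekeeper does not accept, so it is worth checking where it came from.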

Palo Alto Networks has developed a Wirelurker Checker for Apple Mac systems, to quickly check for the presence of Wirelurker on your system.  That software can be found here: https://github.com/PaloAltoNetworks-BD/WireLurkerDetector

Those awesome themes should make up for having a phone that is easily compromised....

Don’t jailbreak your iOS device.  While it does provide an awesome array of apps and functionality not present in the stock version of iOS, your security is greatly compromised.  Virtually every strain of malware impacting iOS devices that we know of requires the device to be jailbroken in order for the attack to succeed.

Using these kinds of public USB charging stations is a very bad idea.

Be extremely careful when connecting your phone to a USB port you don’t own.  It has become very common for airports and other public places to install USB ports for recharging of phones and tablets.  I cannot recommend more strongly that you never use one of those ports.  The simple fact is you do not know what is sitting on the other side of that connection.  Bring your AC adaptor and plug into a good old-fashioned electrical outlet.

Here’s a link to the original Palo Alto release on Wirelurker: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf

A great write-up by Jonathan Zdziarski, a malware researcher with lots of excellent iOS malware experience: http://www.zdziarski.com/blog/?p=4140

Thanks for reading, and stay safe out there!
