Malware Infects Apple iOS DevicesNon-Jailbroken Devices Targeted by Trojanized Mac Apps
Apple iOS and Mac OS X devices are susceptible to a previously unseen malware family that spreads via a third-party Chinese app store, and which can infect even non-jailbroken iPhones, according to network security firm Palo Alto Networks.
Researchers at the firm, who dubbed the new malware family WireLurker, say the malware has been hidden in "Trojanized" versions of applications that appear to function normally, but which also include malicious capabilities, including the ability to steal iOS users' data.
Since first appearing in April, "WireLurker was used to Trojanize 467 OS X applications on the Maiyadi App Store, a third-party Mac application store in China," Palo Alto Networks information security researcher Claud Xiao says in a blog post. "In the past six months, these 467 infected applications were downloaded over 356,104 times and may have impacted hundreds of thousands of users."
Palo Alto Networks says it notified Apple of the attack campaign a couple of weeks ago, and an Apple spokesman says the company has put related defenses in place. "We are aware of malicious software available from a download site aimed at users in China, and we've blocked the identified apps to prevent them from launching," an Apple spokesman tells Information Security Media Group. "As always, we recommend that users download and install software from trusted sources."
WireLurker first infects an Apple OS X computer, then watches for any USB-connected devices, Palo Alto says. "WireLurker monitors any iOS device connected via USB [to] an infected OS X computer and installs downloaded third-party applications or automatically generated malicious applications onto the device, regardless of whether it is jailbroken," Xiao says. "This is the reason we call it 'wire lurker.'"
Once the malware infects an iOS device, it can infect other apps stored on the device, and it regularly "phones home" to attackers' command-and-control server to request updates, Palo Alto Networks says. To date, however, attackers don't appear to have used it for a major campaign.
Malware Targets China
While a number of the malicious techniques built into the malware have been previously demonstrated by researchers, Palo Alto Networks says this marks the first time that they've been gathered together and used for in-the-wild exploits. To date, however, the malware appears to have only been used to target users in China. But when it comes to Trojanized Mac OS X applications, the WireLurker campaign "is the biggest in scale we have ever seen," Xiao says.
"It's China - so anything seen there will be big," Sean Sullivan, security advisor at Finnish anti-virus firm F-Secure, tells Information Security Media Group. When it comes to Mac malware, he adds, "I'd say Flashback was bigger in some ways," referring to the 2012 Flashback malware that exploited a security flaw in Java to install itself on an estimated 600,000 Macs.
But Sullivan agrees with Palo Alto Networks' assessment that this is one of the biggest malware campaigns involving malicious code being piped from a Mac to an attached iOS device. Then there's the question of the attackers' motives. "Flashback was driven by profit and was tied to similar Windows malware," Sullivan says. "WireLurker's motives appear to be something else completely, and will probably cause significantly more concern in the long run."
To date, related attacks appear to be confined to China, Ryan Olson, the director of threat intelligence at Palo Alto Networks, tells Information Security Media Group. "This looks like a Chinese hacker who's behind this, targeting Chinese individuals, and it doesn't look like this attack was meant to spread outside China," he says.
WireLurker remains a work in progress, with Olson saying three distinct versions have emerged from April 30 to October 17 of this year, each with more extensive capabilities. Only the latest version has the ability to download and install iOS applications on both jailbroken and non-jailbroken devices and steal contacts from the address book, as well as copies of SMS messages. But Palo Alto Networks says it's found numerous pieces of half-finished functionality. "For the next stage, you would expect them to take the next, logical step and go and collect more types of information, maybe install something malicious," Olson says. Although with all of the attention being paid to WireLurker, he adds, it's also possible attackers might simply close up shop.
But iPhone and iPad owners who plug their devices into Mac OS X computers are not the only ones at risk from related attacks. Jaime Blasco, director of the vulnerability research team at AlienVault Labs, says he's discovered what appears to a Windows version of WireLurker. Researchers at Palo Alto Networks have confirmed that finding, noting that a WireLurker Windows installer - based on an older variant of the malware - first appeared on March 13, claiming to be an installer for pirated iOS apps. "The Windows variant opens a new vector for iOS users to be infected with WireLurker, but appears to have been less successful than its Mac OS X descendent," the Palo Alto Network researchers say.
Beware Enterprise Provisioning
Android users have long been warned against using third-party app stores, over fears that legitimate-looking applications - and especially "free" versions of paid apps - might have been Trojanized. But F-Secure's Sullivan says the WireLurker campaign goes beyond simply tricking people into downloading Trojanized apps from third-party Apple app stores. "WireLurker uses enterprise provisioning to install software - this is not just a 'third-party' market issue - this is really about people working hard to install apps from sources that they cannot trust. It's a level removed from third-party markets."
Apple's iOS configuration profiles are designed to enable enterprises to deploy iOS software directly to employees, without having to vet and distribute it via the Apple App Store, or else jailbreak the devices. In the hands of an attacker, however, such profiles allow them to install any iOS software of their choosing on a device, provided the iOS device has been set to "trust" the infected Mac, Sullivan says.
When users attempt to run an application that's been Trojanized with WireLurker, it asks the user to install a third-party provisioning profile, which Palo Alto Networks says has been signed by a Chinese company. "If the user chooses to continue, a third-party enterprise provisioning profile will be installed and WireLurker will have successfully compromised that non-jailbroken device," Palo Alto says. "Furthermore, users are typically none the wiser, since the application otherwise operates just like the legitimate version."
Palo Alto Networks warns that such malware eventually could also be adapted to be installed via malicious USB devices, such as third-party chargers.
So far, however, only users who attempt to download and run "free" versions of paid Mac OS X or iOS applications have been affected. As of Oct. 10, the most-downloaded WireLurker-infected apps, Palo Alto Networks says, were The Sims 3, International Snooker 2012, Pro Evolution Soccer 2014, Bejeweled 3 and Angry Birds.
"For now, only people engaging in 'bad' behavior are being targeted. Don't 'pirate' apps and you won't get WireLurker," Sullivan says.
Follows Mac "Rootpipe" Flaw
Palo Alto Networks' Apple malware advisory follows on the heels of Emil Kvarnhammar, a researcher at information security consultancy TrueSec, warning that he's discovered a flaw in Mac OS X "Yosemite," which he's calling "Rootpipe." The bug could be exploited by attackers to subvert Apple's password protections and gain super-user access rights for an account, reports Swedish daily newspaper Aftonbladet.
Kvarnhammar, who's a Swedish "white hat" hacker, hasn't said whether the flaw can be remotely exploited, but says he has tested Mac OS 10.8 and 10.9 and also found the bug there, noting that it may have existed in Apple's software for years. While Kvarnhammar provided a vague overview of the flaws in an October conference presentation, he's withholding releasing full details until January, to give Apple time to release a related fix in place. Security experts say that should any related exploits be launched before then, users would have to click through - and ignore - a number of OS X security prompts.