New in OS X: Get MacRumors Push Notifications on your Mac

Resubscribe Now Close

Researchers Discover New 'WireLurker' Malware Affecting Macs and iOS Devices in China [Updated]

lightning_usb_cable_0_5_mResearchers from Palo Alto Networks (via The New York Times) have published a research paper on WireLurker, a malware new family that's been infecting both Mac OS and iOS systems over the course of the past six months. The researchers say that WireLurker, which is targeting users in China, "heralds a new era in malware attacking Apple's desktop and mobile platforms."

The WireLurker malware is the "biggest in scale" in the trojanized malware family, and it is able to attack iOS devices through OS X using USB. It's said to be able to infect iOS applications similar to a traditional virus, and it is the first malware capable of installing third-party applications on non-jailbroken iOS devices "through enterprise provisioning."

Thus far, WireLurker has been used in 467 OS X apps in the Maiyadi App Store, which is a third-party Mac app store in China. The apps have been downloaded 356,104 times, infecting hundreds of thousands of users.

According to the researchers, WireLurker looks for iOS devices connected via USB to an infected Mac, installing malicious third-party applications onto the device even without a jailbreak.
WireLurker monitors any iOS device connected via USB with an infected OS X computer and installs downloaded third-party applications or automatically generated malicious applications onto the device, regardless of whether it is jailbroken. This is the reason we call it "wire lurker". Researchers have demonstrated similar methods to attack non-jailbroken devices before; however, this malware combines a number of techniques to successfully realize a new brand of threat to all iOS devices.

WireLurker exhibits complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to thwart anti-reversing. In this whitepaper, we explain how WireLurker is delivered, the details of its malware progression, and specifics on its operation.
Once installed, WireLurker can collect information from iOS devices like contacts and iMessages, and it's able to request updates from attackers. It's said to be under "active development" with an unclear "ultimate goal."

Palo Alto Neworks offers several recommendations for avoiding apps infected with WireLurker, including an antivirus product and Mac App Store installation restrictions that prevent apps from unknown third parties from being installed. Users should not download and run Mac apps or games from third-parry app stores, download sites, or other untrusted sources and jailbreaking should be avoided.

Unknown enterprise provisioning profiles must be avoided as well, and users should avoid pairing their iOS devices with unknown computers or charging with chargers from untrusted or unknown sources.

Palo Alto Networks has notified Apple of the malware, but an Apple spokesperson declined to offer a comment.

Update: Apple has issued a statement to iMore about the issue:
"We are aware of malicious software available from a download site aimed at users in China," an Apple spokesperson told iMore, "and we've blocked the identified apps to prevent them from launching. As always, we recommend that users download and install software from trusted sources."

Top Rated Comments

(View all)

26 months ago
This is what everyone who always complain about Apple's vice-grip on openness doesn't understand. If you stick with the Apple pre-approved things you're safe 99.99% of the time. It's only when you open yourself to third party apps that you run the risk of malware. It can't exist without you opening the door to it.
Rating: 59 Votes
26 months ago

Rating: 27 Votes
26 months ago
this is why I love the closed environment Apple creates, if the consumer is smart, they will be unaffected 99percent of the time. Walled garden protect me from all the bad stuff please haha
Rating: 21 Votes
26 months ago
Trojan software exists on ALL systems. This is nothing new.

Anyone can write a program on Windows/Unix/OS X to do ANYTHING. That's really the point of personal computers. There is nothing Apple/Microsoft or anyone can do to stop this outside of using their approved app stores where they can take down a malicious app like this.

This article is just iHater bait to people who don't understand how software works. A virus or worm is a different thing. A trojan - can happen to any operating system at any time. A trojan is basically software that says it does one thing then actually does something else. That's what Apple's App Store helps avoid, apps like this. This proves, again, that the Apple closed app store protects users better.
Rating: 17 Votes
26 months ago
Thanks, Apple for your closed system and malware free environment. People in China want to get cheap apps or free app and this is their result of being cheap.


This is why I have always been a big fan of the walled garden!:cool::apple:
Not one of my Apple products has suffered any virus attacks.:cool::apple:

mine too. My Mac Mini is on 24/7 since bought in Nov attack, virus, malware ever.
Rating: 11 Votes
26 months ago

We gave jobs to them that just a few decades ago china had nothing to offer except fireworks! This is how they repay us in the many cruel ways that they have and the west refuses to wake up to what it's done to themselves! This could all be reversed.

And everyone who moved their business over there did it out of the kindness of their hearts, right?

:rolls eyes:
Rating: 10 Votes
26 months ago

What does jailbreaking have to do with this? Obviously use a known tool but other than that this is an over-reactive comment.

Because jailbreaking's single reason is to intendedly load un-signed code onto your iOS device, basically a much shorter route than the one this hack takes.

It's a simplified way of inviting malicious code onto your phone that basically can achieve the same results.

PS: Not that I'd flat out tell everyone not to jailbreak because of this.
If someone asked me to do it for them and they were determined to get it done, I'll help them for sure.

Glassed Silver:mac
Rating: 9 Votes
26 months ago
Wait, so the iOS-portion of the malware depends on the user accepting unknown Enterprise provisioning profiles? At that point, aren't you just asking for trouble?
Rating: 9 Votes
26 months ago
Sponsored by the Chinese government :cool:
Rating: 9 Votes
26 months ago

What does jailbreaking have to do with this? Obviously use a known tool but other than that this is an over-reactive comment.

Jailbreaking disables a lot of the security measures that apple has in place to prevent apps from outside the AppStore being installed. Obviously in this particular case it doesn't change the end result, but in many other cases it does.

I personally don't jailbreak my devices because I don't know where the apps on the Cydia store come from, who coded them, or what they might do in the background without my knowledge - as all of the "this app is trying to access _____ data" messages are disabled when you jailbreak, or more, the apps don't have to follow those rules so why would they?
Rating: 8 Votes

[ Read All Comments ]