Researchers Discover New 'WireLurker' Malware Affecting Macs and iOS Devices in China [Updated]

Researchers from Palo Alto Networks (via The New York Times) have published a research paper on WireLurker, a malware new family that's been infecting both Mac OS and iOS systems over the course of the past six months. The researchers say that WireLurker, which is targeting users in China, "heralds a new era in malware attacking Apple's desktop and mobile platforms."

The WireLurker malware is the "biggest in scale" in the trojanized malware family, and it is able to attack iOS devices through OS X using USB. It's said to be able to infect iOS applications similar to a traditional virus, and it is the first malware capable of installing third-party applications on non-jailbroken iOS devices "through enterprise provisioning."

Thus far, WireLurker has been used in 467 OS X apps in the Maiyadi App Store, which is a third-party Mac app store in China. The apps have been downloaded 356,104 times, infecting hundreds of thousands of users.

According to the researchers, WireLurker looks for iOS devices connected via USB to an infected Mac, installing malicious third-party applications onto the device even without a jailbreak.

WireLurker monitors any iOS device connected via USB with an infected OS X computer and installs downloaded third-party applications or automatically generated malicious applications onto the device, regardless of whether it is jailbroken. This is the reason we call it "wire lurker". Researchers have demonstrated similar methods to attack non-jailbroken devices before; however, this malware combines a number of techniques to successfully realize a new brand of threat to all iOS devices.

WireLurker exhibits complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to thwart anti-reversing. In this whitepaper, we explain how WireLurker is delivered, the details of its malware progression, and specifics on its operation.

Once installed, WireLurker can collect information from iOS devices like contacts and iMessages, and it's able to request updates from attackers. It's said to be under "active development" with an unclear "ultimate goal."

Palo Alto Neworks offers several recommendations for avoiding apps infected with WireLurker, including an antivirus product and Mac App Store installation restrictions that prevent apps from unknown third parties from being installed. Users should not download and run Mac apps or games from third-parry app stores, download sites, or other untrusted sources and jailbreaking should be avoided.

Unknown enterprise provisioning profiles must be avoided as well, and users should avoid pairing their iOS devices with unknown computers or charging with chargers from untrusted or unknown sources.

Palo Alto Networks has notified Apple of the malware, but an Apple spokesperson declined to offer a comment.

Update: Apple has issued a statement to iMore about the issue:

"We are aware of malicious software available from a download site aimed at users in China," an Apple spokesperson told iMore, "and we've blocked the identified apps to prevent them from launching. As always, we recommend that users download and install software from trusted sources."