Apple mobile devices in China targeted by WireLurker malware

Thousands of users may be infected with malware that collects data from an iOS device, Palo Alto Networks said

Researchers at Palo Alto Networks said they've discovered an impressive malware attack against Apple devices, which for now appears to be limited to users of a Chinese application store.

The campaign revolves around infecting Mac OS X applications with "WireLurker," which collects call logs, phone book contacts and other sensitive information on Apple mobile devices.

Some 467 Mac OS X applications offered on a Chinese third-party application store called Maiyadi were found to have been seeded with WireLurker, including "The Sims 3," "International Snooker 2012" and "Pro Evolution Soccer 2014," according to Palo Alto's research paper.

Over the last six months, those applications and others have been downloaded 356,104 times "and may have impacted hundreds of thousands of users," the paper said.

Apple advises that users stick to downloading applications from its App Store, which it closely vets, and stay away from third-party stores for security reasons.

It would appear some people turn to the Maiyadi store because it offers applications for free, said Ryan Olson, intelligence director for Palo Alto Network's Unit 42, the company's threat intelligence branch.

Palo Alto analyzed three versions of WireLurker, each of which were improvements on the previous one, Olson said in a phone interview Wednesday. But it doesn't appear the WireLurker attack progressed beyond collecting data from mobile devices.

"We think we sort of caught someone developing the attack, and they haven't gotten to the point of launching the full attack," Olson said. "From our perspective, it still looks like an information gathering operation."

The WireLurker attack is notable for how it leverages desktop Mac applications as part of the attack on iOS. If someone downloaded a Mac OS X desktop application from Maiyadi, WireLurker came along with it.

WireLurker then waits for when an iOS device is connected by a USB cable. A second version of WireLurker checks if the Apple device was "jailbroken," the term for removing restrictions that Apple uses to prevent users from running applications it has not approved.

Then it would look to see if applications such as Taobao, Alipay or Meitu, a photo editing application, were installed, Olson said. If so, it would copy the application to the desktop Mac, infect it with WireLurker and copy it back to the device.

The third iteration of WireLurker targets iOS devices that are not jailbroken as well. In that version, WireLurker used a digital certificate that Apple issues to enterprise developers so they can run their own applications in-house that do not appear on the App Store.

Using the digital certificate means iOS would allow a third-party application to be installed, although it would display a warning to users, Olson said. If a user approves the installation, WireLurker could be installed along with a legitimate application.

Olson said Palo Alto Networks has been in contact with Apple in the last few days, which is now aware of WireLurker.

"There's no vulnerability here for them to patch, but they certainly want to be aware of malware and how it works," Olson said.

Apple could first revoke the enterprise digital certificate that WireLurker's creators are using, Olson said. The company could also issue an update to detect WireLurker in XProtect, Apple's antivirus engine, he said.

Send news tips and comments to Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags AppletelecommunicationapplicationsiossecurityMobile OSesmobilemalwarepalo alto networks

More about ApplePalo Alto Networks

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place