WireLurker attacks against iOS devices also launched from Windows PCs

Researchers find Windows applications designed to infect iOS devices with an older WireLurker malware variant

Attackers have used rogue applications for both OS X and Windows to infect iPhones and iPads in China with a malware program that steals contact information and other private data.

Researchers from Palo Alto Networks recently reported that the malware, dubbed WireLurker, was being installed on both jailbroken and non-jailbroken iOS devices when those devices were connected to Mac OS X systems that were running trojanized applications.

The researchers initially found that 467 OS X applications on a Chinese third-party Mac application store called Maiyadi had been modified and repackaged to push WireLurker onto iOS devices. Since then, they have also found 180 Windows applications designed to infect iOS devices connected to Windows PCs with an older variant of WireLurker.

The WireLurker-carrying Windows programs were hosted, together with 67 similar OS X apps, under an account on a cloud storage service run by Chinese Internet company Baidu. The applications were uploaded in March and were advertised as installers for popular iOS apps such as Facebook, WhatsApp, Twitter, Instagram, Minecraft, Flappy Bird and others.

"Between March 13 and today these programs have been downloaded 65,213 times, with 97.7 percent of the downloads being the Windows version," the Palo Alto Networks researchers said in a blog post Thursday.

Each of the Windows executable files had two IPA (iOS application archive) files bundled inside. One was the pirated version of the legitimate iOS app promised to users and the other was the WireLurker malware, the researchers said.

It seems that this older attack was not as successful as the latest one and only targeted jailbroken iOS devices. When executed, the Windows or OS X applications displayed a graphical interface that asked users to install iTunes and then connect their iOS devices to the computer. Users then had to click the install button when ready.

The Palo Alto Networks researchers ran tests with an iPhone 5s running iOS 7.1 and a 3rd-generation iPad running iOS 6 -- both jailbroken -- and found that the installer apps crashed or reported successful installations when no apps were installed on the iOS devices.

"We believe this failure was caused by poor coding quality and incompatibility between the malware and the iOS device, but the malware code does attempt the installation," the researchers said.

One interesting aspect of the attack is that the older WireLurker variant had binary code for three different architectures: 32-bit ARMv7, 32-bit ARMv7s and 64-bit ARM64.

"As far as we know, this is the first iOS malware that attacks the ARM64 architecture," the Palo Alto Networks researchers said.
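Added example, not from the article or the Palo Alto Networks report: a triage helper that lists the CPU slices in a universal (fat) Mach-O executable, such as the main binary inside an IPA. It assumes the three architectures ship in one fat file, which the article does not state; the function names are hypothetical and the sample bytes are constructed.

```python
import struct

FAT_MAGIC = 0xCAFEBABE            # universal-binary header; fields are big-endian
CPU_ARCH_ABI64 = 0x01000000       # flag marking a 64-bit CPU type
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = CPU_TYPE_ARM | CPU_ARCH_ABI64
CPU_SUBTYPE_MASK = 0x00FFFFFF     # top byte of cpusubtype holds capability bits

# (cputype, cpusubtype) -> name, values as defined in Apple's <mach/machine.h>
ARCH_NAMES = {
    (CPU_TYPE_ARM, 9): "armv7",
    (CPU_TYPE_ARM, 11): "armv7s",
    (CPU_TYPE_ARM64, 0): "arm64",
}

def list_fat_slices(data):
    """Return [(arch_name, offset, size)] for every slice in a fat Mach-O."""
    if len(data) < 8:
        raise ValueError("too short for a fat header")
    magic, nfat = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a fat Mach-O (magic %#x)" % magic)
    slices = []
    for i in range(nfat):
        entry = 8 + i * 20        # each fat_arch record is five 32-bit fields
        if entry + 20 > len(data):
            raise ValueError("truncated fat_arch table")
        cputype, subtype, offset, size, _align = struct.unpack_from(">IIIII", data, entry)
        key = (cputype, subtype & CPU_SUBTYPE_MASK)
        name = ARCH_NAMES.get(key, "cpu %#x/%d" % key)
        if offset + size > len(data):
            raise ValueError("slice %s extends past end of file" % name)
        slices.append((name, offset, size))
    return slices

def build_sample():
    """Constructed fat file: three 16-byte placeholder slices, no real code."""
    archs = [(CPU_TYPE_ARM, 9), (CPU_TYPE_ARM, 11), (CPU_TYPE_ARM64, 0)]
    base = 8 + 20 * len(archs)    # slices start right after the arch table
    header = struct.pack(">II", FAT_MAGIC, len(archs))
    for i, (cputype, subtype) in enumerate(archs):
        header += struct.pack(">IIIII", cputype, subtype, base + 16 * i, 16, 0)
    return header + b"\x00" * (16 * len(archs))

if __name__ == "__main__":
    for name, offset, size in list_fat_slices(build_sample()):
        print("%-7s offset=%d size=%d" % (name, offset, size))
```

Java class files share the `0xCAFEBABE` magic, so a triage pipeline should confirm the file came from an app bundle before trusting the result.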

Regardless of how successful this older attack was, it serves as a reminder that WireLurker-style infections can originate from any computer that iOS devices connect to, not just Macs. This is something that security researchers have warned about before.

Since the original report earlier this week, Apple said that it has taken action to block the malicious apps from launching.


Stories by Lucian Constantin
