A pernicious piece of Apple-focused malware reared its ugly head this week. It may have infected as many as 356,000 users.
The malware first infects Mac OS X machines, from standard desktop Macs to MacBooks, and then infiltrates all other iDevices, from iPhones to iPads, by installing rogue apps on them when they’re connected by USB. And unlike previous strains of iOS malware, it doesn’t need the device to be jailbroken. Palo Alto Networks, the company that has investigated and given a name to WireLurker, calls it a “new breed of threat to all iOS devices”. A developer at Tencent initially observed WireLurker at the start of June.
It’s little surprise so many downloaded WireLurker, given it was packaged inside seemingly legitimate apps, including some big-name games – Sims 3, Pro Evolution Soccer 2014 and Angry Birds to name a few. They were unofficial, pirated versions of the games, however. And those who did get infected, who were only trying to get knock-off copies of those titles, likely had various pieces of data stolen from their Apple devices, including the machine’s ID number and the Wi-Fi addresses it used.
Herein lies the intriguing element to this nasty piece of kit. The malware seems to be more concerned about identifying the device owners rather than stealing much data. “In other words, WireLurker seems to be targeting the identities of software pirates,” noted Jonathan Zdziarski, an iOS security expert. On jailbroken iPhones, the malware does seek to acquire more information, including SMS messages.
Could WireLurker be a law enforcement tool? If it is, then it’s another sign that the NSA isn’t fazed by Apple’s attempts to keep its users secure and private. Just last month, the agency was accused of trying to intercept iCloud users’ passwords, which it subsequently denied.
WireLurker was able to get malicious apps onto iOS devices by abusing “enterprise provisioning”. This allows apps not in Apple’s official stores to be downloaded as long as they are signed by an enterprise certificate, which Apple could revoke (though Zdziarski notes additional certificates could be issued and fresh copies of the malware installed). Users should always fear Apple’s requests for confirmation to open a third-party application, unless certain of its authenticity.
Zdziarski thinks that WireLurker looks primitive, yet shows up a major security hole in Apple’s pairing mechanism between its PCs and mobile devices. “The real issue is that the design of iOS’ pairing mechanism allows for more sophisticated variants of this approach to easily be weaponized,” he added. “While WireLurker appears fairly amateur, an NSA or a GCHQ, or any other sophisticated attacker could easily incorporate a much more effective (and dangerous) attack like this.”