Non-jailbroken devices infected via enterprise provisioning program.
Researchers at
Palo Alto Networks
have published a research paper (
PDF
) analysing the ‘WireLurker’ malware that runs on
Mac OS X
, and which is then used to further infect
iOS
devices connected to an infected machine.
WireLurker is found to have infected 467 apps on the
Maiyadi App Store
, a third-party store based in China. Infected apps have been downloaded more than 350,000 times.
Malware targeting
OS X
has become increasingly common, no doubt helped by the various ways in which malware can maintain persistence, as described in Patrick Wardle’s
VB2014 paper
that we published last week. In the case of WireLurker, it uses launch daemons to install persistently on an infected system.
However,
OS X
isn’t the malware’s only target. As its name suggests, WireLurker waits for
iOS
devices to be connected to an infected system. It then sends information about the connected device to a command and control server. It also tries to install trojanised versions of common apps onto the device.
Interestingly, it even tries to do so when the device isn’t jailbroken, by making use of the
iOS
Developer Enterprise Program. Another VB2014 paper, by
FireEye
researcher Tao Wei and his colleagues, explained how this program could be used by malware authors to bypass
Apple
‘s review process. (A blog post previewing this paper can be found
here
; we plan to publish the paper here soon.)
WireLurker seems mostly concerned with collecting information from both
iOS
and
OS X
systems, but the researchers are unsure about its ultimate goal. However, security expert Jonathan Zdziarski may have a point when he
writes
‘WireLurker may be trying to uncover the identities of Chinese software pirates’.
I also agree with Zdziarski’s opinion that WireLurker is notable mainly because it uses a number of techniques not previously seen in the wild, not because it is particularly advanced. A more sophisticated attacker could easily use these same techniques in a far more effective and dangerous way.
Posted on 06 November 2014 by
Martijn Grooten
Leave a Reply