800 Million Apple Devices at Risk, No Jailbreak Necessary


A piece of Apple-focused espionage malware dubbed WireLurker has been uncovered that, unlike most iOS malware, which needs a jailbroken device to run, can compromise non-jailbroken iPhones and iPads, potentially putting 800 million devices at risk.

Apple operating systems, once seen as a more secure alternative to Windows and Android, have faced a growing number of attack vectors of late. WireLurker is a multi-stage threat: it infects OS X Macs via trojanized applications, and from an infected Mac it can infect any iOS device that is connected to the computer over USB, regardless of jailbreak status.

Researchers at Palo Alto Networks uncovered the malware, which has already affected hundreds of thousands of users in Asia. The firm found 467 trojanized, malware-laden OS X applications in the unofficial Maiyadi App Store in China, which had been downloaded more than 356,000 times in the preceding six months.

It may be centered in China for now, but it is very likely to spread to other markets: because infected devices regularly request updates from the attackers' command-and-control server, new features or applications could be pushed to them at any time.

“This malware is under active development and its creator’s ultimate goal is not yet clear,” the researchers wrote in a 30-page report. “The ultimate goal of the WireLurker attacks is not completely clear. The functionality and infrastructure allows the attacker to collect significant amounts of information from a large number of Chinese iOS and Mac OS systems, but none of the information points to a specific motive. We believe WireLurker has not yet revealed its full functionality.”

For now, WireLurker exhibits a complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to thwart reverse engineering. Palo Alto added, “WireLurker is capable of stealing a variety of information from the mobile devices it infects and regularly requests updates from the attackers' command and control server.”

WireLurker is also notable in several ways: of known malware families distributed through trojanized and repackaged OS X applications, it is the largest in scale to date, the firm said. It is also only the second known malware family that attacks iOS devices through OS X via USB, and the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning. Enterprise provisioning is Apple's channel for in-house app distribution: an app signed with an enterprise certificate and bundled with the matching provisioning profile can be installed on any device that trusts that certificate, without ever passing through App Store review.

It also automates the generation of malicious iOS applications by replacing the binary inside a legitimate app bundle. WireLurker then monitors any iOS device connected via USB to an infected OS X computer and installs downloaded third-party applications, or its own automatically generated malicious applications, onto the device, whether or not it is jailbroken.
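Because the enterprise-provisioning channel described above is what lets a signed third-party app reach a non-jailbroken device, one useful triage step when inspecting apps pulled from a suspect device is to look at the embedded.mobileprovision inside each app bundle. The following Python helper is an added illustration, not code from the original article or from Palo Alto Networks' report. It slices the XML plist out of the profile's signed wrapper and classifies the profile using the standard keys Apple writes into it (ProvisionsAllDevices for enterprise/in-house, ProvisionedDevices for ad-hoc or development, ExpirationDate, TeamName, Name). The two sample profiles, the "Example Corp" team name and the UDID are constructed for the example; the surrounding bytes only stand in for the real CMS wrapper, and the signature is deliberately not verified.

```python
import plistlib
import re
from datetime import datetime, timezone

# A .mobileprovision file is a CMS/PKCS#7 blob whose payload is an XML plist
# stored as plain bytes, so the plist can be located with a regex and parsed
# without touching the signature. (Signature checking is out of scope here.)
_PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_profile_plist(blob: bytes) -> dict:
    """Return the plist dictionary embedded in a .mobileprovision blob."""
    match = _PLIST_RE.search(blob)
    if match is None:
        raise ValueError("no plist payload found in provisioning profile")
    return plistlib.loads(match.group(0))


def classify_profile(profile: dict, now=None) -> dict:
    """Summarise which install channel a profile enables and whether it is live."""
    if now is None:
        # plistlib returns naive UTC datetimes, so compare against naive UTC.
        now = datetime.now(timezone.utc).replace(tzinfo=None)

    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"              # any device trusting the team cert
    elif "ProvisionedDevices" in profile:
        kind = "adhoc-or-development"    # only the listed UDIDs can run it
    else:
        kind = "store-distribution"      # no device list, not enterprise

    expiry = profile.get("ExpirationDate")
    expired = expiry is not None and expiry < now

    return {
        "name": profile.get("Name"),
        "team": profile.get("TeamName"),
        "kind": kind,
        "expired": expired,
        "devices": len(profile.get("ProvisionedDevices", [])),
        # A valid, unexpired enterprise profile is exactly the channel that
        # lets a sideloaded app run on a non-jailbroken device.
        "sideload_risk": kind == "enterprise" and not expired,
    }


def triage_profile_blob(blob: bytes, now=None) -> dict:
    """Convenience wrapper: raw profile bytes in, classification out."""
    return classify_profile(extract_profile_plist(blob), now)


def _make_profile(body: str) -> bytes:
    """Build a constructed stand-in for a .mobileprovision file: a few
    arbitrary bytes (in place of the CMS wrapper) around a minimal plist."""
    xml = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
        '"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
        '<plist version="1.0"><dict>' + body + "</dict></plist>"
    )
    wrapper_head = b"\x30\x82\x0c\x00\x06\x09*\x86H\x86\xf7\r\x01\x07\x02"
    return wrapper_head + xml.encode() + b"\x00\x00trailing-bytes"


# Constructed samples (not real profiles): an unexpired enterprise profile for
# a hypothetical "Example Corp" team, and an expired development profile tied
# to a single made-up UDID.
ENTERPRISE_SAMPLE = _make_profile(
    "<key>Name</key><string>Example In-House</string>"
    "<key>TeamName</key><string>Example Corp</string>"
    "<key>ProvisionsAllDevices</key><true/>"
    "<key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>"
)
DEVELOPMENT_SAMPLE = _make_profile(
    "<key>Name</key><string>Example Dev</string>"
    "<key>TeamName</key><string>Example Corp</string>"
    "<key>ProvisionedDevices</key><array>"
    "<string>00000000-000000000000001E</string></array>"
    "<key>ExpirationDate</key><date>2014-01-01T00:00:00Z</date>"
)

if __name__ == "__main__":
    for label, blob in (("enterprise", ENTERPRISE_SAMPLE),
                        ("development", DEVELOPMENT_SAMPLE)):
        print(label, triage_profile_blob(blob))
```

On a real device the input would be the embedded.mobileprovision from each installed .app; an app whose profile classifies as an unexpired enterprise profile from a team the device owner does not recognise is the kind of installation this article describes, and the legitimate check is still to remove the profile and app and look at how it got there.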

“Researchers have demonstrated similar methods to attack non-jailbroken devices before; however, this malware combines a number of techniques to successfully realize a new breed of threat to all iOS devices,” Palo Alto warned.

If WireLurker is found on an OS X computer, Palo Alto recommends deleting the relevant files, removing the applications reported by its detection script, and inspecting every iOS device that has been connected to that computer.
