Researchers have discovered a new family of malware that infects both Mac OS X and iOS apps, much like a traditional virus. Researchers from Palo Alto Networks have published a paper on the malware, which they have dubbed “WireLurker.” For now, WireLurker appears to be targeting users in China, and according to the researchers it “heralds a new era in malware attacking Apple’s desktop and mobile platforms.” WireLurker is currently the “biggest in scale” of the trojanized malware family, and it attacks iOS devices through OS X over USB.

WireLurker has been found in 467 OS X apps in the Maiyadi App Store, a third-party Mac app store in China. According to earlier figures, the apps have been downloaded roughly 357,000 times, which has led to hundreds of thousands of infected users. According to the researchers, WireLurker watches for an iOS device connected via USB to an infected Mac and then installs malicious third-party apps onto the device, without the device even needing to be jailbroken. The following insight was provided regarding the matter:

WireLurker monitors any iOS device connected via USB with an infected OS X computer and installs downloaded third-party applications or automatically generated malicious applications onto the device, regardless of whether it is jailbroken. This is the reason we call it "wire lurker". Researchers have demonstrated similar methods to attack non-jailbroken devices before; however, this malware combines a number of techniques to successfully realize a new brand of threat to all iOS devices.

WireLurker exhibits complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to thwart anti-reversing. In this whitepaper, we explain how WireLurker is delivered, the details of its malware progression, and specifics on its operation.

Once the malicious third-party apps are installed, the malware can collect information from the iOS device (including contacts and iMessages) and can even request updates from the attackers. The researchers found that the updates appear to be under “active development” and do not yet have any clear goal.

The researchers from Palo Alto Networks offer a few recommendations to help avoid apps infected with WireLurker. These include running an antivirus product and using Mac App Store installation restrictions that block apps from unknown third parties from being installed. As usual, not downloading Mac apps from untrusted sites or sources should be a given. Unknown enterprise provisioning profiles should be avoided, and users should also avoid pairing their iOS devices with unknown computers or charging them with chargers from untrusted or unknown sources. The researchers even went as far as saying that jailbreaking should be avoided in light of the malware.

Palo Alto Networks apparently reached out to Apple regarding the matter, but the Cupertino, California company did not respond or offer any comment.

How do you feel about the whole situation?

Source: Palo Alto Networks (Research Center) via The New York Times - Special thanks to MMi user phoenixfire425 for sending this in!