Security researchers at Palo Alto Networks have discovered a new strain of malware that appears to target mainly Chinese users.
Dubbed “WireLurker,” it targets Apple desktop and mobile devices and has so far infected 467 applications designed for the Mac OS X operating system.
The malware attack, described as “the biggest in scale we have ever seen,” spreads via a Chinese third-party Mac application store known as the Maiyadi App Store (a further reminder, perhaps, that third-party app stores are best avoided?) and, thus far, infected apps have been downloaded over 356,000 times.
WireLurker sends the stolen information to comeinbaby․com. Registered to "email@example.com". pic.twitter.com/eNBGRBAlbt
— Mikko Hypponen (@mikko) November 6, 2014
But the malware does not only affect Macs. It also appears to infect iOS devices plugged into a Mac via USB cable:
“WireLurker monitors any iOS device connected via USB with an infected OS X computer and installs downloaded third-party applications or automatically generated malicious applications onto the device, regardless of whether it is jailbroken.”
Forensic researcher, reverse engineer and hacker Jonathan Zdziarski has analysed WireLurker in detail and drawn some very interesting conclusions, saying:
“It sits and waits for an iOS device to be connected to the desktop, and then abuses the trusted pairing relationship your desktop has with it to read its serial number, phone number, iTunes store identifier, and other identifying information, which it then sends to a remote server.”
He also warns that jailbroken devices with afc2 enabled are at risk from a further piece of malware that can read and extract personal information from iMessage, address books and other files on a device.
What's more interesting is what WireLurker doesn't do. For malware with root on the desktop, all it ever tries to do is identify pirates.
— Jonathan Zdziarski (@JZdziarski) November 6, 2014
Most significantly, perhaps, he says that WireLurker appears to be targeting Chinese software pirates:
“WireLurker appears to be most concerned with identifying the device owners, rather than stealing a significant amount of content or performing destructive actions on the device. In other words, WireLurker seems to be targeting the identities of Chinese software pirates.”
This raises the question: who designed this piece of malware in the first place?
Zdziarski concludes that the malware may not have been written by a professional hacker, based on the fact that it is “mostly a collection of scripts, property lists, and binaries all duct-taped together on the desktop, making it easy to detect,” but he does warn that future iterations could be weaponised.
In the meantime, Palo Alto Networks says that the malware remains under active development and its end goal remains unclear. With that in mind, researcher Claud Xiao recommends the following strategy to mitigate the risk posed by WireLurker:
For more information, you can download Palo Alto Networks’ research paper “WireLurker: A New Era in OS X and iOS Malware” here.