WireLurker Virus Affects Chinese iPhone & Mac OSX Users; Also New Masque Vulnerability
Malware has bypassed Apple’s safety controls by taking advantage of a process used by employers to add apps to workers’ iPhones, iPads, and iPods.
Palo Alto Networks said that the WireLurker malware appeared to have originated in China and was mostly infecting devices there. The malware first targets Mac computers via a third-party store before copying itself to iOS devices. Researchers warn it steals information and can install other damaging apps.
“WireLurker is unlike anything we’ve ever seen in terms of Apple iOS and OS X malware,” said Ryan Olson, Palo Alto Network’s intelligence director.
“The techniques in use suggest that bad actors are getting more sophisticated when it comes to exploiting some of the world’s best-known desktop and mobile platforms.”
WireLurker has the ability to transfer from Apple’s Mac computer to mobile devices through a USB cable.
Mac and iPhone The malware initially gets onto an iOS device via a USB cable connected to an infected Mac computer. The security firm said the malware was capable of stealing “a variety of information” from mobile devices it infects and regularly requested updates from the attackers’ Command and Control, or CnC, server.
“This malware is under active development and its creator’s ultimate goal is not yet clear,” the company added.
Apple has issued a brief statement.
“We are aware of malicious software available from a download site aimed at users in China, and we’ve blocked the identified apps to prevent them from launching. As always, we recommend that users download and install software from trusted sources.”
According to Palo Alto Networks, WireLurker was first noticed in June when a developer at the Chinese firm Tencent realised that there were suspicious files and processes on his Mac and iPhone.
Further inquiries revealed a total of 467 Mac programs listed on the Maiyadi App Store had been compromised to include the malware, which in turn had been downloaded 356,104 times as of October 16th.
Infected software included popular games including Angry Birds, The Sims 3, Pro Evolution Soccer 2014 and Battlefield: Bad Company 2. Once the malware was installed on the Mac by installing one of these programs, it communicated with a command-and-control server to check if it needed to update its code, and then waited until an iPhone, iPad or iPod was connected.
When an iOS device was connected the malware would check if it was jailbroken – a process used by some to remove some of Apple’s restrictions.
If it was jailbroken, WireLurker backed up the device’s apps to the Mac, where it repackaged them with malware, and then installed the infected versions back on to the iOS machine.
If it was not jailbroken – which is the case for most iOS devices – WireLurker took advantage of a technique created by Apple to allow businesses to install special software on their staff’s handsets and tablets. Wirelurker hides its code inside software that is initially downloaded to a Mac computer. This involved placing infected apps on the device that had been signed with a bogus “enterprise certificate” – code added to a product that is supposed to prove it comes from a trustworthy source.
To ensure the devices accepted this certificate, a permissions request was made to pop up on the targeted iOS device on the user’s first attempt to run an infected app.
It simply asked for permission to run the app, but if the user clicked “continue” it installed code called a “provisioning profile”, which told the iOS device it could trust any other app that had the same enterprise certificate.
Palo Alto Networks remarked that while this technique was not a new concept, it was the only known example of it being used to target non-jailbroken iOS devices in the wild.
Once active, the malware is used to upload information about the machine to the hackers, including phone numbers from its Contacts app, and the user’s Apple ID.
Different versions of WireLurker also automatically installed new apps on the devices – including a video game and a comic book reader.
Apple hack The hackers fooled users into approving a bogus enterprise certificate
While these were innocuous, experts warn they could represent a test run for other more damaging software.
“People have got very used to iOS being secure and there is a danger they may be complacent about the risk this presents,” said Prof Alan Woodward, from the University of Surrey.
“Now Apple knows what it’s looking for, it should be able to shut it down relatively easily. But it shows that people are trying to attack Apple’s operating system and the firm can’t take security for granted.”
Chinese web monitoring group Greatfire.org said that hackers intercepted data and potentially gained access to passwords, messages, photos and contacts. They believed the Beijing government was behind the move.
China is home to the world’s biggest smartphone market and Apple saw its iPhone sales there jump 50% in the April to June quarter from a year earlier.
New Masque Vulnerability
A similar vulnerability has been recently documented by FireEye Security, known as the Masque vulnerability.
To be vulnerable to this method of attack, the end-user must have installed an enterprise provisioning profile on their device. An enterprise provisioning profile is used by companies that code their own in-house apps that are not deployed onto the Apple appstore, so they are allowed to bypass the normal digital certificate checks that all appstore apps are required to have. If you’re on iOS 7 or earlier, you can check if you have one installed by going to Settings > General > Profiles , but iOS 8 users are out of luck, as they don’t currently show up on their devices just yet.
Unlike the WireLurker vulnerability, the Masque Attack happens completely over the wireless network, without relying on a connection to a computer running iTunes.
If you do have a provisioning profile on your device, or you’re on iOS 8, follow the steps below for keeping your iOS devices safe:
- Do not download Mac apps from third-party stores. Only install from Apple’s official App Store or from your own organisation.
- Do not jailbreak iOS devices
- Do not connect their iOS devices to untrusted computers and accessories, either to copy information or charge the machines
- Do not accept requests for a new “enterprise provisioning profile” unless it comes from an authorised party, for example the employer’s IT department
- When opening an app, if iOS shows an alert that says “Untrusted App Developer”, click on “Don’t Trust” and uninstall the app immediately.
- Don’t click “install” on a pop-up from a non-Apple web page, no matter what the pop-up says about the app. The pop-up can show attractive app titles crafted by the attacker.
To backup your iPhone or other iDevice, please read our review of CopyTrans Shelbee