The WireLurker wake-up call for Apple acolytes

The WireLurker malware once again dispels the notion that Apple devices are malware-proof. While limited in its scope, the malware displays some remarkable characteristics.

Everyone’s heard the saying ‘Macs aren’t malware-proof’, right? Oh, you haven’t? Count me not surprised.

It could be due to the fact that that’s not an actual saying, but the more likely reason is that there is a deep-rooted belief among Apple users that Apple products and services are somehow, by default, impervious to viruses, malware, hackers, etc. Allow me to reiterate: They're not.

Need proof? Well, we could look back two years to Dexter (not the hit Showtime show). Or rewind to early this year, when researchers learned that Macs were still vulnerable to 2011's infamous ‘Flashback Trojan’. Or how about iDroid, the mobile trojan capable of infecting both Android and iOS devices? Then there was September’s iCloud hack fiasco that started the wave of nude celebrity photos across the world wide web. And then, just yesterday, it came to light that two of Apple’s security tools, Gatekeeper and XProtect, may not pick up the recently discovered iWorm malware.

But just in case all that isn’t enough, enter WireLurker, the newest piece of evidence to back up the ‘Mac-and-iOS-malware-is-real’ school of thought.

Discovered by security researchers from Palo Alto Networks, who have published a full report, WireLurker is a new family of malware that was found in the wild on a popular third-party Chinese app store called Maiyadi. It allows attackers to infiltrate iOS devices through an infected Mac over a USB connection, only the second known instance of this kind of iOS attack.

But what truly makes it unique is that it can infect iOS apps in a fashion similar to a traditional virus and, even more importantly, it doesn’t require the iOS device to be jailbroken to do its damage.

According to the report, WireLurker has already ‘trojanised’ 467 OSX apps in the Maiyadi App Store. Those apps have been downloaded 356,104 times.

The (relatively) good news is that this malware attack is pretty limited in scope. We were able to secure a quote from Ryan Olson of Palo Alto Networks, one of Webroot’s technology partners:

“Our lead researcher on this effort, Claud Xiao, first began investigating the malware after seeing reports of strange activity on Mac OS and iOS devices in China. He tracked the attack back to its source and took a deep dive into the malware to discover how it works. We don’t expect this WireLurker malware to spread to the United States, but the tactics that it uses are likely to be copied by new attackers who could have new targets in mind.”

An Apple spokesperson offered some more good news:

“We are aware of malicious software available from a download site aimed at users in China, and we’ve blocked the identified apps to prevent them from launching. As always, we recommend that users download and install software from trusted sources.”

The fact that WireLurker is only targeting users in China may be some relief for the West, but, as Olson pointed out, it doesn’t mean a similar attack couldn’t be expanded to wreak havoc outside of China. iOS (unlike OSX) has had a fairly spotless record when it comes to malware up until this point, if you don’t factor in jailbroken devices. WireLurker is the first real virus scare for the OS precisely because it doesn’t require a jailbreak to infect the device, which makes it an exception to the ‘the Apple App Store is the best protection against viruses’ rule.

So what does all of this mean for Apple device users?

Michael Sweeting, one of our senior threat analysts, who specialises in Apple devices, sums it up nicely:

“End users of non-jailbroken iOS devices are typically unable to load third party applications, and are therefore somewhat protected from malware attacks propagated through app installs. OSX.WireLurker however is a new approach to infecting iOS devices with information stealing malware, by infecting third party application installers for OSX, and in turn infecting the iOS device once connected to the Mac via USB. This type of infection should once again remind Mac and iOS users alike that these devices are not immune to attacks, and even bigger more sophisticated attacks may be on the horizon. Users should continue to exercise caution and prudence, and should avoid downloading Mac software from third party app stores.”

That ‘caution and prudence’ doesn’t only mean keeping iOS up to date, not connecting your iPhone or iPad to unknown or untrusted computers, not jailbreaking your device, and sticking to the App Store (all of which are encouraged security tips, by the way). It may also mean safeguarding your Mac with an internet security solution.
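The ‘trusted sources’ advice above rests on Gatekeeper, the OS X policy that assesses a downloaded app against Apple's code-signing rules before it first launches. The script below is an added example, not code from the original post or from Palo Alto Networks' research: it wraps Apple's `spctl` tool to confirm that Gatekeeper assessments are actually switched on and to obtain a verdict on an app bundle before you open it, which is exactly the situation of an installer pulled from a third-party app store. The parsers work on the `<path>: accepted` / `<path>: rejected` and `source=` lines that `spctl --assess --verbose` prints; that wording is assumed from OS X 10.9/10.10 and may differ on other releases. The app path and the sample transcripts in the comments are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: pre-launch Gatekeeper check for a Mac app obtained outside the
# App Store. Wraps Apple's spctl. Not part of the original post or of Palo Alto
# Networks' research. Output wording is assumed from OS X 10.9/10.10, e.g.
#   /Applications/Foo.app: accepted          (constructed sample)
#   source=Developer ID
# or
#   /Applications/Foo.app: rejected          (constructed sample)
#   source=no usable signature

# Reduce an `spctl --assess --verbose` transcript (on stdin) to one word:
# accepted / rejected / unknown. "unknown" means spctl printed no verdict line.
parse_assessment() {
  local verdict="unknown"
  while IFS= read -r line; do
    case "$line" in
      *": accepted"*) verdict="accepted" ;;
      *": rejected"*) verdict="rejected" ;;
    esac
  done
  printf '%s\n' "$verdict"
}

# Extract the policy source spctl matched ("Apple System", "Developer ID",
# "no usable signature", ...) from the same transcript on stdin.
parse_source() {
  sed -n 's/^source=//p' | head -n 1
}

# A verdict only matters at double-click time if Gatekeeper is enforcing it.
# `spctl --status` prints "assessments enabled" or "assessments disabled".
# Takes that output as $1; returns 0 when enabled.
gatekeeper_enabled() {
  case "$1" in
    *"assessments enabled"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Assess an app bundle on a real Mac. Returns 0 only for an accepted app,
# 1 for rejected/unknown, 2 when spctl is unavailable (non-macOS host).
check_app() {
  local app="$1"
  if ! command -v spctl >/dev/null 2>&1; then
    echo "spctl not found; run this on OS X" >&2
    return 2
  fi
  local out verdict
  # spctl exits non-zero on rejection; capture the transcript regardless.
  out="$(spctl --assess --verbose "$app" 2>&1 || true)"
  verdict="$(printf '%s\n' "$out" | parse_assessment)"
  printf '%s: %s (%s)\n' "$app" "$verdict" "$(printf '%s\n' "$out" | parse_source)"
  [ "$verdict" = "accepted" ]
}

# Usage: ./gatekeeper_check.sh /Applications/SomeApp.app   (path is hypothetical)
if [ "${1:-}" ]; then
  if command -v spctl >/dev/null 2>&1 && ! gatekeeper_enabled "$(spctl --status 2>&1)"; then
    echo "warning: Gatekeeper assessments are disabled; the verdict below is not enforced on launch" >&2
  fi
  check_app "$1"
fi
```

Two caveats a practitioner should keep in mind. Gatekeeper only assesses files that carry the quarantine attribute set by the downloading application, so an installer that reached the Mac some other way, or a user who right-clicks and chooses Open, bypasses it entirely. And an ‘accepted’ verdict says only that the signature satisfies the current policy, not that the app is clean, so this check complements Apple's blocking of the identified apps rather than replacing it.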

Or, maybe most importantly, it may mean finally accepting that Apple devices aren’t unhackable machines. But hey, if you already exercise those precautions, you probably already take Apple security seriously and the last point likely doesn’t apply to you.

This post was first published in the Webroot Threat Blog. Republished with permission.