'Older' WireLurker previously tried, failed to leap from Windows to iThings

Mal-volution: How new version wormed its way into Apple

apple mac malware vxer

An older version of WireLurker, the newly discovered malware capable of spreading onto Apple iOS devices from infected Mac OS X systems, once targeted Microsoft Windows, it has emerged.

WireLurker is the first malware capable of attacking non-jailbroken iPhones and iPads, smashing the conventional wisdom that such devices are virtually immune from malware threats.

Palo Alto Networks, which first warned about WireLurker, said the malware was seen in the wild infecting iPhone and fondleslab users in China.

Jaime Blasco, a researcher at security dashboard vendor AlienVault Labs, has since discovered a Windows executable file that contains WireLurker’s command-and-control server address. The sample was passed onto Palo Alto, where subsequent analysis confirmed it as an older version of WireLurker.

The Windows version of WireLurker was also distributed in China, posing as installer for pirated iOS apps. Like the Mac OS X variant, the Windows version tries to infect jailbroken iOS devices with the WireLurker iOS malware. The two main differences are, firstly, that the initial point of infection is an infected Windows PC and secondly, that the earlier Windows version was far less successful, as a blog post by Palo Alto explains.

This variant is being distributed by a different Chinese source that is hosting 180 Windows executables and 67 Mac OS X applications, each of which contains a version of the WireLurker Trojan. The Windows variant opens a new vector for iOS users to be infected with WireLurker, but appears to have been less successful than its Mac OS X descendent.

Samples of this older variant display a user interface and are advertised as an installer for specific pirated iOS apps. Between March 13 and today, these programs have been downloaded 65,213 times, with 97.7 per cent of the downloads being the Windows version. Like the latest WireLurker, this variant tries to infect jail-broken iOS devices with the WireLurker iOS malware.

Palo Alto reckons the creator of WireLurker may have a direct relationship with the Maiyadi App Store, although this remains unconfirmed. In any case, security vendors will doubtless be in the process of adding detection for the Windows version of WireLurker.

The WireLurker iOS malware (PDF) exploited the trust between an iOS device and either the Mac OS X or Windows PC with which it synced. The fact that the Mac OS X version of the scam was more successful is probably more to do with how the scam was packed and promoted rather than anything to do with the comparative security of Mac OS X and Windows PCs.

Apple tells the Reg: We pulled the security certificate

The Mac OS version of the malware has been contained, so the initial panic is over. Apple told The Reg that it had disavowed that cryptographic certificate used by the malware, so that booby-trapped apps will no longer load. Meanwhile the central command servers controlling the infected devices are, at the moment, offline.

WireLurker iOS malware has been found among samples buried in infected mobile apps that have been downloaded over 300,000 times.

The spread of the malware illustrates that many are not expending sufficient effort on application protection and not addressing new risks that are unique to mobile applications, according to Patrick Kehoe, CMO at application protection firm Arxan Technologies.

"The iOS app was re-packaged and malicious code was inserted in the app that performed a number of nefarious activities," Kehoe explained. "Apps with unprotected binary code are at risk, because it’s quite easy for a hacker to reverse-engineer binary code back to source code.

"WireLurker was distributed via Apple’s enterprise deployment model.  WireLurker is a prime example of how [abusing Apple’s enterprise distribution program] is no longer a theoretical risk, but an active threat as seen in the wild."

Note that there are less than a dozen infections, even in China. ®

Bootnote

WireLurker is particularly noteworthy because it worked on both jailbroken as well as non-jailbroken iOS devices. The very few malware issues affecting iOS devices have all previously been restricted to jailbroken kit.

iOS devices have seen minimal malware primarily due to Apple's "walled garden"approach, which permits only approved applications to be installed from the App Store, at least on non-jailbroken iOS devices. Even on jailbroken devices there have been 20-30 strains of malware compared to the one million plus on Android and 30 million plus affecting Windows PCs.

Sponsored: Detecting cyber attacks as a small to medium business

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER




Biting the hand that feeds IT © 1998–2020