Apple neuters iOS WireLurker trojan, researchers find a Windows version

Apple has thwarted WireLurker, discovered earlier this week, which has been targeting iOS users both through PCs and Macs.
Written by Liam Tung, Contributing Writer

Apple says it has nipped the WireLurker Trojan, recently found to be targeting iOS devices, in the bud. However, it appears the threat was more widespread than was previously realised, after researchers discovered an earlier variant has been using Windows malware to attack Apple devices.

"We are aware of malicious software available from a download site aimed at users in China, and we've blocked the identified apps to prevent them from launching. As always, we recommend that users download and install software from trusted sources," said an Apple spokesperson yesterday in a statement to Business Insider. Apple did not respond to request for comment.

In essence, to thwart the attack, Apple has revoked trust for a cryptographic certificate that it had previously issued to a developer.

Researchers at security firm Palo Alto exposed the WireLurker malware earlier this week, which attacks iOS devices through USB connections from infected OS X systems to hijack users' information. The malware was notable due to its ability to automatically generate malware for iOS — even if the device is not jailbroken.

WireLurker was able to install third-party applications on non-jailbroken iOS devices through a feature known as "enterprise provisioning" that relies on an enterprise certificate to create user profiles in corporate environments.

The reason it was called WireLurker is that it infects the iOS device once it's connected via USB with an infected Mac. There were 467 pieces of Mac malware that could infect iOS devices in this manner, all hosted on a third-party site in China called Maiyadi App Store.

Yesterday, it was believed that an infected Mac was the only attack vector, but security researcher Jaime Blasco from AlienVault Labs, discovered that there was in fact a Windows version too and it was being distributed prior to the Mac-only variant.

The newly discovered Windows malware was being hosted on the public cloud of China’s answer to Google search, Baidu.

"Previously we knew the WireLurker was distributed through the Maiyadi App Store. However, the newly revealed samples were directly uploaded to Baidu YunPa by user "ekangwen206"," Palo Alto researchers Claud Xiao and Royce Lu said in an update.

That user had uploaded 180 Windows executables and 67 Mac OS X applications, each of which contained a variant of the WireLurker Trojan.

In similar fashion, the malware is targeting Chinese iOS owners who install pirated software, with the Windows malware advertised as installers for certain pirated iOS apps. According to Palo Alto, these 247 applications had been downloaded 65,213 times since they were uploaded on March 12 and March 13 last year — around a month prior to the version that appeared on the Mayaidi App store. (The newer variant had been downloaded 356,104 times.) 

The trojanised iOS apps included pirated versions of Facebook, WhatsApp, Twitter, Instagram, Minecraft, Flappy Bird, Bible, GarageBand, the iOS calculator, Keynote, iPhoto, Find My iPhone, iMovie and iBooks.

The Windows version on Baidu appears to have been less refined, since it could only carry out an attack on jailbroken iOS devices. However, it is also believed to have come from the same attacker as well as being the first iOS malware that attacks the ARM64 architecture.

"The main functionality of this malware is to copy sfbase.dylib and sfbase.plist in its Resources directory to specific locations to make them perform as a MobileSubstrate tweak, shown in Figure 7. Additionally, the malware will communicate with the C2 server 'www.comeinbaby.com', the same server used by the version of WireLurker we revealed yesterday," wrote Xiao and Lu.

Although Apple has yanked the certificate, iOS forensics expert  Jonathan Zdziarski has pointed out that it only resolves part of the threat. 

"Apple can revoke the enterprise certificate to prevent installation on iOS 8 devices; however WireLurker can still read information from the device without it. This is because the information is queried by the Mac desktop when your iPhone is plugged into it, by abusing that trusted relationship. Also, if you have a jailbroken iPhone running afc2 (a terribly insecure service allowing root file system access to the device), then a mobile substrate library is copied onto the device to infect the system. This is done regardless of whether or not WireLurker still has a valid enterprise profile," wrote Zdziarski.

He added that the attacker could simply substitute the revoked certificate with additional certificates to revive the malware. Zdziarski also lists a number of design changes that Apple could implement to avoid improved versions of WireLurker from harming users.

Read more on iOS security

Editorial standards