OS X malware infecting connected iPhones, iPads

Researchers say WireLurker can infect installed iOS applications, automate a generation of malicious iOS applications and spread through enterprise provisioning.
Written by Larry Seltzer, Contributor

Researchers at network security company Palo Alto Networks have uncovered a new and sophisticated form of malware which attacks iOS devices through USB connections from OS X systems. They have called it WireLurker.

Palo Alto Networks says that "...this malware family heralds a new era in malware" and if the claims are true, the find is indeed significant. It is the first malware to generate malicious iOS applications automatically through binary file replacement and can infect installed iOS applications.

The company provides more detail in a report entitled "WireLurker: A New Era in OS X and iOS Malware."

The malware was observed in the Maiyadi App Store, a third-party Mac application store in China. According to the report: "In the past six months, these 467 infected applications were downloaded over 356,104 times and may have impacted hundreds of thousands of users."

According to Palo Alto Networks, WireLurker, running on an OS X system, can install either downloaded third-party applications or automatically generate malicious applications onto a USB-connected iOS device, regardless of whether it is jailbroken.

The malware is able to install malicious and infected programs on non-jailbroken iOS devices, according to the report, by using enterprise provisioning techniques, thus appearing to be an in-house application. The user is presented with a confirmation dialog box such as the one shown below, but otherwise the application will behave the same as an uninfected one.

The goal of the malware is not yet clear. It is capable of much and checks back frequently for updates from a command and control server.

Palo Alto's recommendations are good advice in any event: Don't use third-party app stores, keep operating system software up to date, don't pair iOS devices with untrusted desktop systems and don't accept an unknown enterprise provisioning profile unless an authorized, trusted party explicitly instructs you to do so.

They also recommend using a mobile security application such as their own GlobalProtect.

Provisioning of an infected application. Image via Palo Alto Networks.
Editorial standards