(Updated with Apple statement below.)
A new class of malware targeted at OS X and iOS is spreading like wildfire in China, according to new research by Palo Alto Networks. Dubbed WireLurker, the trojan hides itself in apps distributed through a third-party Chinese app store for OS X and side-loads itself onto iOS devices via USB.
What sets WireLurker apart from other malware is that it is capable of infecting non-jailbroken iOS devices, and it heralds “a new era in malware attacking Apple’s desktop and mobile platforms.”
The malware is contained in China for now, a country that’s in the midst of a lot of tension with Apple over privacy and government spying concerns. Palo Alto Networks says the way WireLurker targets Apple users is “the biggest in scale we have ever seen.”
More than 400 infected apps have been distributed through the Maiyadi App Store, a popular third-party repository in China. The apps have been downloaded 356,104 times and have potentially infected “hundreds of thousands of users.”
How has WireLurker been able to spread so easily? It’s the first “in-the-wild” malware to silently install unsigned code on iOS via enterprise provisioning profiles, which are designed to let corporations distribute internal apps without going through the App Store. Many retro game emulators have worked on iOS in the past by taking advantage of enterprise profiles.
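As an added defender-side example (not code from the article or from Palo Alto Networks), the Python below pulls the plist out of an iOS provisioning profile and flags the enterprise kind (the `ProvisionsAllDevices` flag) that lets apps install outside the App Store, which is the distribution path described above; the two sample profiles are constructed, and the profile’s CMS signature is not verified.

```python
import plistlib
from datetime import datetime, timezone


def build_constructed_profile(name: str, enterprise: bool, expires: str) -> bytes:
    """Build a fake .mobileprovision-like blob for the demo (constructed data, not a real profile)."""
    if enterprise:  # in-house profiles carry this flag and list no device UDIDs
        scope = "<key>ProvisionsAllDevices</key><true/>"
    else:           # ad-hoc profiles instead enumerate the devices they cover
        scope = "<key>ProvisionedDevices</key><array><string>CONSTRUCTED-UDID</string></array>"
    plist = (
        '<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
        f"<key>Name</key><string>{name}</string>"
        "<key>TeamName</key><string>Example Team (constructed)</string>"
        f"{scope}<key>ExpirationDate</key><date>{expires}</date></dict></plist>"
    )
    # Real profiles wrap the plist in a CMS (PKCS#7) signature; mimic opaque bytes around it.
    return b"\x30\x82 constructed-signature-header " + plist.encode() + b" constructed-trailer"


ENTERPRISE_SAMPLE = build_constructed_profile("In-House Example", True, "2030-01-01T00:00:00Z")
ADHOC_EXPIRED_SAMPLE = build_constructed_profile("Ad Hoc Example", False, "2014-12-01T00:00:00Z")


def extract_plist(raw: bytes) -> dict:
    """Slice the embedded XML plist out of a signed profile (the signature itself is NOT checked)."""
    start, end = raw.find(b"<?xml"), raw.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def classify_profile(raw: bytes) -> dict:
    """Summarise what a defender should know before letting a profile onto a device."""
    info = extract_plist(raw)
    expires = info.get("ExpirationDate")  # plistlib returns a naive UTC datetime
    if expires is not None and expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    return {
        "name": info.get("Name"),
        "team": info.get("TeamName"),
        # An enterprise profile installs on any device, bypassing App Store review.
        "enterprise": bool(info.get("ProvisionsAllDevices", False)),
        "device_count": len(info.get("ProvisionedDevices", [])),
        "expired": expires is not None and expires < datetime.now(timezone.utc),
    }


if __name__ == "__main__":
    for sample in (ENTERPRISE_SAMPLE, ADHOC_EXPIRED_SAMPLE):
        print(classify_profile(sample))
```

On a real device-management pipeline the same check would run over the `embedded.mobileprovision` inside each .ipa before deployment, and any profile reporting `enterprise: True` from an unexpected team deserves a second look.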
On non-jailbroken devices, WireLurker merely installs a fake comic book app. On jailbroken devices, it behaves more nefariously by spying on financial apps like AliPay. The unknown creator’s “ultimate goal is not yet clear,” but the malware is still “under active development.”
“They are still preparing for an eventual attack,” Palo Alto Networks told The New York Times. “Even though this is the first time this is happening, it demonstrates to a lot of attackers that this is a method that can be used to crack through the hard shell that Apple has built around its iOS devices.”
Apple has been notified about WireLurker but has not returned Palo Alto Networks’ request for comment.
Update: Apple has issued a statement to iMore on the matter. The company says it’s revoked the enterprise certificate WireLurker uses to install malicious apps.
“We are aware of malicious software available from a download site aimed at users in China,” an Apple spokesperson told iMore, “and we’ve blocked the identified apps to prevent them from launching. As always, we recommend that users download and install software from trusted sources.”
Source: Palo Alto Networks
8 responses to “First malware targeted at non-jailbroken iPhones spreads in China”
Apple has got to ramp up their security efforts. While this is something that is currently propagated through an unofficial appstore, it’s still a major issue. How can I trust downloading XBMC for example and any app that’s not on the App Store?
Some would say don’t. But I think this will be fixed with a simple update. This may be why Apple created the Mac App Store in the first place.
Glad I don’t live in China lol
Does anyone know where that wallpaper on the phone is from? It’s insanely bad ass.
Of course one has to install a provisioning profile on their iDevice to allow this to happen, and doing so to install 3rd party apps (e.g. pirated free stuff) is obviously high risk. This article of course spreads FUD and it’s not new; the risk of installing unknown provisioning profiles has been covered by the tech media long ago.
Party approved malware no doubt.
The truth is: Apple’s walled-garden policy had gracefully prevented a fierce malware from doing any damage to non-jailbreak users in this case.
In the story the enterprise provision is described as a source of glitch or vulnerability, and it makes people believe that malware can exploit this vulnerability to inject poison and steal your precious data without your noticing. But it’s not.
On a non-jailbroken device the app is injected, but not activated. Only after the user has manually authorised iOS to install the necessary enterprise certificates can the app be loaded. It’s one of the standard procedures of enterprise provision to let users install apps outside of the iTunes store, and the malware can not bypass this. Furthermore, the injected app is still under the control of iOS, and is banned from doing anything evil, such as accessing your contacts without permission.
So basically this issue is another PEBKAC, just like all the other Mac malware. You have to manually download unidentified Mac apps from an uncertified source, and you have to manually authorise your Mac to execute unidentified apps, and you have to manually authorise your iDevice to trust your computer, and you have to manually authorise iOS to install some suspicious certificate from some unknown enterprise. I personally don’t know what else Apple can do to save users from their stupidness.
Maybe Apple can implement a more comprehensive handshaking procedure adopting cryptographic approaches to kill any non-iTunes sync tools (including iTools), or maybe Apple can simply add an extra authentication confirmation for each iTunes sync transaction. However, for some obvious reasons, I don’t think it’s a good idea.
If I were Apple, I would respond to Palo Alto with this: You jailbreak it, you take responsibility for it.
Exactly! I don’t see any chance that a normal user’s phone gets infected. If someone is that stupid to go through the steps you mentioned, then he deserves it. I would call it a “Digital Darwin Award”.