(Updated with Apple statement below.)
A new class of malware targeted at OS X and iOS is spreading like wildfire in China, according to new research by Palo Alto Networks. Dubbed WireLurker, the trojan hides itself in apps distributed through a third-party Chinese app store for OS X and side-loads itself onto iOS devices via USB.
What sets WireLurker apart from other malware is that it is capable of infecting non-jailbroken iOS devices, and it heralds “a new era in malware attacking Apple’s desktop and mobile platforms.”
The malware is contained in China for now, a country where Apple is already in the midst of considerable tension over privacy and government spying concerns. Palo Alto Networks says the way WireLurker targets Apple users is “the biggest in scale we have ever seen.”
More than 400 infected apps have been distributed through the Maiyadi App Store, a popular third-party repository in China. The apps have been downloaded 356,104 times and have potentially infected “hundreds of thousands of users.”
How has WireLurker been able to spread so easily? It is the first “in-the-wild” malware to silently install unsigned code on iOS via enterprise provisioning profiles, which are designed to let corporations distribute internal apps without going through the App Store. Many retro game emulators have worked on iOS in the past by taking advantage of enterprise profiles.
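As an added illustration of the enterprise-profile mechanism described above (example code written for this page, not from Palo Alto Networks or Apple): a small Python audit that classifies a provisioning profile's plist payload and flags in-house enterprise profiles whose team is not on an allow-list. It assumes the plist has already been extracted from the CMS envelope of a .mobileprovision file (on macOS, `security cms -D -i profile.mobileprovision` does that); the team name and bundle identifier in the sample are constructed.

```python
import plistlib

# Constructed sample: the plist payload of an in-house (enterprise)
# provisioning profile, with the CMS signature wrapper already removed.
SAMPLE_ENTERPRISE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Example In-House Distribution</string>
  <key>TeamName</key><string>Example Corp (constructed)</string>
  <key>ProvisionsAllDevices</key><true/>
  <key>Entitlements</key><dict>
    <key>application-identifier</key>
    <string>ABCDE12345.com.example.comics</string>
  </dict>
</dict></plist>"""


def classify_profile(plist_bytes: bytes) -> str:
    """Classify a provisioning profile plist by the keys Apple uses.

    ProvisionsAllDevices=true marks an in-house enterprise profile, which
    installs on any device without App Store review. ProvisionedDevices
    lists UDIDs for development and ad-hoc profiles; get-task-allow
    distinguishes development (debuggable) from ad-hoc. App Store
    profiles carry neither key.
    """
    profile = plistlib.loads(plist_bytes)
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    if "ProvisionedDevices" in profile:
        entitlements = profile.get("Entitlements", {})
        return "development" if entitlements.get("get-task-allow") else "ad-hoc"
    return "app-store"


def audit_profile(plist_bytes: bytes, trusted_teams: set[str]) -> list[str]:
    """Return findings for a profile; empty means nothing to flag."""
    profile = plistlib.loads(plist_bytes)
    kind = classify_profile(plist_bytes)
    team = profile.get("TeamName", "<unknown>")
    app_id = profile.get("Entitlements", {}).get("application-identifier", "?")
    findings = []
    if kind == "enterprise" and team not in trusted_teams:
        findings.append(
            f"enterprise profile for {app_id} from untrusted team '{team}'"
        )
    return findings


if __name__ == "__main__":
    for line in audit_profile(SAMPLE_ENTERPRISE_PROFILE, {"Our Company"}):
        print("FLAG:", line)
```

Run over every profile in a device backup or in /Library/MobileDevice/Provisioning Profiles on a Mac, this gives a quick inventory of which sideloading certificates a fleet actually trusts.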
On non-jailbroken devices, WireLurker merely installs a fake comic book app. On jailbroken devices, it behaves more nefariously by spying on financial apps like AliPay. The unknown creator’s “ultimate goal is not yet clear,” but the malware is still “under active development.”
“They are still preparing for an eventual attack,” Palo Alto Networks told The New York Times. “Even though this is the first time this is happening, it demonstrates to a lot of attackers that this is a method that can be used to crack through the hard shell that Apple has built around its iOS devices.”
Apple has been notified about WireLurker but has not responded to Palo Alto Networks’ request for comment.
Update: Apple has issued a statement to iMore on the matter. The company says it’s revoked the enterprise certificate WireLurker uses to install malicious apps.
“We are aware of malicious software available from a download site aimed at users in China,” an Apple spokesperson told iMore, “and we’ve blocked the identified apps to prevent them from launching. As always, we recommend that users download and install software from trusted sources.”
Source: Palo Alto Networks