WireLurker: Apple blocks Trojanized apps, revokes certificate

The news that Chinese Apple users have been targeted with an unprecedented type of malware that compromises both machines running OS X and devices running iOS has resounded across the Internet on Thursday.

“We are aware of malicious software available from a download site aimed at users in China, and we’ve blocked the identified apps to prevent them from launching,” Apple has commented the news. “As always, we recommend that users download and install software from trusted sources.”

The company has also revoked the cryptographic certificate used to sign WireLurker, but security researchers have pointed out that this is just a stop-gap measure, and that a change in design is needed to prevent similar attacks in the future.

According to Tielei Wang, a researcher at Georgia Institute of Technology, Apple should have done something sooner as they were appraised about the feasibility of such an attack.

Wang and his colleagues have shared their research and information about a similar proof-of-concept attack earlier this year, and have presented their paper at the USENIX Security Symposium in August.

According to Tim Greene, Wang is also worried that similar Trojanized apps could end up on the company’s official App Store, and that attackers could take advantage of the fact that an Apple enterprise developers’ license can be used to generate legitimate signatures for malicious iOS apps.

Since yesterday, the C&C servers controlling the infected devices have been taken offline. AlienVault Labs’ researcher Jaime Blasco has also discovered a Windows executable that contains WireLurker’s C&C server address.

“We analyzed and investigated the sample and have confirmed that it is an older version of WireLurker,” Palo Alto researchers noted. “This variant is being distributed by a different Chinese source that is hosting 180 Windows executables and 67 Mac OS X applications, each of which contains a version of the WireLurker Trojan. The Windows variant opens a new vector for iOS users to be infected with WireLurker, but appears to have been less successful than its Mac OS X descendent.”

They also discovered malware samples uploaded to a public cloud storage service of Baidu by a user a month before the apps were made available on the Mayaidi app store, and they have reason to “suspect that Maiyadi has a close relationship with the creator of WireLurker.”

“This should also be a wake-up call for Apple users and the way they think about security,” commented Kaspersky Lab’s Stefan Tanase. “Just like Mac OS X malware quickly evolved from being just a myth to becoming a sad reality, we are seeing iOS being targeted more and more often lately – with nobody being able to offer protection for this platform. Anti-malware vendors are still not allowed to develop protection for iPhone users.”

“End users of non-jailbroken iOS devices are typically unable to load third party applications, and are therefore somewhat protected from malware attacks propagated through app installs,” says Webroot Senior Threat Analysts Michael Sweeting. “OSX.WireLurker however is a new approach to infecting iOS devices with information stealing malware, by infecting third party application installers for OSX, and in turn infecting the iOS device once connected to the Mac via USB.”

“This type of infection should once again remind Mac and iOS users alike that these devices are not immune to attacks, and even bigger more sophisticated attacks may be on the horizon. Users should continue to exercise caution and prudence, and should avoid downloading Mac software from third party app stores.​”

Palo Alto Networks’ Ryan Olson says that they don’t expect this WireLurker malware to spread to the United States, but the tactics that it uses are likely to be copied by new attackers who could have new targets in mind.