ArsTechnica


Active “WireLurker” iPhone infection ushers in new era for iOS users

An iOS weakness allowing installation of non-approved apps is no longer theoretical.

Ushering in a new threat landscape for iPhone users, security researchers have uncovered an active malware operation that compromised the OS X and iOS devices of hundreds of thousands of people.

WireLurker, as the new family of malware has been dubbed, first took hold of Macs when users installed pirated software that had been laced with malicious code, according to a report published Wednesday by researchers from Palo Alto Networks. The trojan then installed itself as an OS X system daemon and waited for iOS devices to connect over USB interfaces. The infected Macs would then grab the serial number, iTunes store identifier, and if available, phone number of the iOS device and send the data to a server controlled by the operators. WireLurker-infected phones were also loaded up with a variety of unwanted apps. Palo Alto Networks researchers found 467 OS X WireLurker-infected applications available on Maiyadi, a third-party app store located in China. The apps were downloaded 356,104 times, a figure indicating that hundreds of thousands of people likely were hit by the infection.

"Viable means of attack"

At first blush, WireLurker doesn't look like much of a threat. For one thing, it targeted a relatively small number of people in a limited geography who all appeared to have ties to pirated software. On top of that, once it gained persistence on a Mac or iDevice, WireLurker stole only a small amount of data and installed mostly innocuous apps. But there are reasons WireLurker could be important to iOS users everywhere. Chief among them, the infected Macs were able to compromise non-jailbroken iPhones and iPads by abusing the trusted iOS pairing relationship and enterprise provisioning, a mechanism that allows businesses to install custom-written apps on employee devices.

"The real issue is that the design of iOS' pairing mechanism allows for more sophisticated variants of this approach to easily be weaponized," wrote Jonathan Zdziarski, an iOS forensics expert who analyzed WireLurker, in an independent review of the Palo Alto Networks report. "While WireLurker appears fairly amateur, an NSA or GCHQ, or any other sophisticated attacker could easily incorporate a much more effective (and dangerous) attack like this." While Apple can easily block individual attacks by revoking specific certificates, Zdziarski went on to recommend iOS architects incorporate more proactive design changes to prevent similar attacks. He wrote:

It would greatly behoove Apple to address this situation with more than a certificate revocation; I’m not scared of WireLurker, but I am concerned that this technique could be weaponized in the future, and be a viable means of attack on public and private sector machines. It could easily be attached to any software download in-transit across non-encrypted HTTP, such as an Adobe Flash download or other software download. Social engineering would also help to make juicy targets out of people likely to click on links from IT departments or install software on their Mac. There are a number of potentially more dangerous uses for WireLurker, and unfortunately many of them will go unnoticed by Apple in time to revoke a certificate. It would be a much better solution to address the underlying design issues that make this possible.

According to Palo Alto Networks, WireLurker is only the third confirmed case of malware being actively installed on non-jailbroken iOS devices. The first case reportedly involved adware known as LBTM, while the second was the so-called Find and Call worm, which was abruptly pulled from Apple's App Store once it was discovered.

The ability to install non-Apple-approved apps on non-jailbroken devices by abusing enterprise provisioning is by no means novel, Wednesday's report noted. It counted at least five Mac or PC apps available over the past 22 months that have used the libimobiledevice library to install pirated apps on non-jailbroken iPhones or iPads. The report also noted a presentation in September at the Virus Bulletin conference by researchers who warned of the risk stemming from Apple's enterprise distribution program.

"According to their research, any application can bypass Apple review, arbitrarily invoke private iOS APIs, monitor user behavior, and exploit vulnerabilities in a non-jailbroken iOS device by leveraging an enterprise provisioning profile," the Palo Alto Networks report stated. "WireLurker is a prime example of how this is no longer a theoretical risk, but an active threat as seen in the wild."
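The two trust mechanisms the report and Zdziarski single out, the USB pairing record a Mac keeps for each iPhone it has synced with and the enterprise (in-house) provisioning profile that lets an app skip App Store review, both leave artifacts a responder can inventory. The script below is an added example written for this page, not code from Ars Technica, Palo Alto Networks or Zdziarski. It parses a lockdown pairing record and a .mobileprovision profile with the standard library and reports what each one grants; the sample record and profiles embedded in it are constructed for the demonstration, and the key names (HostID, SystemBUID, EscrowBag, ProvisionsAllDevices, ProvisionedDevices, TeamIdentifier, Entitlements) are the ones found in real files, while the default path /var/db/lockdown is the macOS location and is an assumption for other platforms.

```python
"""Inventory of the two iOS trust artifacts WireLurker abused: pairing records
on the Mac and enterprise provisioning profiles. Added example; not code from
the article or from the researchers it quotes."""
import os
import plistlib
from datetime import datetime, timezone

# macOS keeps one <UDID>.plist per paired device here (root-readable); assumption
# for anything other than OS X / macOS.
LOCKDOWN_DIR = "/var/db/lockdown"


def summarize_pairing_record(data: bytes) -> dict:
    """Parse one lockdown pairing record and report what it grants.

    A record that carries an EscrowBag lets the pairing host read the device's
    data while the device is locked, and the HostPrivateKey is what a malware
    host would need to impersonate this Mac to the phone."""
    rec = plistlib.loads(data)
    return {
        "host_id": rec.get("HostID"),
        "system_buid": rec.get("SystemBUID"),
        "wifi_mac": rec.get("WiFiMACAddress"),
        "has_escrow_bag": "EscrowBag" in rec,
        "has_host_private_key": "HostPrivateKey" in rec,
    }


def audit_lockdown_dir(path: str = LOCKDOWN_DIR) -> dict:
    """Summarize every pairing record in a lockdown directory, keyed by UDID."""
    results = {}
    for name in os.listdir(path):
        # SystemConfiguration.plist holds the host's BUID, not a pairing.
        if not name.endswith(".plist") or name == "SystemConfiguration.plist":
            continue
        with open(os.path.join(path, name), "rb") as fh:
            results[name[:-len(".plist")]] = summarize_pairing_record(fh.read())
    return results


def extract_embedded_plist(profile: bytes) -> bytes:
    """A .mobileprovision is a CMS (PKCS#7) DER blob wrapping an XML plist.

    This pulls the plist out WITHOUT verifying the signature, which is fine for
    triage; verify with `security cms -D -i <file>` before trusting its contents."""
    start = profile.find(b"<?xml")
    end = profile.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return profile[start:end + len(b"</plist>")]


def classify_provisioning_profile(profile: bytes, now: datetime = None) -> dict:
    """Classify a profile as enterprise (in-house), ad hoc/development, or App
    Store style, and surface the fields a reviewer should look at first."""
    p = plistlib.loads(extract_embedded_plist(profile))
    now = now or datetime.now(timezone.utc)
    exp = p.get("ExpirationDate")
    if exp is not None and exp.tzinfo is None:  # plistlib returns naive UTC
        exp = exp.replace(tzinfo=timezone.utc)
    if p.get("ProvisionsAllDevices"):
        kind = "enterprise"          # installs on any device: the WireLurker case
    elif p.get("ProvisionedDevices"):
        kind = "adhoc_or_development"  # pinned to a list of UDIDs
    else:
        kind = "appstore"
    ents = p.get("Entitlements", {})
    return {
        "kind": kind,
        "team": p.get("TeamName"),
        "team_id": (p.get("TeamIdentifier") or [None])[0],
        "app_id": ents.get("application-identifier"),
        "debuggable": bool(ents.get("get-task-allow")),
        "expired": exp is not None and exp < now,
    }


# Constructed sample inputs (real files also carry certificates and keys).
SAMPLE_PAIRING_RECORD = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>HostID</key><string>D35A3E3F-1A6F-4E1A-9F3C-0123456789AB</string>
<key>SystemBUID</key><string>0F5E9C2A-7B41-4B6C-8D0E-FEDCBA987654</string>
<key>WiFiMACAddress</key><string>aa:bb:cc:dd:ee:ff</string>
<key>EscrowBag</key><data>AAEC</data>
<key>HostPrivateKey</key><data>AAEC</data>
</dict></plist>"""

# Fake DER bytes around the plist stand in for the CMS wrapper.
SAMPLE_ENTERPRISE_PROFILE = b"\x30\x82\x10\x00\x06\x09" + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Name</key><string>Example In-House</string>
<key>TeamName</key><string>Example Corp</string>
<key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
<key>ProvisionsAllDevices</key><true/>
<key>ExpirationDate</key><date>2015-11-05T00:00:00Z</date>
<key>Entitlements</key><dict>
<key>application-identifier</key><string>ABCDE12345.com.example.internal</string>
<key>get-task-allow</key><false/>
</dict></dict></plist>""" + b"\x00\x00"

SAMPLE_DEV_PROFILE = b"\x30\x82\x10\x00" + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>TeamName</key><string>Example Corp</string>
<key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
<key>ProvisionedDevices</key><array><string>0123456789abcdef0123456789abcdef01234567</string></array>
<key>ExpirationDate</key><date>2099-01-01T00:00:00Z</date>
<key>Entitlements</key><dict>
<key>application-identifier</key><string>ABCDE12345.com.example.dev</string>
<key>get-task-allow</key><true/>
</dict></dict></plist>"""

if __name__ == "__main__":
    print(summarize_pairing_record(SAMPLE_PAIRING_RECORD))
    print(classify_provisioning_profile(SAMPLE_ENTERPRISE_PROFILE))
    print(classify_provisioning_profile(SAMPLE_DEV_PROFILE))
```

On a live Mac, `audit_lockdown_dir()` run as root lists every device that has ever been trusted by that host; a record you do not recognise, or one with an escrow bag for a device that should never have been synced, is the kind of thing Zdziarski's concern is about. On the device side, the libimobiledevice tools the report mentions give the same view from the other end: `idevicepair list` shows which hosts the phone trusts and `ideviceprovision list` shows installed profiles, each of which can be dumped and fed to `classify_provisioning_profile` to spot an in-house profile from a team the owner has never heard of.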
