WireLurker Malware Attacking iOS Devices

Release Date: 11 Nov 2014 1716 Views

Recently, a security researcher discovered WireLurker, a new infection vector of mobile malware, which can infect iOS device via USB connection from Windows or Mac computers. WireLurker can steal user information on the iOS mobile devices, including address book and iMessage.

 

Summary of Analysis

 

Here is a summary of WireLurker according to the analysis report of Palo Alto Networks.

  • Attacker uploaded 180 Windows Trojan malware and 67 Mac OS X Trojan malware on an online storage from March 2014; and uploaded 467 Mac OS X Trojan malware on the 3rd party App Store in China (Maiyadi) from April 2014. The categories of the Trojan are mostly application and game.
  • When user installs and runs the Trojan malware on the PC, the malware connects to a command and control server (C&C server) for update.
  • Then, the malware starts detecting USB connection. If an iOS device connects to and synchronizes with the PC, the malware will use iTunes protocol to communicate with the iOS device, and infect it with WireLurker.
  • WireLurker can infect non-jailbroken and jailbroken iOS devices
    • If it is a non-jailbroken iOS device, WireLurker will trojanize a certain app installed on user's device. Then, it steals user information and send to C&C server.
    • If it is a jailbroken iOS device, WireLurker will request user to accept installation of malware through Enterprise Provisioning Profile1. Then, it steals user information and send to C&C server.

 

Fig. Enterprise Provisioning Profile 

Fig. Enterprise Provisioning Profile

 

On 6-Nov 2014, Apple Inc. mentioned they were aware of WireLurker, and they had blocked the identified apps to prevent from launching. Apple warned users to download software only from trusted sources.

 

Implications

  • Attacker uses the third party app store to distribute Mac OS X and iOS malware.
  • Attacker uses infected Windows PC or Mac OS X computers to spread malware to iOS devices.
  • Attacker tries to lure user to bypass the trust mechanism in iOS devices.

 

Recommendation

 

HKCERT suggests the following actions to mitigate security threat from WireLurker.

  • Download and install software from trusted sources and App Store on your PC and iOS device.
  • Install security software and update the latest security definition on your PC, including Windows and Mac OS X.
  • Do not jailbreak your iOS device
  • Do not connect your iOS device to unknown computers or devices
  • Go to "Settings > General > Profiles" to check any suspicious profile. Remove the profile and its relevant application.

 

Note 1: Enterprise Provisioning Profile is usually used by companies to distribute corporate mobile app without submitting to App Store. A distribution provisioning profile identifies the distribution certificate for an app and authorizes devices to use the app.

 

 

Reference:

https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf

http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-windows/

http://blogs.wsj.com/digits/2014/11/06/apple-blocks-chinese-iphone-hacks/

 

Share with

Previous

Favourite Security Reads of the Week (7 Nov 2014)

7 Nov 2014 1299 Views

Next

Favourite Security Reads of the Week (14 Nov 2014)

14 Nov 2014 1543 Views

We use cookies to give you the best possible experience on our website. By continuing to browse this site, you give consent for cookies to be used. For more details please read our Cookie Policy.

PRIVACY POLICY