Wirelurker Malware Can Enter Non-Jailbroken Devices Too. What Can You Do?

Cybercriminals are following the mobile money trail, and this time, the victims are Apple users. So while tech analysts were touting how Apple could gain from a huge market where it was previously not a player, cybercriminals seem to want to profit just the same. 

WireLurker was used to create fake versions of popular apps on a third-party Mac application store in China. And since then, the latest threat to target Mac and iOS devices has been making the news rounds. Labeled as “the most advanced,” “a wake-up call,” and “vicious,” Wirelurker is being described in a way that often leads to unnecessary panic.


Is there cause for panic?

In reality, the newly discovered malware family is a significant threat. Researchers who discovered WireLurker thinks it's big, saying that "of the known malware families distributed through Trojanized/ repackaged OS X applications, (this is) the biggest in scale we have ever seen."

And it has taken its toll. Since April this year, hundreds of thousands of users have found themselves victims after downloading any of the 467 infected applications in the said third-party app store. Despite all these, there are several points Mac and iOS users need to know to not panic and stay safe, as we have previously clarified.  

For one, the threat is not active anymore. Known variants have already been blocked, command-and-control servers are down, and Apple has revoked the stolen certificate that enabled the attack. Since the fix, WireLurker still manages to get into non-jailbroken devices. However, we haven't discovered any malicious behavior on the part of these apps. The apps that contain the malicious backdoors can only be installed onto jailbroken devices. In addition, iOS shows a pop-up and asks for the user’s permission before installing an app via enterprise provisioning app. In non-jailbroken devices, these also run within their own sandbox, so they need permission to access contacts, location information, and other sensitive information.

“The development of Mac malware is still in its early stages compared to Windows, that’s why repackaging apps is an easy and effective way for bad guys to attack Mac computers,” says Trend Micro threat researcher Spencer Hsieh.

This attack vector has been around for years; the difference is that, with WireLurker, the malware was successful in making the jump from Mac computers to iOS devices, both jailbroken and non-jailbroken.

How did WireLurker get into non-jailbroken Apple devices?

WireLurker was able to scale the iOS walled garden because of a shortcut.

Now even as many Apple device users believe in the strength of the company’s “walled garden” approach, Mac and iOS users are no newbies to the world of threats. In fact, a number of notable malware have been known to plague Mac users in the past. However, it has always been difficult to attack iOS devices themselves.

Knowing this, cybercriminals made WireLurker in such a way that it would pass through Mac and then to the iOS device. The easiest way to do this is by using Trojanized apps, especially as the OS does not normally allow any software installation or program execution without the user’s permission. As such, downloading pirated software installers on Mac is a known way to get infected. Cybercriminals have been using it to get inside Mac systems for so many years. It also helps the bad guys that only a few Mac users use security software for Mac.

Looking at the malware closely, we found that it first infects computers running Mac OS X via pirated software. It then monitors iOS devices via connected USBs and infects them as well.

This is how WireLurker successfully infiltrated both jailbroken and non-jailbroken devices. However, the effects vary. If it’s not jailbroken, no malicious behavior happens. If it is, a backdoor is installed and iOS shows a pop up and asks for the user’s permission before installing an app via enterprise provisioning, a known attack vector for attacking iOS devices. After this, it can then steal information.

What can Mac and iOS users do about this?

Knowing these, affected Apple device users should take note of the following:

  • Do not jail break your iOS device.
  • Make sure your Mac and iOS are up-to-date.
  • Do not install any pirated software or software from untrusted sources. Only install software from the official App store.
  • Install security software on your Mac and make sure you always have the latest update.
  • Make sure you only connect your iOS devices to computers that you trust.
  • Remove any suspicious profiles from your iOS devices
  • Carefully review any iOS application’s request for access to your camera, contacts, microphone, location information, and other sensitive data.

For enterprises, take note of the following steps:

  • Make sure you properly secure your private key.
  • Make sure only those necessary employees can access the private key.
  • Remember to deny former employees or team members’ access to the private key.
  • Pay attention to the installation request from enterprise provisioning applications. Allow only those from trusted sources to be installed on your device.
  • Revoke your certificate(s) as soon as possible if you feel your private key has been compromised.


Update: Not long after news about WireLurker iOS malware broke-out, China has taken down the websites responsible for the WireLurker malware and has arrested three suspects around two weeks after it was discovered by Palo Alto Networks.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.