Skip to main content

WireLurker: what you need to know about Apple's biggest ever threat

Lurkin' in the trees, lurkin' in the wires

Nobody bats an eyelid when malware shows up in the Windows world, but when it manoeuvres itself Mission Impossible-style into Apple's traditionally locked-down ecosystem, everything tends to descend into a frenzy.

It's par for the course, then, that WireLurker, a strain of malware that's transferred from infected Macs to USB-connected iOS devices, has caused quite a stir in the past 24 hours.

According to Unit 42 - the threat intelligence team at Palo Alto Networks that discovered the vulnerability - WireLurker has made its way onto potentially hundreds of thousands of China-based people's Apple devices. What's more, the company reckons it has the potential to spread its tentacles much further afield.

We don't want to leave you hanging, so here's a run down of the vital information that you need to know about what has been called "a new breed of threat to all iOS devices". It has been provided by Ryan Olson, Head of Intelligence at Unit 42.

What is WireLurker?

WireLurker is a strain of malware that has been discovered in a third-party Chinese OS X app store called Maiyadi. According to Unit 42, it marks a "new era in malware across Apple's desktop and mobile platforms" and poses a threat to businesses, governments and Apple device customers worldwide.

How does it work?

Rather than attacking OS X and iOS separately, WireLurker targets both platforms at the same time. It does so by monitoring any iOS device connected via USB with an infected OS X computer and installs downloaded third-party applications or automatically generated malicious applications onto the device, depending on whether or not it's jailbroken (hence the name "wire lurker"). Researchers have succesfully pulled off similar methods fo attack non-jailbroken devices before, but WireLurker is sophisticated enough to combine several techniques to make it even more dangeous than what has gone before.

Why is it a big deal?

WireLurker can boast a number of firsts - all of which make it a particularly nasty piece of work. It's the first known strain of malware that can infect installed iOS apps in a similar way to how a traditional virus on a desktop computer would.

It's also the first-in-the-wild malware family that can install third-party apps on iOS devices that haven't been jailbroken using enterprise provisioning (a way of companies installing their own apps without going through Apple's app approval process).

Additionally, until WireLurker came along, only one other malware family was known to have attacked iOS devices through OS X via USB.

Where did it come from?

WireLurker is believed to have been built by cyber criminals in China, who have trojanised (infected) 467 OS X applications in Maiyadi. Maiyadi is also a website that provides Apple-related news and resources, whereas the app store of the same name is a sub-site known to host pirated premium Mac, iPad and iPhone apps.

USB cable

Think before you connect

What bad things will it do?

Some criminals act first and think later, which appears to be what the perpetrators of WireLurker are doing. Unit 42 reckons they're still considering their motives while developing attack plans and fine-tuning the malware to be more stealthy and harder to remove.

WireLurker is capable of stealing data - from address book contacts to Apple device information and iMessage contact details - and could be capable of much more due to its ability to communicate with a "command control server" for updates. In other words, it's constantly becoming more powerful and sophisticated.

How many people have been affected?

More than you might think. It's thought that 467 infected applications have been downloaded over 356,104 times, mainly by Mac and iOS users in China.

How can I stay safe?

Because WireLurker is only found in third-party Mac apps, you can stay safe from harm by only downloading apps from Apple's own Mac App Store. In other words: keep away from third-party app stores that aren't only infested with malware, they're of dubious legality due to reasons related to copyright and IP.

How did Unit 42 spot it?

The security vulnerability was discovered by Claud Xiao of Unit 42 after he came across a Chinese forum documenting highly suspicious files and processes on Macs and iPhones.

Xiao found that all of the apps trojanized by WireLurker included an installation interface that used a "Pirates of the Caribbean" themed wallpaper. The infected apps also use a QQ (an IM software service) account number that corresponds to the owner of the Maiyadi website. The packages also contained an application named "User Manual', which was displayed in Chinese.

So, Apple is on the case, right?

Let's be clear: although WireLurker is affecting Apple devices, it's not an Apple vulnerability. That's because the techniques that it uses are deployed using legitimate APIs either from Apple on in Cydia (a third-party app store on iOS), which is used by jail-broken devices.

However, in a statement Apple confirmed to TechRadar that it has blocked infected apps that it has identified to prevent them from launching.

Kane Fulton
Kane has been fascinated by the endless possibilities of computers since first getting his hands on an Amiga 500+ back in 1991. These days he mostly lives in realm of VR, where he's working his way into the world Paddleball rankings in Rec Room.