Remember Apple, the company that used to say that its products are too good to get infected with viruses and trojans? Well, iOS and OS X devices have just had their first serious malware infestation ever.
Originating in a third-party Chinese OS X app store called Maiyadi, the WireLurker trojan marks, according to Unit 42, a “new era in malware across Apple’s desktop and mobile platforms.” It is easily transferred from Mac computers to iOS devices through a USB cable, and it is estimated that 800 million iPhone users could be affected.
The WireLurker trojan shows its Windows roots, as an earlier variant used malware made for Microsoft’s OS to attack Apple devices. It is particularly dangerous because it is the first malware to install apps on non-jailbroken iPhones using enterprise provisioning.
“We are aware of malicious software available from a download site aimed at users in China, and we’ve blocked the identified apps to prevent them from launching. As always, we recommend that users download and install software from trusted sources,” explained an Apple spokesperson in a statement to Business Insider.
“Previously we knew the WireLurker was distributed through the Maiyadi App Store. However, the newly revealed samples were directly uploaded to Baidu YunPa by user ‘ekangwen206’,” added Palo Alto researchers Claud Xiao and Royce Lu.
“The main functionality of this malware is to copy sfbase.dylib and sfbase.plist in its Resources directory to specific locations to make them perform as a MobileSubstrate tweak, shown in Figure 7. Additionally, the malware will communicate with the C2 server ‘www.comeinbaby.com’, the same server used by the version of WireLurker we revealed yesterday,” explained Xiao and Lu.
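The indicators Xiao and Lu name above (the C2 host and the two sfbase tweak files) are enough to write a simple defensive check. The following is an added example, not code from the article or from Palo Alto; the MobileSubstrate tweak directory path, the DNS log line format and all sample data are assumptions constructed for the demonstration.

```python
"""Match the WireLurker indicators quoted in the article against logs and file listings."""
import re

# Indicators quoted in the article: the C2 host and the two tweak files.
C2_DOMAIN = "comeinbaby.com"          # covers www.comeinbaby.com and any other subdomain
TWEAK_FILES = {"sfbase.dylib", "sfbase.plist"}
# Directory MobileSubstrate loads tweaks from on a jailbroken device (assumed path).
SUBSTRATE_DIR = "/Library/MobileSubstrate/DynamicLibraries/"

# Assumed DNS query log format: "<timestamp> <client> query <name>"
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<name>\S+)$")


def _is_c2_name(name: str) -> bool:
    # Normalise case and a trailing dot, then match the domain itself or any subdomain.
    n = name.rstrip(".").lower()
    return n == C2_DOMAIN or n.endswith("." + C2_DOMAIN)


def scan_dns_log(lines):
    """Return (client, queried_name) for every query to the WireLurker C2 domain."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if m and _is_c2_name(m.group("name")):
            hits.append((m.group("client"), m.group("name")))
    return hits


def scan_file_listing(paths):
    """Return the sfbase tweak files found in the MobileSubstrate directory."""
    return [p for p in paths
            if p.startswith(SUBSTRATE_DIR) and p.rsplit("/", 1)[-1] in TWEAK_FILES]


# Constructed sample input, not real telemetry.
SAMPLE_DNS = [
    "2014-11-06T10:00:01Z 10.0.0.12 query www.apple.com",
    "2014-11-06T10:00:07Z 10.0.0.31 query www.comeinbaby.com.",
    "2014-11-06T10:00:09Z 10.0.0.31 query update.comeinbaby.com",
    "2014-11-06T10:00:11Z 10.0.0.12 query notcomeinbaby.com",
]
SAMPLE_FS = [
    "/Library/MobileSubstrate/DynamicLibraries/sfbase.dylib",
    "/Library/MobileSubstrate/DynamicLibraries/sfbase.plist",
    "/Library/MobileSubstrate/DynamicLibraries/other.dylib",
    "/tmp/sfbase.dylib",   # same name outside the tweak directory: not flagged
]

if __name__ == "__main__":
    print("C2 queries:", scan_dns_log(SAMPLE_DNS))
    print("Tweak files:", scan_file_listing(SAMPLE_FS))
```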
iOS forensics expert Jonathan Zdziarski pointed out that “Apple can revoke the enterprise certificate to prevent installation on iOS 8 devices; however WireLurker can still read information from the device without it. This is because the information is queried by the Mac desktop when your iPhone is plugged into it, by abusing that trusted relationship. Also, if you have a jailbroken iPhone running afc2 (a terribly insecure service allowing root file system access to the device), then a mobile substrate library is copied onto the device to infect the system. This is done regardless of whether or not WireLurker still has a valid enterprise profile.”