Recently, security researchers have warned that a new malware family targeting Apple products is mostly affecting Chinese users.
WireLurker, a new malware family affecting Apple’s desktop and mobile operating systems, seems to have originated in China and is mostly affecting devices there, US-based Palo Alto Networks said.
The malware spreads through apps downloaded from a third-party store and can steal information.
Palo Alto Networks said more than 400 infected apps have been downloaded over 350,000 times.
Ryan Olson, the company’s intelligence director, said “WireLurker is unlike anything we have ever seen in terms of Apple iOS and OS X malware.”
“When it comes to exploiting some of the world’s best-known desktop and mobile platforms, the techniques in use suggest that bad actors are getting more sophisticated,” he added.
WireLurker has the ability to transfer from an Apple Mac computer to mobile devices through a USB cable. The malware was capable of stealing “a variety of information” from the mobile devices it infected, and regularly requested updates from the attacker’s control server, the security firm said.
“This malware is under active development and its creator’s ultimate goal is not yet clear,” the firm added.
Shortly after the disclosure, Apple issued a brief statement: “We are aware of malicious software available from a download site aimed at users in China, and we’ve blocked the identified apps to prevent them from launching.”
“As always, we recommend that users download and install software from trusted sources,” Apple added.
Palo Alto Networks revealed that WireLurker was first noticed in June, when a developer at the Chinese firm Tencent realized there were suspicious files and processes on his Mac and iPhone.
Further inquiries revealed that a total of 467 Mac programs listed on the Maiyadi App Store had been compromised to include the malware, and that these had in turn been downloaded 356,104 times as of 16 October.
Infected software included popular games such as Angry Birds, The Sims 3, Pro Evolution Soccer 2014 and Battlefield: Bad Company 2.
Once the malware was on the Mac, it communicated with a command-and-control server to check if it needed to update its code, and then waited until an iPhone, iPad or iPod was connected.
According to the security firm, when an iOS device was connected to an infected Mac, the malware checked whether the device was jailbroken, a process some users perform to remove some of Apple’s restrictions.
If it was jailbroken, WireLurker backed up the device’s apps to the Mac, repackaged them with malware, and then installed the infected versions back on to the iOS device. However, if the device was not jailbroken (the case for most iOS devices), WireLurker took advantage of a technique created by Apple to enable businesses to install special software on their staff’s handsets and tablets.
The malware placed infected apps on the device that had been signed with a mock “enterprise certificate”, a signature attached to an app that is supposed to prove it comes from a trustworthy source.
On the user’s first attempt to run an infected app, a permission prompt appears on the targeted iOS device so that the device can accept the certificate.
It simply asked for permission to run the app, but if the user clicked ‘continue’ it installed a file called a ‘provisioning profile’, which told the iOS device it could trust any other app that had been signed with the same enterprise certificate.
While this malware technique was not a new concept, it was the only known example of it being used to target non-jailbroken iOS devices in the wild, Palo Alto Networks said.
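The ‘provisioning profile’ described above is something a defender can inspect before accepting it or while auditing a device backup. The following Python script is an added example, not code from the article or from Palo Alto Networks: a `.mobileprovision` file is a CMS-signed envelope around an XML property list, and the script pulls that property list out, reports whether the profile is an enterprise (in-house) profile via the `ProvisionsAllDevices` key, which team certificate it ties the device to, whether its entitlements cover every app of that team, and whether it has expired. The two sample profiles are constructed inline, the DER-looking wrapper bytes are a stand-in for the real signed envelope, and the script does not verify the CMS signature.

```python
"""Summarize an iOS provisioning profile (.mobileprovision) for review.

Added example; assumptions: the embedded property list is plain XML
(true of Apple-issued profiles) and the CMS signature is NOT checked.
"""
import plistlib
from datetime import datetime, timezone
from typing import Optional

PLIST_START = b"<?xml"
PLIST_END = b"</plist>"


def extract_plist(raw: bytes) -> dict:
    """Locate the XML plist inside the signed envelope and parse it."""
    start = raw.find(PLIST_START)
    end = raw.find(PLIST_END, max(start, 0))
    if start < 0 or end < 0:
        raise ValueError("no embedded property list found")
    return plistlib.loads(raw[start:end + len(PLIST_END)])


def classify(profile: dict) -> str:
    """Enterprise profiles carry ProvisionsAllDevices; ad-hoc and
    development profiles list specific device UDIDs; App Store profiles
    carry neither."""
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    if profile.get("ProvisionedDevices"):
        return "ad-hoc/development"
    return "app-store"


def summarize(raw: bytes, now: Optional[datetime] = None) -> dict:
    """Return the facts a reviewer wants before trusting the profile."""
    profile = extract_plist(raw)
    # plistlib returns naive UTC datetimes, so compare against naive UTC.
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    expires = profile.get("ExpirationDate")
    app_id = profile.get("Entitlements", {}).get("application-identifier", "")
    return {
        "kind": classify(profile),
        "name": profile.get("Name"),
        "team": profile.get("TeamName"),
        "team_ids": list(profile.get("TeamIdentifier", [])),
        "app_id": app_id,
        # A TEAMID.* identifier means the profile is not tied to one app.
        "wildcard": app_id.endswith(".*"),
        "expired": bool(expires is not None and expires < now),
    }


def _wrap(plist: dict) -> bytes:
    """Constructed stand-in for the CMS envelope: a few DER-looking bytes
    around the XML plist. A real profile carries a signature here."""
    return b"\x30\x82\x0f\xa0\x06\x09" + plistlib.dumps(plist) + b"\x00\x00"


# Constructed sample: an enterprise profile covering every app of a team.
ENTERPRISE_SAMPLE = _wrap({
    "Name": "Example In-House Distribution",
    "TeamName": "Example Corp",
    "TeamIdentifier": ["EXAMPLE123"],
    "ProvisionsAllDevices": True,
    "ExpirationDate": datetime(2030, 1, 1),
    "Entitlements": {"application-identifier": "EXAMPLE123.*"},
})

# Constructed sample: an ordinary, already expired App Store profile.
STORE_SAMPLE = _wrap({
    "Name": "Example App Store Profile",
    "TeamName": "Example Indie",
    "TeamIdentifier": ["INDIE45678"],
    "ExpirationDate": datetime(2014, 1, 1),
    "Entitlements": {"application-identifier": "INDIE45678.com.example.app"},
})


if __name__ == "__main__":
    for label, sample in (("enterprise", ENTERPRISE_SAMPLE), ("store", STORE_SAMPLE)):
        print(label, summarize(sample))
```

Run it against a real file with `summarize(open(path, "rb").read())`; a result of kind `enterprise` with a wildcard identifier from a team you do not recognise is exactly the kind of profile the precautions at the end of this article say not to accept.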
Once installed, the malware provided information about the iOS device to the attackers, including phone numbers from its Contacts app and the user’s Apple ID.
Different versions of WireLurker also automatically installed new apps on the devices, including a video game and a comic book reader. Though these were harmless, experts warn they could represent a test run for other, more damaging software.
Prof Alan Woodward, from the University of Surrey, said, “People have got very used to iOS being secure and there is a danger they may be complacent about the risk this presents.”
News of the attack comes after Apple’s iCloud storage service in China was attacked by hackers trying to steal user information last month.
Greatfire.org, a Chinese web monitoring group, said, “Hackers seized data and potentially gained access to passwords, messages, photos and contacts. They believed the Beijing government was behind the move.”
The Chinese government denied the claims and was backed by China Telecom, the state-owned internet provider, which said the claim was “false and baseless”.
China is the world’s biggest smartphone market, and Apple saw its iPhone sales there jump 50% in the April to June quarter from a year earlier.
Palo Alto Networks has recommended some precautions for users in order to minimize the risk of attack:
- Do not download Mac apps from third-party stores
- Do not jailbreak iOS devices
- Do not connect iOS devices to untrusted computers and accessories, either to copy information or to charge the devices
- Do not accept requests for a new “enterprise provisioning profile” unless it comes from an authorized party, for example the employer’s IT department