Apple Neuters IOS WireLurker Trojan

Posted: Nov 7 2014, 9:56am CST | by , in News | Technology News

Apple neuters iOS WireLurker trojan

Researchers also find a Windows version

Apple users had been worrying since a while about the WireLurker Trojan which had been targeting the iOS devices but now Apple says that they have nipped the Trojan in the bud. And it has become clearer now that the threat posed by the Trojan was more widespread than it was initially thought as researchers found an earlier variant which had been using Windows malware to attack Apple devices. An Apple spokesperson issued a statement yesterday to Business Insider in which he said "We are aware of malicious software available from a download site aimed at users in China, and we've blocked the identified apps to prevent them from launching. As always, we recommend that users download and install software from trusted sources.”

In an attempt to thwart the attack, Apple has revoked trust for a cryptographic certificate that it had previously issued to a developer. Some researchers at Palo Alto, a security firm, have exposed the WireLurker malware earlier this week. This malware apparently attacks the iOS devices through the USB connections which come from infected OS X systems. This enables the malware to be able to hijack users' information. The Trojan gained so much hype because of its ability to automatically generate malware for iOS. This could happen even if the device is not jailbroken.

The Trojan could install third-party applications on non-jailbroken iOS devices with the help of a feature called "enterprise provisioning". This relies on enterprise certificate which creates user profiles in corporate environments. You might all be wondering where this malware got its name of WireLurker from. Well, the main reason behind this name is that it infects the iOS device once it's connected via USB with an infected Mac. In total, there were 467 pieces of Mac malware that could infect iOS devices in this manner and all these hosted on a third-party site in China called Maiyadi App Store.

Only a day earlier it was widely accepted that an infected Mac was the only attack vector but thanks to security researcher Jaime Blasco from AlienVault Labs, he revealed that there was also a Windows version and it was being distributed prior to the Mac-only variant. This newly discovered Windows malware was being hosted on the public cloud of China’s answer to Google search, Baidu. In an update from Palo Alto researchers Claud Xiao and Royce Lu said "Previously we knew the WireLurker was distributed through the Maiyadi App Store. However, the newly revealed samples were directly uploaded to Baidu YunPa by user "ekangwen206".

180 Windows executables and 67 Mac OS X applications had been uploaded by this user and each one of them featured a variant of the WireLurker Trojan. In a much similar manner, malware is targeting Chinese iOS owners who have installed pirated software. Palo Alto has revealed that these 247 applications had been downloaded 65,213 times since they were uploaded on March 12 and March 13 last year. This was roughly a month earlier than the version that appeared on the Mayaidi App store. As opposed to this, the new variant had been downloaded 356,104 times.

The iOS apps which had been affected by the Trojan include the pirated versions of Facebook, WhatsApp, Twitter, Instagram, Minecraft, Flappy Bird, Bible, GarageBand, the iOS calculator, Keynote, iPhoto, Find My iPhone, iMovie and iBooks. The Windows version found on Baidu appears to be less refined predominantly because it has the ability to attack the jailbroken iOS devices. Moreover, this also seems to have been coming from the same attacker and it also holds the title of being the first iOS malware that attacks the ARM64 architecture.

"The main functionality of this malware is to copy sfbase.dylib and sfbase.plist in its Resources directory to specific locations to make them perform as a MobileSubstrate tweak, shown in Figure 7. Additionally, the malware will communicate with the C2 server '', the same server used by the version of WireLurker we revealed yesterday," wrote Xiao and Lu.

source: zdnet

This story may contain affiliate links.


Find rare products online! Get the free Tracker App now.

Download the free Tracker app now to get in-stock alerts on Pomsies, Oculus Go, SNES Classic and more.

Latest News


The Author

<a href="/latest_stories/all/all/32" rel="author">Ahmed Humayun</a>
Ahmed Humayun is a technology journalist bringing you the hottest tech stories of the day.




comments powered by Disqus