Last week, Palo Alto Networks reported the discovery of new malware that targets iOS and OS X, the operating systems used by Apple’s iPhone, iPad and Mac devices. Historically, malware and viruses have been directed at Microsoft Windows and its 90% install base. The growing use of Apple devices will start to put them at greater risk.
WireLurker is likely the first of what will be a growing array of malware targeting iOS and OS X. We may look back on it as the canary in the coal mine for end users and IT administrators alike.
distributing the malware
All malware requires a method of transmission (also known as the vector). In this case, the malware was distributed via an unofficial Chinese app store called Maiyadi. There are a number of these app stores and they typically specialize in distributing pirated software (known as ‘warez’).
Lesson #1: Don’t download apps from third-party sources…and avoid pirated software.
hacking your device
iOS has been built from the ground up with security in mind, so simply downloading an infected (also known as “Trojanized”) app is not enough to compromise your system. WireLurker, on its own, is harmless. Some users hack their own devices (called “jailbreaking”), and jailbroken iPhones are immediately vulnerable.
Lesson #2: Don’t jailbreak or otherwise hack your devices
stolen certificate
The most dangerous and troubling part of WireLurker is that the hackers found a way to bypass the iOS built-in security using a stolen Enterprise Certificate. A certificate is a digital object that authorizes software to perform certain actions on a system. Apple grants certificates to legitimate software developers, but the WireLurker hackers appear to have stolen one. Apple has since revoked the stolen certificate, rendering the current variation of WireLurker ineffective. But, as security expert Jonathan Zdziarski notes on his blog, it would not be hard to steal another certificate, or for the malware to download a new certificate once installed.
Lesson #3: Apple has stopped the immediate threat, but there is a larger one looming
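To make the certificate point concrete, here is an added example (not code from the original post, from Palo Alto Networks, or from Apple) that models a code-signing trust chain with a revocation list. It is a deliberate simplification: a platform root signs a developer’s key (the “certificate”), the developer’s key signs an app digest, and the device-side check walks the chain, consults the revocation list, and only then validates the app signature. The scenario function replays the timeline described above: a stolen-but-valid certificate passes, revocation blocks it, a freshly obtained certificate passes again until it too is revoked, and a certificate that was never issued by the root fails regardless. Team IDs and the app contents are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DeveloperCert is a toy stand-in for a code-signing certificate: a team
// identifier and public key, endorsed by the platform root's signature.
type DeveloperCert struct {
	TeamID    string
	PublicKey ed25519.PublicKey
	RootSig   []byte // root's signature over TeamID || PublicKey
}

// Platform models the vendor's root of trust plus its revocation list.
type Platform struct {
	rootPriv ed25519.PrivateKey
	rootPub  ed25519.PublicKey
	revoked  map[string]bool
}

var (
	ErrBadChain     = errors.New("certificate was not issued by the platform root")
	ErrRevoked      = errors.New("certificate has been revoked")
	ErrBadSignature = errors.New("app signature does not verify under the certificate")
)

func NewPlatform() *Platform {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Platform{rootPriv: priv, rootPub: pub, revoked: map[string]bool{}}
}

// certBytes is the byte string the root signs when issuing a certificate.
func certBytes(teamID string, pub ed25519.PublicKey) []byte {
	return append([]byte(teamID+"|"), pub...)
}

// IssueCert generates a developer key pair and endorses it with the root key.
// The private key is what a thief needs in order to sign apps as that developer.
func (p *Platform) IssueCert(teamID string) (DeveloperCert, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return DeveloperCert{TeamID: teamID, PublicKey: pub, RootSig: ed25519.Sign(p.rootPriv, certBytes(teamID, pub))}, priv
}

// Revoke adds a team to the revocation list; devices consult it on every check.
func (p *Platform) Revoke(teamID string) { p.revoked[teamID] = true }

// SignApp signs the SHA-256 digest of an app with a developer key.
func SignApp(devPriv ed25519.PrivateKey, app []byte) []byte {
	digest := sha256.Sum256(app)
	return ed25519.Sign(devPriv, digest[:])
}

// VerifyApp is the device-side check: chain to root, revocation, then app signature.
func (p *Platform) VerifyApp(cert DeveloperCert, app, sig []byte) error {
	if !ed25519.Verify(p.rootPub, certBytes(cert.TeamID, cert.PublicKey), cert.RootSig) {
		return ErrBadChain
	}
	if p.revoked[cert.TeamID] {
		return ErrRevoked
	}
	digest := sha256.Sum256(app)
	if !ed25519.Verify(cert.PublicKey, digest[:], sig) {
		return ErrBadSignature
	}
	return nil
}

// Scenario replays the timeline and returns the four verdicts in order.
func Scenario() []error {
	platform := NewPlatform()
	trojan := []byte("constructed placeholder app bundle") // constructed sample input

	// 1. A legitimate team's certificate and key are stolen; the signed app passes.
	stolenCert, stolenKey := platform.IssueCert("TEAM-A-PLACEHOLDER")
	v1 := platform.VerifyApp(stolenCert, trojan, SignApp(stolenKey, trojan))

	// 2. The vendor revokes that certificate; the same app now fails.
	platform.Revoke("TEAM-A-PLACEHOLDER")
	v2 := platform.VerifyApp(stolenCert, trojan, SignApp(stolenKey, trojan))

	// 3. A different, still-valid certificate passes again: revocation is per certificate.
	otherCert, otherKey := platform.IssueCert("TEAM-B-PLACEHOLDER")
	v3 := platform.VerifyApp(otherCert, trojan, SignApp(otherKey, trojan))

	// 4. A self-made certificate never endorsed by the root fails at the chain check.
	forgedPub, forgedKey, _ := ed25519.GenerateKey(rand.Reader)
	forged := DeveloperCert{TeamID: "FORGED", PublicKey: forgedPub, RootSig: make([]byte, ed25519.SignatureSize)}
	v4 := platform.VerifyApp(forged, trojan, SignApp(forgedKey, trojan))

	return []error{v1, v2, v3, v4}
}

func main() {
	for i, v := range Scenario() {
		fmt.Printf("step %d: %v\n", i+1, v)
	}
}
```

The ordering inside VerifyApp matters for defenders: the revocation check runs before the signature check, so revoking a certificate invalidates every app it ever signed without touching the devices. Step 3 is the looming problem the post describes: revocation only covers the certificate that was caught, so any other valid certificate an attacker obtains is trusted until it, too, is revoked.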
other security issues
Once infected, WireLurker sends a modest amount of mostly trivial information to a “command and control infrastructure” in China. This is the hackers’ server farm, essentially. Apple has also reported shutting down this infrastructure.
WireLurker also spreads to your computer by using the trusted connection between the iPhone or iPad and iTunes on a Mac. Once the computer is infected, WireLurker can harvest more information.
the good news
The good news is that the certificate has been revoked, so WireLurker is essentially inactive. The command and control infrastructure has been shut down, so there is nowhere for stolen information to be sent.
If you think you might have WireLurker — which is unlikely — you should still test your devices and take steps to remove it.
the bad news
The bad news is that Apple has done little more than address this specific threat. Imagine a colony of rats living outside your apartment, and one eventually sneaks in through a tunnel. Apple has trapped this particular rat, but has done nothing to close up the tunnel. It’s only a matter of time before the next rat appears.