
WireLurker Exposes iOS Security – Jailbreak Not Required

Yesterday, Palo Alto Networks published a report on “WireLurker,” new malware it describes as one of the most advanced attacks yet seen against Mac OS X and iOS devices. It is the first malware family to target both operating systems in one campaign, and it introduces on-the-fly repackaging of apps on iOS devices, both jailbroken devices and, more importantly, devices that have not been jailbroken.

This is another example of cybercriminals moving from the desktop to mobile. While iPhones are often considered the more secure platform, WireLurker shows how attackers combine new techniques with gaps in the iOS distribution model to infect devices.

For the enterprise, the warning is clear: this type of threat is no longer limited to specific geographies. Anyone using an iOS device, for personal or for work purposes, can be infected quickly and easily, exposing sensitive data to cybercriminals.

Where did WireLurker come from?

Initial reports about WireLurker began surfacing in June when a worker at Tencent (the Chinese company behind QQ) witnessed suspicious activity on his Mac and iOS device.

The source of WireLurker was then linked to the Maiyadi third-party app store for iOS and OS X. This app store contains a large number of trojanized apps repackaged with the additional WireLurker code.

How does WireLurker work?

WireLurker is composed of two components, each one intended to execute on a different platform:

OS X

iOS

Why is this significant?

While the security community has discussed the enterprise certificate attack vector in the past, this is the first time malware that attacks iOS devices that haven’t been jailbroken has been spotted in the wild.

It’s important to note that while this malware was first discovered in China, it is not geographically limited and can just as easily be installed on OS X and iOS devices anywhere in the world. Furthermore, now that the code has been seen in the wild, it can be altered and reused by other threat actors against different targets.

The repackaged apps were signed using a compromised enterprise distribution certificate, so iOS treated them as legitimately signed in-house apps rather than as code from an unknown source.

Apple’s enterprise certificate mechanism allows any organization enrolled in the enterprise developer program to distribute apps to any iOS device without going through the App Store, which means every iOS device can be offered an app from a source Apple has never reviewed. Building and deploying in-house apps outside the App Store is a core part of how enterprises use iOS today, so it is hard to see Apple changing this distribution process.

What can you do?

Today, iOS offers no setting that restricts installation of enterprise certificate-signed apps; the user is only asked to confirm the installation when it happens. To identify this threat, you should install a third-party app that monitors for enterprise-signed apps and sends an alert when one is installed on a device. In addition, jailbreak detection should be deployed on every iOS device, including those running iOS 8, for which a jailbreak is already publicly available.
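As an added example (this is not code from the original post, nor Lacoon’s or Palo Alto Networks’ code), the script below shows the check a monitoring agent can run against the embedded.mobileprovision profile inside an iOS app to tell an enterprise-distributed app apart from ad-hoc, development and App Store builds. It relies only on Apple’s documented profile keys (ProvisionsAllDevices, ProvisionedDevices, Entitlements/get-task-allow, ExpirationDate). The sample profile at the bottom is constructed for this example and is not WireLurker’s real profile; the CMS signature around the plist is not verified, since iOS already does that at install time.

```python
"""Classify an iOS provisioning profile by distribution type.

Added example, not code from the original post or from Lacoon/Check Point.
A .mobileprovision file is a CMS (PKCS#7) signed blob whose payload is an
XML property list.  Enterprise (in-house) profiles set ProvisionsAllDevices,
which is exactly what lets a repackaged WireLurker-style app install on any
device without going through the App Store.
"""
import plistlib
import re
from datetime import datetime, timezone
from typing import Optional

# The plist sits inside DER/CMS bytes; locate it rather than parse the CMS.
_PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_plist(blob: bytes) -> dict:
    """Pull the XML plist payload out of a signed .mobileprovision blob."""
    m = _PLIST_RE.search(blob)
    if m is None:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(m.group(0))


def classify_profile(profile: dict) -> str:
    """Return 'enterprise', 'ad-hoc', 'development' or 'app-store'."""
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"          # in-house distribution: any device
    if profile.get("ProvisionedDevices"):
        ents = profile.get("Entitlements", {})
        # Development profiles allow a debugger to attach; ad-hoc ones do not.
        return "development" if ents.get("get-task-allow") else "ad-hoc"
    return "app-store"


def assess_profile(blob: bytes, now: Optional[datetime] = None) -> dict:
    """Summarise what a device-monitoring agent would record and alert on."""
    profile = extract_plist(blob)
    now = now or datetime.now(timezone.utc)
    expires = profile.get("ExpirationDate")
    if expires is not None and expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)  # plistlib dates are naive UTC
    kind = classify_profile(profile)
    return {
        "name": profile.get("Name"),
        "team": profile.get("TeamName"),
        "team_ids": list(profile.get("TeamIdentifier", [])),
        "app_id": profile.get("Entitlements", {}).get("application-identifier"),
        "type": kind,
        "expired": bool(expires is not None and expires < now),
        # Sideloaded via enterprise signing: the WireLurker vector.
        "alert": kind == "enterprise",
    }


# Constructed sample: an enterprise profile with a 2015 expiry (hypothetical
# team and bundle identifiers, not taken from any real profile).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Name</key><string>Example In-House Distribution</string>
    <key>TeamName</key><string>Example Corp</string>
    <key>TeamIdentifier</key><array><string>EXAMPLETEAM</string></array>
    <key>ProvisionsAllDevices</key><true/>
    <key>ExpirationDate</key><date>2015-11-05T00:00:00Z</date>
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key><string>EXAMPLETEAM.com.example.app</string>
        <key>get-task-allow</key><false/>
    </dict>
</dict>
</plist>
"""
# Surround the plist with a few bytes that stand in for the CMS envelope.
SAMPLE_PROFILE = (b"\x30\x82\x01\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
                  + SAMPLE_PLIST + b"\x00" * 16)


if __name__ == "__main__":
    for key, value in assess_profile(SAMPLE_PROFILE).items():
        print(f"{key:9}: {value}")
```

On a device or in an MDM pipeline the same check runs over the profile extracted from each installed IPA; an "enterprise" result from a team the organization does not recognize is the event to alert on, and an expired profile is worth reporting too, since Apple can revoke an abused certificate and the app will then stop launching.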

Can Lacoon protect me?

Yes. Lacoon is designed to detect and alert when apps signed with compromised certificates are installed on mobile devices. In addition, Lacoon detects whether an iOS device is jailbroken, so that appropriate measures can be taken to protect the device and its data.
