Yesterday, Palo Alto Networks published a report regarding “WireLurker,” new malware it describes as one of the most advanced attacks on Mac OS X and iOS devices. It’s the first to affect two operating systems, and introduces on-the-fly repackaging of apps on iOS devices that have and, more importantly, that have not been jailbroken.
This is another example of how cybercriminals are moving from the desktop to mobile. And while iPhones are considered more secure by some, WireLurker demonstrates how hackers are using new techniques and security gaps in iOS to infect devices.
For the enterprise, the warning is clear: This type of threat is no longer limited to specific geographies. Anyone using iOS devices, whether for personal and/or for work purposes, can be infected quickly and easily, exposing sensitive data to cybercriminals.
Where did WireLurker come from?
Initial reports about WireLurker began surfacing in June when a worker at Tencent (the Chinese company behind QQ) witnessed suspicious activity on his Mac and iOS device.
The source of WireLurker was then linked to the Maiyadi third-party app store for iOS and OS X. This app store contains a large number of trojanized apps repackaged with the additional WireLurker code.
How does WireLurker work?
WireLurker is composed of two components, each one intended to execute on a different platform:
OS X
- The first step of the infection happens on OS X when WireLurker is installed through a third-party app store.
- Following installation, the app monitors USB ports for an iOS device to be connected to the infected computer.
- When an iOS device is connected, the second stage of infection is initiated –
- WireLurker queries information on the connected device using the libimobiledevice library, which enables it to obtain information like the device phone number, device type, the user’s Apple ID and Wi-Fi information.
- WireLurker then checks if the device is jailbroken in order to see which attacks can be used against the device.
iOS
- iOS devices that have not been jailbroken
- WireLurker installs predefined apps signed by an enterprise certificate connected to the developer “Hunan Langxiong Advertising Decoration Engineering Co., Ltd.” This certificate is known as a comprised enterprise certificate used by other non-App Store apps, such as moviebox.
- WireLurker will install one or several apps, depending on the specific version of WireLurker variant. Among the apps found are a Chinese game and a comics reader.
- These compromised apps send information from the device which includes the device identifier.
- Jailbroken iOS devices
- WireLurker downloads specific, predefined apps from the device, injects malicious code into these apps, then re-installs them back onto the device.
- In addition, WireLurker installs a Cydia repository app, that collects sensitive information from the device such as phone records, messages, browsing history and more.
Why is this significant?
While the security community has discussed the enterprise certificate attack vector in the past, this is the first time malware that attacks iOS devices that haven’t been jailbroken has been spotted in the wild.
It’s important to note, that while this malware was first discovered in China, it’s not geographically limited and can easily be installed on OS X and iOS devices worldwide. Furthermore, once this code is spotted in the wild, it can be altered and used by other threat actors with different targets.
As mentioned, the re-packaged apps were signed using compromised certificates.
Apple’s enterprise certificate mechanism allows every developer to distribute apps without going through the App Store, which means every iOS device is exposed to installation of apps from untrusted sources. Creating and deploying enterprise apps without the need to go through the App Store is a key component in the industry today. So it’s hard to see how Apple will change this distribution process.
What can you do?
Today, Apple does not allow you to restrict installation of enterprise certificate-signed apps. And only asks for permission upon installation. In order to identify this threat, you should install a third-party app that monitors for and sends alerts when these kind of apps are installed on a device. In addition, jailbreak detection apps should also be installed on any iOS device, including those running iOS 8 which has already been exposed to jailbreaking.
Can Lacoon protect me?
Yes, Lacoon is designed to detect and alert when apps signed using compromised certificates are installed on mobile devices. In addition, Lacoon detects if an iOS device is jailbroken so appropriate measures can be taken to protect the device and its data.