Skip to main content

WireLurker Malware: How to Protect Your Mac or iPhone

Photo composite by Tom's Guide

Photo composite by Tom's Guide


Mac malware is rare; iOS malware is nearly unheard of. But a newly discovered piece of malware targets is a two-for-one combo, targeting not only Macs, but iOS devices too. Called WireLurker, it spreads from infected Macs to iOS devices — even non-jailbroken iPhones and iPads — via USB sync cables, then steals information or installs malicious iOS apps.

Because malware that infects non-jailbroken iOS devices has never been seen before outside of research labs, WireLurker is heralded as a "new era in iOS and OS X malware" by security company Palo Alto Networks, which documented it in a new report. Here's how can you protect your Mac, your iPhone or iPad and yourself from a WireLurker infection.

MORE: 15 Best Mobile Privacy and Security Apps

What is WireLurker?

WireLurker was first found hiding inside 467 corrupted OS X applications on a Chinese third-party Apple software market called the Maiyadi App Store, according to a Palo Alto's report.  The applications had hundreds of thousands of downloads — a Trojanized version of The Sims 3 was downloaded 42,110 times — and all infected applications installed using Pirates of the Caribbean-themed backgrounds.

"We are aware of malicious software available from a download site aimed at users in China," Apple said today (Nov. 6) in a statement provided to The Wall Street Journal, "and we've blocked the identified apps to prevent them from launching."

However, there's nothing stopping infection of more applications in other third-party OS X software repositories.

Once on a Mac, WireLurker monitors the Mac's USB ports until it detects a connected iOS device. If the device is jailbroken, WireLurker copies all the data it can and sends the data to a command-and-control server.

Then, for both jailbroken and un-jailbroken iOS devices, WireLurker installs iOS apps onto the connected phones. For jailbroken phones, WireLurker goes a step further: It backs up the existing apps, injects malicious code into each one and then reinstalls them. The iPhone owner may not even notice those, but will notice any new apps.

This malicious iOS code collects contacts' names, phone numbers and Apple IDs, and sends them along to the command-and-control server, along with updates about WireLurker's status. That's all bad enough, but it could get worse.

"This malware is under active development and its creator's ultimate goal is not yet clear," warned Palo Alto Networks' report.

How to protect against WireLurker

The first step Mac users can take to protect themselves is to not download or run any applications that come from third-party app stores. Go to OS X's System Preferences, click "Security and Privacy," and then select "Allow apps downloaded from Mac App Store (or Mac App Store and identified developers)." This will, unfortunately, prevent the Mac from installing any software unauthorized by Apple.

Next, install a decent OS X antivirus application. Some of the best ones are free, so you have nothing to lose. Here's our list of recommended Mac antivirus packages. As for iOS antivirus software, there isn't much.

Be sure to keep all the software on all your iOS and OS X devices up-to-date. Apple is quite responsive about patching vulnerabilities.

Never connect your iPhone to an unknown or untrusted computer, whether it's a Mac or a PC, or even an untrusted charger -- chargers can actually be mini-computers.

Palo Alto Networks also recommends not jailbreaking an iOS device, because that opens it up to all sorts of attacks. If you must, then install apps only from the Cydia app store, and avoid putting sensitive personal information on that device.

If you think your Mac may be infected, you can download and run (command-line only) Palo Alto Networks' WireLurker detector from GitHub. Consider also installing the network sniffer Little Snitch on your Mac; it will reveal suspicious outgoing connections.

Fortunately, WireLurker appears to be easy to remove. All you have to do is delete the related files from the affected Macs or iOS devices.

Still, WireLurker represents a huge leap forward in terms of iOS malware. It's the first known piece of software that can automatically generate malicious iOS applications, and the first "in the wild" that can infect non-jailbroken iOS devices.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr. Follow Tom's Guide at @tomsguide and on Facebook.