WireLurker iPhone Malware Tried to Hit Windows First

As we wrote yesterday (Nov. 6), WireLurker is the first malware family found in the wild that can infect non-jailbroken iOS devices. It's got a name like a comic-book supervillain, and like a supervillain, WireLurker turns out to have been up to no good longer than we'd thought.

Apparently, WireLurker initially targeted Windows computers in a failed attempt to infect iOS devices that connected to those PCs. Later, its creators retooled WireLurker to run on Macs and successfully infect non-jailbroken iPhones. Apple has blocked a crucial part of the process WireLurker uses to spread to iOS devices, but that doesn't mean the WireLurker menace is contained just yet.

The same day that security company Palo Alto Networks published a white paper on WireLurker, researcher Jaime Blasco of San Mateo, California-based security company AlienVault Labs told Palo Alto Networks he'd found a Windows executable file that communicated with WireLurker's command-and-control server at www.comeinbaby.com.

Palo Alto Networks confirmed in a second blog post that the Windows executable is an older version of WireLurker and also targets iOS devices connected to infected Windows computers. However, it doesn't seem to be able to infect non-jailbroken iOS devices, and the Palo Alto team couldn't get it to work properly even with jailbroken devices.

The researchers traced the Windows version of WireLurker back to a public cloud-storage service, similar to Dropbox, run by Chinese Web giant Baidu. (It's very unlikely Baidu was directly involved.) The malware was embedded in Windows- and OS X-based installers for various pirated iOS apps, including Facebook, WhatsApp, Minecraft and Flappy Bird, as well as several of Apple's own iOS apps, such as iPhoto, iMovie and GarageBand.

The developers of WireLurker are still unknown, but Palo Alto Networks believes the creators have some link to the Maiyadi App Store, the Chinese software repository that hosted the successful OS X version of WireLurker.

WireLurker locked away?

Apple digitally "signs" apps from the iTunes App Store so that iOS devices know they're authorized and authentic. But iOS devices will also install apps signed with enterprise distribution certificates, which Apple issues through its enterprise developer program to companies and organizations that want to run in-house apps on staff iPhones and iPads without going through the App Store.

WireLurker used an enterprise certificate to sneak its infected apps onto iOS devices. Apple has now revoked that certificate, so WireLurker-Trojanized apps should no longer install on non-jailbroken iPhones. (Jailbroken devices are still at risk.) However, infected Windows PCs or Macs that connect to iOS devices over USB will still be able to read device identifiers such as the serial number and UDID.
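The distinction that matters above is whether an app's provisioning profile lets it install on any device (enterprise in-house distribution) or only on a listed set of UDIDs. The script below is an added example written for this page; it is not WireLurker code and not Palo Alto Networks' detector. It pulls the XML plist out of an .ipa's embedded.mobileprovision (a CMS-signed blob) and reports the profile type, team name, expiry and number of signing certificates. The keys it reads (ProvisionsAllDevices, ProvisionedDevices, TeamName, ExpirationDate, DeveloperCertificates) are standard provisioning-profile keys; the sample .ipa it builds is constructed in memory for the demo. Two caveats are baked in as comments: the script does not verify Apple's CMS signature over the profile, and it cannot tell you whether Apple has revoked the certificate, which is exactly the control that stopped WireLurker.

```python
import io
import plistlib
import zipfile
from datetime import datetime

# The CMS (PKCS#7) blob in embedded.mobileprovision wraps an XML plist; locate it by its markers.
PLIST_START = b"<?xml"
PLIST_END = b"</plist>"


def extract_profile(mobileprovision: bytes) -> dict:
    """Return the plist inside a provisioning-profile blob.

    This does NOT verify Apple's CMS signature over the profile (iOS does that at
    install time), so treat the result as untrusted input suitable for triage only.
    """
    start = mobileprovision.find(PLIST_START)
    end = mobileprovision.find(PLIST_END, start)
    if start == -1 or end == -1:
        raise ValueError("no XML plist found in provisioning profile")
    return plistlib.loads(mobileprovision[start:end + len(PLIST_END)])


def classify_profile(profile: dict, now=None) -> dict:
    """Say what kind of distribution the profile allows and whether it has lapsed.

    Caveat: an unexpired enterprise profile still reports "enterprise" even if Apple
    has revoked the certificate; revocation is checked by the device against Apple,
    not recorded in the profile.
    """
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"            # in-house distribution: installs on any device
    elif "ProvisionedDevices" in profile:
        kind = "adhoc-or-development"  # pinned to the listed UDIDs
    else:
        kind = "unknown"
    now = now or datetime.utcnow()     # plistlib yields naive UTC datetimes
    expires = profile.get("ExpirationDate")
    return {
        "kind": kind,
        "team": profile.get("TeamName"),
        "expired": bool(expires and expires < now),
        "certificates": len(profile.get("DeveloperCertificates", [])),
    }


def audit_ipa(ipa_bytes: bytes, now=None) -> dict:
    """Find Payload/<App>.app/embedded.mobileprovision in an .ipa and classify it."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        for name in zf.namelist():
            if (name.startswith("Payload/") and name.count("/") == 2
                    and name.endswith(".app/embedded.mobileprovision")):
                return classify_profile(extract_profile(zf.read(name)), now)
    return {"kind": "none", "team": None, "expired": False, "certificates": 0}


def build_sample_ipa(all_devices: bool, expires: datetime) -> bytes:
    """Constructed test input (not a real WireLurker sample): a minimal .ipa whose
    profile plist is wrapped in placeholder bytes standing in for the CMS envelope."""
    profile = {
        "AppIDName": "Constructed Demo App",
        "TeamName": "Constructed Example Team",
        "ExpirationDate": expires,
        "DeveloperCertificates": [b"\x30\x03\x02\x01\x01"],  # placeholder, not a real DER cert
    }
    if all_devices:
        profile["ProvisionsAllDevices"] = True
    else:
        profile["ProvisionedDevices"] = ["00000000000000000000000000000000000000aa"]
    blob = b"\x30\x82\x00\x00" + plistlib.dumps(profile) + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Demo.app/Info.plist",
                    plistlib.dumps({"CFBundleIdentifier": "com.example.demo"}))
        zf.writestr("Payload/Demo.app/embedded.mobileprovision", blob)
    return buf.getvalue()


def demo() -> dict:
    """Audit the two constructed samples as of a fixed reference date (2014-11-07)."""
    ref = datetime(2014, 11, 7)
    return {
        "enterprise_expired": audit_ipa(build_sample_ipa(True, datetime(2014, 11, 6)), now=ref),
        "adhoc_valid": audit_ipa(build_sample_ipa(False, datetime(2015, 11, 6)), now=ref),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

On a real .ipa, an "enterprise" result with a team name you don't recognize is the signal worth acting on; whether that certificate is still honoured is only known to the device when it asks Apple at install time.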

"WireLurker is gone," Ryan Olson of Palo Alto Networks declared to security news site Threatpost.

It may not be gone forever. Jonathan Zdziarski, an independent iOS security researcher, pointed out on his blog that WireLurker's creators could simply use a different enterprise certificate. The inherent risks of enterprise iOS certificates will still exist, Zdziarski said, until Apple blocks installation of enterprise-signed apps on iOS devices that don't need them.

"There are a number of potentially more dangerous uses for WireLurker," Zdziarski wrote. "Unfortunately, many of them will go unnoticed by Apple in time to revoke a certificate."

The command-and-control server that communicated with the infected apps has also been shut down, at least for now. Setting up another command-and-control server would be trivial, and the next iteration of WireLurker could rapidly bounce its communications among many servers, as Windows botnets commonly do with fast-flux DNS or domain-generation algorithms.

To protect against infection by WireLurker or similar malware, don't connect your iOS devices to untrusted computers, avoid third-party app stores, don't jailbreak your iOS device, and do install OS X antivirus software. You can also run Palo Alto Networks' WireLurker detector on your Mac to see if you're already infected.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr. Follow Tom's Guide at @tomsguide and on Facebook.
