There is a new piece of malware targeting devices running Apple’s OS X and iOS operating systems, researchers said.
The malware, called “WireLurker,” can infect even non-jailbroken iOS devices through Trojanized and repackaged OS X applications, and is the first known malware family that can infect installed iOS applications similar to how a traditional virus would, said researchers at Palo Alto Networks.
Currently, the iOS component of WireLurker spreads only from an infected Mac OS X computer via USB, and the malware appears to be distributed mainly in China through a popular Apple-related software website called Maiyadi. Cybercriminals Trojanized most of the applications uploaded to the Maiyadi App Store between April 30 and June 11, the researchers said.
As of Oct. 16, 467 malicious apps had been downloaded 356,104 times, with almost half of the total downloads attributed to Trojanized versions of popular games such as The Sims 3, International Snooker 2012, Pro Evolution Soccer 2014, Bejeweled 3, Angry Birds, Spider 3, NBA 2K13, GRID, Battlefield: Bad Company 2, and Two Worlds II.
Once on a computer, WireLurker drops malicious executables, dynamic libraries and configuration files. The downloaded pirated apps work normally to avoid raising suspicion, the researchers said.
Some of the executable files dropped by the malware are loaded by OS X as launch daemons. There are daemons for command and control (C&C) communications, for downloading malicious iOS applications signed with enterprise certificates, and for attacking iOS devices connected to the infected computer via USB.
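The launch daemon persistence described above is what a defender would audit first on a suspect Mac. The following is an added example, not code from the article or from Palo Alto Networks: it parses launchd plists, extracts the program each daemon would start, and flags any whose binary lives outside the directories Apple normally ships code in or sits in a hidden directory. The trusted-prefix list and the three sample plists are constructed assumptions.

```python
# Added example: audit launchd daemon plists for programs started from unusual
# locations. Trusted prefixes and sample plists are constructed assumptions.
import plistlib
from typing import Dict, List, Optional, Tuple

# Directories where legitimately installed daemon binaries usually live (assumption).
TRUSTED_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/", "/Library/Apple/")


def daemon_program(plist_bytes: bytes) -> Optional[str]:
    """Return the executable a launchd plist would start, or None if unparseable."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:  # plistlib raises InvalidFileException or an XML parse error
        return None
    program = data.get("Program")
    if not program:
        args = data.get("ProgramArguments") or []
        program = args[0] if args else None
    return program


def is_suspicious(program: Optional[str]) -> bool:
    """Unparseable, outside trusted prefixes, or routed through a hidden (dot) directory."""
    if program is None or not program.startswith(TRUSTED_PREFIXES):
        return True
    return any(part.startswith(".") for part in program.split("/"))


def flag_daemons(plists: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (plist filename, program path) pairs that deserve manual review."""
    flagged = []
    for name, raw in plists.items():
        program = daemon_program(raw)
        if is_suspicious(program):
            flagged.append((name, program or "<unparseable>"))
    return flagged


def make_plist(label: str, args: List[str]) -> bytes:
    return plistlib.dumps({"Label": label, "ProgramArguments": args, "RunAtLoad": True})


# Constructed sample /Library/LaunchDaemons contents: one Apple-style daemon, one
# third-party binary under /usr/local, and one hiding in a dot directory.
SAMPLE_DAEMONS = {
    "com.apple.example.plist": make_plist("com.apple.example", ["/usr/libexec/example"]),
    "com.vendor.updater.plist": make_plist("com.vendor.updater", ["/usr/local/bin/updater"]),
    "com.example.hidden.plist": make_plist("com.example.hidden", ["/usr/bin/.hidden/svc"]),
}

if __name__ == "__main__":
    for name, program in flag_daemons(SAMPLE_DAEMONS):
        print(f"review: {name} starts {program}")
```

On a real system the same functions can be pointed at the files in /Library/LaunchDaemons, after which each flagged binary's signature should be checked separately.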
When the victim connects an iPhone or an iPad via USB, the malware determines whether the connected device is jailbroken. If it is, WireLurker backs up certain apps from the device to the infected computer and Trojanizes them with a malicious binary file. Other apps downloaded by the malware are also repackaged with the malicious binary. The applications are then installed on the iOS device.
If it detects a non-jailbroken device, the malware simply installs the downloaded iOS applications. WireLurker abuses iTunes protocols implemented by the libimobiledevice library to install the malicious apps onto iPhones and iPads.
On jailbroken devices, the malware is capable of injecting code into system applications, which allows it to steal contact names, phone numbers and Apple IDs, and send them back to the C&C server.
Palo Alto said the first version of WireLurker appeared in late April. Researchers spotted three versions, each of them more advanced than its predecessor.
From May 2014 through September 28, 2014, five different WireLurker files (representing three different versions) were submitted to VirusTotal, and none of the 55 detection engines used by VirusTotal flagged the samples as malware, the security firm said.