WireLurker Apple Malware Targets Mac OS X Then iOS

Apple malware targets iOS by infecting OS X machines and then swapping legitimate apps for malicious ones as soon as an iOS device connects via USB.

A new family of malware emerged yesterday called WireLurker, and it’s capable of infecting devices running both Apple’s mobile iOS platform as well as its desktop Mac OS X operating system. Palo Alto Networks, the security company that uncovered the threat, believes that WireLurker could usher in a new era of increased Apple malware.


For years experts have warned of a coming onslaught of malicious wares targeting Apple systems. In equally hyperbolic fashion, the Cupertino, California computer companies’ more fervent fans have claimed their machines are immune to malware. The reality, as is so often the case, rests somewhere in the middle: Apple malware exists without a doubt but it is not as widespread as Windows and Android malware.

“WireLurker was used to trojanize 467 OS X applications in the Maiyadi App Store, a third-party Mac application store in China,” Palo Alto Networks’ researcher Claud Xiao said. “In the past six months, these 467 infected applications were downloaded over 356,104 times and may have impacted hundreds of thousands of users.”

Kaspersky Lab products detect and block this threat as Trojan Downloader.OSX.WireLurker.a, so you should be protected.

To be clear: this threat has only infected users in one popular, Chinese application marketplace, but that doesn’t mean it can’t spread elsewhere.

Interestingly though, WireLurker, unlike most prior iOS threats, can infect non-jailbroken devices. This reality is among the five or so reasons that Palo Alto Networks believes that WireLurker may be a watershed moment for Apple malware.

The other reasons are that WireLurker is a larger-scaled operation than previous families of Apple malware; it’s only the second known threat capable of attacking iOS devices via USB (as in: while they are plugged into your Mac); it can automatically generate malicious applications; and it’s also the first known malware capable of infecting already-installed iOS apps.

The way WireLurker works is that it moves to infect Mac machines by standard infection vectors. Then it waits for the user to plug their iOS device into their Mac’s USB port. Once that happens, WireLurker begins installing malicious applications on the iOS device. In particular, it seeks out three popular apps — the Chinese varieties of eBay, PayPal and a popular photo editor. It then uninstalls the legitimate version of those apps and replaces them with malicious ones.

Infected WireLurker applications installation screen (image from Palo Alto Networks report)

Infected WireLurker applications installation screen (image from Palo Alto Networks report)

Researchers said initially that WireLurker is under active development, so it will likely change and it’s impossible to say what its real purpose is at this point. Shortly before publication, Palo Alto Networks told Threatpost that Apple moved fast to revoke WireLurkers’ malicious certificates and that its authors have since completely shut down their malware operation.

Palo Alto Networks is offering a variety of tips about how to keep WireLurker off your networks. Most of the advice is enterprise-oriented, but there’s some stuff we’d like to reiterate so that you can protect your personal machines:

1. Run an antivirus product and keep it updated.

2. Check out your OS X “system preferences” then “security and privacy” and set it up so that you only allow downloads from the App Store and identified developers (see short video below).

3. On that note: don’t download apps from third party marketplaces.

4. Keep iOS and OS X updated.

5. Be careful about charging your iOS device by plugging it into computers other than your own.

Our friends here at Kaspersky Lab are investigating WireLurker as we speak and will have their own analysis of it on Securelist later today. That said, Kaspersky Lab products detect and block this threat as Trojan-Downloader.OSX.WireLurker.a, so you should be protected.

Update: Our experts said that first signs of existence of the Wirelurker malware were found by our researchers as early as July 2014 and further investigation revealed that there were discussions of the malware on some Asian forums in the end of May 2014. There is also a Windows version of the malware, which aimed at infection of iPhones connected to Win PC’s. The earliest found version of this malware has been compiled in March 2014. Kaspersky Security Network has already registered detections of the malware, not much (less than 20 attempts so far), most of them were detected in China. You can read full story on Securelist.com