Malicious software campaign targets Apple users in China

At first blush, this malware, known as WireLurker, seems reasonably innocuous, since it was initially distributed only through trojanized apps on a third-party Mac app store in China (the Maiyadi App Store). It is more complicated than that, and that is what makes it potentially a much bigger issue.

The key is how it spreads. Once a WireLurker-infected app is on your Mac, the malware waits for you to connect an iOS device over USB. That is where the trouble really begins. According to Palo Alto Networks, the company that discovered and named WireLurker:

Users’ iOS devices could also become infected if they connected their mobile device to their Macs through a USB wire. “WireLurker monitors any iOS device connected via USB with an infected OS X computer and installs downloaded third-party applications or automatically generated malicious applications onto the device, regardless of whether it is jailbroken,” Palo Alto Networks security researchers said. “This is the reason we call it ‘wire lurker.’”

Obviously, if you don’t jailbreak your phone, and if you keep it away from computers and USB chargers you don’t trust, you should be safe, right?

That’s where the potential trouble spot lies. The key is staying within the trusted bubble of the iOS and Mac App Stores. Short of installing a test build or an enterprise-provisioned app, there is no easy way to get an app Apple has not reviewed onto a non-jailbroken iOS device. But what about the Mac? Many Mac apps are freely downloaded from the net and never pass through Apple’s review. What is to prevent WireLurker from embedding itself in one of those apps and spreading from there to non-jailbroken iOS devices?

WireLurker points out a weakness in the Apple ecosystem. Is it preventable? Certainly, if you stay within Apple’s bubble of safety, only downloading apps via the App Store. But given that people will not abide by that limitation, is there something Apple can do to prevent this sort of attack? I don’t know the answer to this, but I would wager a large beverage that this exact question is the subject of much discussion in the hallowed halls in Cupertino.
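The USB step described above works because the "Do you trust this computer?" decision is persisted on the Mac side. As an added example (this is not code from the article or from Palo Alto Networks), the following Python script lists the pairing records a host holds under /var/db/lockdown: a host with a still-valid record for your device can talk to it over USB without the prompt reappearing, which is exactly the position an already-trusted but now-infected Mac is in. Field names follow the lockdown pairing-record plist format; the directory needs root to read on macOS, and the sample record is constructed with fake identifiers.

```python
"""Audit the iOS pairing records an OS X host already holds.

Added example, not code from the article or from Palo Alto Networks.
Tapping "Trust" on the "Do you trust this computer?" prompt makes the
device accept a host certificate, and the host stores the matching
pairing record as a plist in /var/db/lockdown/<UDID>.plist.  A host that
still holds a valid record can talk to the device over USB without the
prompt appearing again.  Field names follow the lockdown pairing-record
format; the sample record below is constructed with fake identifiers.
"""
import hashlib
import pathlib
import plistlib
from typing import Dict, List, Union

LOCKDOWN_DIR = "/var/db/lockdown"  # libimobiledevice on Linux uses /var/lib/lockdown


def summarize_record(udid: str, data: bytes) -> Dict[str, object]:
    """Reduce one pairing-record plist to the fields that define the trust."""
    rec = plistlib.loads(data)
    host_cert = rec.get("HostCertificate", b"")
    return {
        "udid": udid,
        # HostID and SystemBUID identify the computer the device agreed to trust.
        "host_id": rec.get("HostID", "?"),
        "system_buid": rec.get("SystemBUID", "?"),
        # The device accepts sessions from whoever holds the key for this certificate.
        "host_cert_sha256": hashlib.sha256(host_cert).hexdigest() if host_cert else None,
        # An escrow bag lets this host unlock data-protection classes for sync and
        # backup without the passcode being typed again.
        "has_escrow_bag": bool(rec.get("EscrowBag")),
        "wifi_mac": rec.get("WiFiMACAddress"),
    }


def audit_pairing_records(lockdown_dir: Union[str, pathlib.Path] = LOCKDOWN_DIR) -> List[Dict[str, object]]:
    """List every device that currently trusts this host."""
    lockdown_dir = pathlib.Path(lockdown_dir)
    if not lockdown_dir.is_dir():
        return []
    results = []
    for path in sorted(lockdown_dir.glob("*.plist")):
        if path.name == "SystemConfiguration.plist":  # the host's own identity, not a pairing
            continue
        results.append(summarize_record(path.stem, path.read_bytes()))
    return results


# Constructed sample: a fake 40-hex-digit UDID and fake host identifiers.
SAMPLE_UDID = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_RECORD = plistlib.dumps({
    "HostID": "9E2D8B8C-0000-4000-8000-000000000001",
    "SystemBUID": "A1B2C3D4-0000-4000-8000-000000000002",
    "HostCertificate": b"-----BEGIN CERTIFICATE-----\nMIIB-fake-\n-----END CERTIFICATE-----\n",
    "DeviceCertificate": b"-----BEGIN CERTIFICATE-----\nMIIB-fake-\n-----END CERTIFICATE-----\n",
    "RootCertificate": b"-----BEGIN CERTIFICATE-----\nMIIB-fake-\n-----END CERTIFICATE-----\n",
    "EscrowBag": b"\x00" * 32,
    "WiFiMACAddress": "02:00:00:00:00:01",
})


if __name__ == "__main__":
    found = audit_pairing_records()
    if not found:
        print("no readable pairing records; showing the constructed sample instead")
        found = [summarize_record(SAMPLE_UDID, SAMPLE_RECORD)]
    for rec in found:
        print(rec)
```

A UDID you do not recognise means a device that currently trusts this Mac. Deleting the record, or resetting trusted computers on the device (Settings > General > Reset > Reset Location & Privacy), forces the prompt to appear again on the next connection.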



  • Personally, my concern is primarily if I plug my iPhone into something other than my trusted computers (like someone else’s computer to charge it). If I answer ‘no’ to the iPhone when it asks “Do you trust this computer?”, then under no circumstances should anything be installable on it.

    • Does it circumvent that prompt? Not clear from the article.

  • Tom_P

    “WireLurker points out a weakness in the Apple ecosystem.” And what weakness is that? No system is foolproof. If you downloaded from a 3rd party, 3rd rate store in CHINA, be prepared for the worst. Still, this malware can’t do s__t if you don’t jailbreak. Talk about meh.

    • Moeskido

      Yeah, you’re right. Let’s wait to care about this until it becomes a bigger problem that actually affects people we know. /s

      • Tom_P

        The problem, in this case, will be bigger or smaller depending on one’s own stupidity. If Apple is as hysterical as the writer of the original piece, we, the Apple customers, would end up like all Microsoft users who have to put up with a non-user-friendly system in the name of security.

        • Moeskido

          So, “RTFM.” Got it.

          • Tom_P

            Or read the article, not the headline.

    • James Hughes

      “Still, this malware can’t do s__t if you don’t jailbreak”

      Where are you getting this information that the malware can’t do shit if you don’t jailbreak?

      From the article (which I read in its entirety) and reiterated here:

      “With WireLurker, an infected application can reach a non-jailbroken phone from an infected Mac OS X system”

      While I agree that when potential issues such as this first reach the light of day, people tend to panic a bit more than they should. We’ll have to wait and see how much of this is actually accurate and be vigilant as usual.

      • Tom_P

        “With WireLurker, an infected application can reach a non-jailbroken phone from an infected Mac OS X system”

        Can reach but can do nothing.

        • James Hughes

          Again, where are you getting this information?

          • Tom_P

            “On non-jailbroken devices, WireLurker merely installs a fake comic book app.”

            http://www.cultofmac.com/302191/wirelurker-malware/

          • James Hughes

            Interesting, but still incomplete information. How is this fake comic book app installed? Is the user asked to install it? Is there a separate app that needs to be installed first? Some of the comments to the article hint at this but again are inconclusive.

            “On a non-jailbroken device the app is injected, but not activated. Only after the user has manually authorised iOS to install the necessary enterprise certificates can the app be loaded. It’s one of the standard procedures of enterprise provisioning to let users install apps outside of the iTunes store, and the malware cannot bypass this. Furthermore, the injected app is still under the control of iOS, and is banned from doing anything evil, such as accessing your contacts without permission.”

            I don’t just take someone’s word for these things though. It’ll be interesting to see how this all plays out. Even though these things have always turned out to be more FUD than real, I still err on the side of caution.

          • Tom_P

            “I don’t just take someone’s word for these things.” I don’t either, but I know iOS apps are always sandboxed. So anyone who wants to scare me with a click-bait article will have to do a much better job.

  • Player_16

    Just be sure that in System Preferences > Security & Privacy you have ‘Allow apps downloaded from: Mac App Store and identified developers.’
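The thread above turns on how an app gets onto a non-jailbroken device at all: it is signed against a provisioning profile, and an in-house (enterprise) profile installs on any device once the user has accepted it in Settings. As an added example (not code from the article, the commenters or Apple), the following Python script pulls the property list out of an app's embedded.mobileprovision and reports whether the profile is enterprise, ad-hoc or App Store, whether it has expired, and whether it allows a debugger to attach. The plist sits uncompressed inside the CMS signature envelope, so a regex suffices to extract it; the script does not verify the signature (`security cms -D -i <file>` on macOS does). The sample profile is constructed, with a fake team ID, UUID and certificate bytes.

```python
"""Inspect the provisioning profile an iOS app carries.

Added example, not code from the article, the commenters or Apple.
embedded.mobileprovision lives in Payload/<App>.app/ inside an .ipa.  It
is a CMS-signed envelope with the profile plist embedded uncompressed,
so the plist can be extracted with a regex.  Signature verification is
NOT performed here.  The sample profile is constructed (fake team ID,
UUID and certificate bytes).
"""
import datetime
import plistlib
import re
from typing import Dict, Optional

_PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_profile(mobileprovision: bytes) -> Dict[str, object]:
    """Pull the property list out of the signed envelope."""
    match = _PLIST_RE.search(mobileprovision)
    if match is None:
        raise ValueError("no embedded plist found in provisioning profile")
    return plistlib.loads(match.group(0))


def profile_report(mobileprovision: bytes, now_iso: Optional[str] = None) -> Dict[str, object]:
    """Classify the profile and flag the properties that matter for an install."""
    profile = extract_profile(mobileprovision)
    # plistlib yields naive datetimes, so compare against a naive UTC "now".
    now = (datetime.datetime.fromisoformat(now_iso) if now_iso
           else datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None))
    entitlements = profile.get("Entitlements", {})
    devices = profile.get("ProvisionedDevices", [])
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"          # installs on any device once the profile is trusted
    elif devices:
        kind = "development/ad-hoc"  # limited to the listed UDIDs
    else:
        kind = "app-store"           # distribution profile, only usable via the App Store
    return {
        "name": profile.get("Name"),
        "team": ", ".join(profile.get("TeamIdentifier", [])),
        "app_id": entitlements.get("application-identifier"),
        "kind": kind,
        "device_count": len(devices),
        "expired": profile["ExpirationDate"] < now,
        # get-task-allow means a debugger may attach: a development build, not production.
        "debuggable": bool(entitlements.get("get-task-allow")),
        "signing_certs": len(profile.get("DeveloperCertificates", [])),
    }


# Constructed sample: an enterprise profile for a hypothetical comic-reader app.
_SAMPLE_PLIST = plistlib.dumps({
    "Name": "Constructed In-House Profile",
    "UUID": "11111111-2222-3333-4444-555555555555",
    "TeamIdentifier": ["ABCDE12345"],
    "TeamName": "Example Corp (constructed)",
    "CreationDate": datetime.datetime(2014, 10, 1),
    "ExpirationDate": datetime.datetime(2015, 10, 1),
    "ProvisionsAllDevices": True,
    "Entitlements": {
        "application-identifier": "ABCDE12345.com.example.comicreader",
        "get-task-allow": False,
        "keychain-access-groups": ["ABCDE12345.*"],
    },
    "DeveloperCertificates": [b"\x30\x82\x01\x00 fake DER certificate bytes"],
})
# Junk bytes standing in for the CMS envelope that real files carry around the plist.
SAMPLE_MOBILEPROVISION = (
    b"\x30\x82\x0a\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
    + _SAMPLE_PLIST
    + b"\x31\x82\x02\x00 fake signature bytes"
)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MOBILEPROVISION
    for key, value in profile_report(data).items():
        print(f"{key:14} {value}")
```

Run it against an app's embedded.mobileprovision: an app you did not expect to be enterprise-provisioned, or one whose team ID you do not recognise, is exactly the kind of thing that lands on a non-jailbroken device only because a profile was trusted at some point.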