New 'WireLurker' malware targets Chinese Apple users, hops from OS X to iOS via USB
Coming less than one week following the discovery of an OS X vulnerability called "Rootpipe," computer security researchers have found a new form of malware dubbed "WireLurker," which infects well-protected iOS devices through OS X.
Security experts at Palo Alto Networks outlined WireLurker in a research paper published on Wednesday, saying of the malware, "It is the biggest in scale we have ever seen," reports The New York Times.
WireLurker has been active in China for the past six months, first infecting Macs by inserting trojan software through repackaged OS X apps, then moving on to iOS devices via USB. The firm claims the malware is the first to automate generation of malicious iOS apps by implementing a binary file replacement attack.
"They are still preparing for an eventual attack," said Ryan Olson, Palo Alto Networks' director of threat intelligence. "Even though this is the first time this is happening, it demonstrates to a lot of attackers that this is a method that can be used to crack through the hard shell that Apple has built around its iOS devices."
Unlike other viruses, which usually target jailbroken iOS devices, WireLurker can jump from a Mac onto an iPhone running a vanilla version of Apple's operating system by leveraging Apple's enterprise provisioning assets.
As described by Palo Alto Networks, WireLurker uses the infected programs to monitor a Mac for newly connected iOS devices, then installs malicious applications over USB that are either downloaded from a remote server or generated autonomously on the device. Once installed, the malware can access sensitive data such as user contacts, read iMessages and ping a remote server for command-and-control operations, among other nefarious functions.
So far, 467 OS X apps have been infected and distributed through China's third-party Maiyadi App Store, with downloads totaling over 356,104, possibly impacting "hundreds of thousands of users." It is unclear what information the malware's creator is after, but the code is being continuously updated and is therefore deemed active.