Apple comments on 'Wirelurker' malware, infected apps already blocked

There are once again some needlessly scary security articles going around, this time concerning malware dubbed "WireLurker". WireLurker hides inside pirated apps and tries to get people to install it on the Mac so it can transfer data to and from the iPhone or iPad over USB. It's important to point out that almost no one reading this is in any danger from WireLurker, and anyone who is can easily avoid it. When reached for comment, Apple said:

"We are aware of malicious software available from a download site aimed at users in China," an Apple spokesperson told iMore, "and we've blocked the identified apps to prevent them from launching. As always, we recommend that users download and install software from trusted sources."

According to a detailed report from security research firm Palo Alto Networks, a third-party Chinese app store appears to be serving up pirated versions of popular Mac apps that have been infected with WireLurker. Then, once WireLurker has infected the Mac, it sits waiting for an iOS device to be connected over USB.

When an iOS device is detected, WireLurker first exfiltrates device information including the serial number, phone number, UDID, and Apple ID. Next it attempts to determine if the device is jailbroken.

For non-jailbroken devices, it sounds as if all WireLurker can do is download and install enterprise-signed apps to the device. A user would then need to manually launch the installed app, then tap "Trust" when asked if they're sure they want to launch the app from an unknown developer. If an app were launched, its functionality would still be restricted by iOS's multitude of security restrictions, including application sandboxing, though it could potentially abuse private APIs, since enterprise-signed apps bypass the App Store review that normally blocks such usage. While enterprise signing can be abused to distribute malicious apps in this way, Apple has the ability to revoke enterprise certificates. Once a certificate has been revoked, apps using that certificate will fail to install on new devices. On any devices that have already installed the app, iOS will kill the app on launch when it sees that the certificate is no longer valid. It won't be long before Apple revokes the enterprise certificate being used to sign these apps, if they haven't done so already.

Update: Apple has revoked the certificate.

Jailbroken devices are not so lucky. Jailbreaking requires many of iOS's security measures to be bypassed and disabled, leaving devices vulnerable to a variety of attacks. As a result, WireLurker performs additional malicious actions on them, notably modifying system software and copying user data such as the Address Book and the Apple IDs found in any iMessages (strangely, it does not seem to take any interest in the content of those iMessages).

We haven't tested the malware, so we're not sure what, if any, additional user authorization or interaction may be required to infect a Mac. It's certainly not unusual for malware to try to trick people into typing in passwords or clicking/tapping on permission requests. Palo Alto Networks claims that, as malware goes, it's sophisticated and under active development, having already identified three distinct versions.

Regardless, if you don't frequent pirated app stores in China and don't download pirated Mac apps, you should be safe. If you do, and you're worried about WireLurker, stop frequenting pirated app stores and downloading pirated apps, and you should be safe.

If you think you might already be infected, Palo Alto Networks has provided a detection tool for Macs on GitHub.

For iOS devices prior to iOS 8, you can check Settings > General > Profiles to look for unknown distribution profiles that may indicate WireLurker's presence (though it's perfectly normal for many users to see some profiles here). For iOS 8, you may need to use a Mac app like Xcode or iPhone Configuration Utility in order to see and remove unwanted enterprise distribution profiles.

People with affected non-jailbroken devices should delete unknown profiles and any unknown or suspicious apps. If you have an affected device that is jailbroken, Palo Alto Networks recommends that you check whether the file "/Library/MobileSubstrate/DynamicLibraries/sfbase.dylib" exists, and if it does, open a terminal connection and manually delete it.
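The manual check above, written out as a small shell function for a terminal session on a jailbroken device. This is an added example, not code from the article or from Palo Alto Networks; the only indicator it knows is the sfbase.dylib path named in the article. Instead of deleting the file outright it moves it into a quarantine directory so it can be examined later, and the `ROOT` prefix argument is an assumption added so the check can be run against a test tree rather than the live filesystem.

```shell
#!/bin/sh
# Added example: look for the sfbase.dylib indicator named in the article and,
# if present, quarantine it rather than delete it so the sample is preserved.
# Usage: check_wirelurker_dylib [ROOT] [QUARANTINE_DIR]
#   ROOT defaults to "" (the real filesystem root); pass a temp dir to test.

INDICATOR="/Library/MobileSubstrate/DynamicLibraries/sfbase.dylib"

# Returns 0 when the indicator is absent, 1 when it was found (and quarantined).
check_wirelurker_dylib() {
    root="${1:-}"
    quarantine="${2:-$root/var/tmp/quarantine}"
    path="$root$INDICATOR"

    if [ ! -e "$path" ]; then
        echo "not found: $INDICATOR"
        return 0
    fi

    mkdir -p "$quarantine"
    # Record what was found before touching it: size, timestamps, and a hash
    # if a hashing tool happens to be installed on the device.
    ls -l "$path"
    if command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$path"
    fi

    mv "$path" "$quarantine/sfbase.dylib.$(date +%s)"
    echo "quarantined: $path -> $quarantine"
    return 1
}
```

Run it as `check_wirelurker_dylib` with no arguments on the device itself; a non-zero exit status means the file was present and has been moved aside.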

Apple has gone to great lengths, including App Store review processes, sandboxing, Gatekeeper on OS X, and privacy permissions, to keep iPhone, iPad, and Mac users safe. It typically takes direct user intervention — like the kind people are willing to do to steal apps — to circumvent those safeguards. Absent that, most people should have little to nothing to worry about when it comes to WireLurker in its current implementation.

Update: Added comment from Apple.

Rene Ritchie contributed to this article.

Nick Arnott