There are once again some needlessly scary security articles going around, this time concerning \ »WireLurker\ ». WireLurker is a form of malware that tries to get people to install it on the Mac so it can access data from the IPHONE or IPAD over USB. it’s important to point out almost no one reading this is in any immediate danger from WireLurker, and anyone who is can easily avoid it. That being said, what is WireLurker and what’s going on here? Maiyadi, a third-party Chinese app store offering pirated Mac software, appears to be serving up trojanized versions of popular Mac apps, according to a detailed report from security researchers at Palo Alto Networks. Users download the software expecting to get a free version of an app they’d otherwise have to pay for, but instead are given a modified version of the software that includes WireLurker malware. According to Palo Alto Networks, once WireLurker has infected a user’s machine, it sits waiting for an iOS device to be connected over USB. Once an iOS device is detected, WireLurker first exfiltrates device information including the serial number, phone number, UDID, and Apple ID. Next it attempts to determine if the device is JAILbroken. For non-JAILbroken devices, it sounds as if all WireLurker can do is download and install enterprise-signed apps to the device. A user would then need to manually launch the installed app, then tap \ »Trust\ » when asked if they’re sure they want to launch the app from an unknown developer. If an app were launched, its functionality would still be restricted by iOS’s multitude of security restrictions, including application sandboxing, though could potentially abuse private APIs since enterprise signed apps bypass Apple’s App Store review that normally blocks such usage. While enterprise signing can be abused to distribute malicious apps in this way, Apple has the ability to revoke enterprise certificates. Once a certificate has been revoked, apps using that certificate will fail to install on new devices. On any devices that have already installed the app, iOS will kill the app on launch when it sees that it’s not valid. It won’t be long before Apple revokes the enterprise certificate being used to sign these apps, if they haven’t done so already. JAILbroken devices are not so lucky. JAILbreaking requires many of iOS’s security measures to be bypassed and disabled, leaving devices vulnerable to a variety of attacks. As a result, WireLurker performs additional malicious actions—notably, modifying system software, and copying user data such as Address Book and Apple IDs from any iMessages (strangely, not seeming to take interest in the content of those iMessages). I haven’t tested the malware, so I’m not sure what sort of popups or other forms of authorization WireLurker needs in order to install, connect, and transfer data, but it’s not unusual for malware to try and trick people into typing in passwords or clicking/tapping on permission requests. Palo Alto Networks claims that, as malware goes, it’s sophisticated and under active development, already identifying three distinct versions of the malware. Regardless, if you don’t frequent pirate app stores in China, and download pirated Mac apps, it seems you should be safe. If you do, and you’re worried about WireLurker, stop frequenting pirated app stores and downloading pirated apps. If you think you might already be infected, Palo Alto Networks has provided a detection tool for Macs on GitHub. For iOS devices prior to iOS 8, you can check Settings > General > Profiles to look for unknown distribution profiles that may indicate WireLurker’s presence (though it’s perfectly normal for many users to see some profiles here). For iOS 8, you may need to use a Mac app like Xcode or IPHONE Configuration Utility in order to see and remove unwanted enterprise distribution profiles. People with affected non-JAILbroken device should delete unknown profiles and any unknown or suspicious apps. If you have an affected device that is JAILbroken, Palo Alto Networks recommends that you check whether the file \ »/Library/MobileSubstrate/DynamicLibraries/sfbase.dylib\ » exists, and if it does, open a terminal connection and manually delete it. Apple has gone to great lengths, including App Store review processes, sandboxing, Gatekeeper on OS X, and privacy permissions, to keep IPHONE, IPAD, and Mac users safe. It typically takes direct user intervention — like the kind people are willing to do to steal apps — to circumvent those safeguards. Absent that, most people should have little to nothing to worry about when it comes to WireLurker. Rene Ritchie contributed to this article.

Source: The IPhone Blog

Comments are closed.