Staying Safe from Wirelurker: the Combined Mac/iOS Threat
The newly discovered Wirelurker malware affecting both OS X and iOS devices has been covered extensively in the media. While this is a significant incident, some of the coverage appears to have been exaggerated, and might lead users to unnecessary panic. Several points would be useful in helping calm down the worst fears of users and distilling what we need to learn from all this.
First of all, Wirelurker is currently not an active threat. Known variants have already been blocked by OS X, and the command-and-control servers are offline as well. This significantly reduces the threat that this malware poses to users. The stolen certificate that enabled this attack has also been revoked by Apple, mitigating the most novel aspect of this threat (pushing apps onto non-jailbroken devices).
Secondly, no new vulnerability was used to spread Wirelurker. It arrived on OS X machines via Trojanized (and pirated) apps; pirated apps have been a favored vector to spread malware for many years. We detect these malicious apps as OSX_WIRELURK.A.
Similarly, the features used to transfer the malware onto iOS devices used features that are part of Apple’s mobile platform. For example, enterprise provisioning is used in enterprise environments to install custom apps onto the organization’s iOS devices. The problem here was that an organization (apparently a Chinese mobile app developer) lost control of their signing certificate, which allowed malicious apps to be signed and therefore, trusted.
Thirdly, Wirelurker did succeed in installing apps on non-jailbroken devices. However, we haven’t discovered any malicious behavior on the part of these apps. The apps that contain malicious backdoor could only be installed onto jailbroken devices. In addition, iOS shows a pop up and asks for the user’s permission before installing an app via enterprise provisioning app. In non-jailbroken devices, these also run within their own sandbox, so they need permission to access contacts, location information, and other sensitive information.
We cannot rule out that this was just a test of attacks via enterprise provisioning, and that the attacker may add malicious code in the future. However, such code is not yet present in the apps delivered to non-jailbroken devices. (We detect the malicious apps installed onto jailbroken devices as IOS_WIRELURKER.A.
Wirelurker does not push malware onto affected, non-jailbrokem devices, only unwanted apps. It becomes a question of controlling unwanted (but not malicious) apps – essentially an annoyance, but not a significant risk. However, jailbroken phones will be infected by malicious apps.
Fourth, enterprise provisioning is a known attack vector against mobile devices, and has been for some time. For example, earlier this year at VB there was a demonstration of how a stealth backdoor could be installed onto an iOS device using enterprise provisioning. If Apple is not able to properly lock this aspect of iOS device management down, this could pose a problem in the long run.
What Wirelurker demonstrates is that Macs and iOS devices can become victims of online threats just as Windows and Android devices are if users engage in unsecure behavior. Software piracy has been risky practically from day 1.Pirated apps aimed at users with jailbroken devices may also become a popular infection vector. The same can be said for iOS apps as well. No computing platform is “secure” if its users behave insecurely.
We also note that while these attacks initially hit OS X users, we have also seen Windows-based malware that perform similar attacks. We detect these as TROJ_WIRELURK.A.