WireLurker: A ‘new breed’ of Apple malware out of China

November 6, 2014, 12:08 PM UTC

Compared with Android phones or Windows PCs, Apple’s products are relatively impervious to malware, which is what makes WireLurker so interesting.

According to Palo Alto Networks, a California company that sells firewalls to businesses, a new family of malware has been quietly infiltrating OS X and iOS devices for the past six months, gathering information and preparing for some kind of unspecified attack.

The researchers who discovered the plot called it WireLurker because it can infect even pristine, non-jailbroken iPhones and iPads through computer cables.

There are no reports of WireLurker infecting Apple devices outside China, and Apple says it has taken steps to prevent that from happening.

“We are aware of malicious software available from a download site aimed at users in China, and we’ve blocked the identified apps to prevent them from launching,” an spokesperson told Fortune. “As always, we recommend that users download and install software from trusted sources.”

The fact that someone found a way to do it has to be troubling news for Apple, which markets itself as the company that protects its users’ privacy and keeps them safe.

Getting through Apple’s defense systems wasn’t easy, and it required the breeding ground of hundreds of millions of jailbroken Chinese iOS devices to get started.

Researchers at Palo Alto Network’s (PANW) Unit 42 traced WireLurker to a third-party Mac application store in China called Maiyadi App Store. There it “trojanized” 467 OS X applications, according to a white paper published Wednesday, and those apps were downloaded more than 356,104 times. In all, hundreds of thousands of users may have been affected.

Screen Shot 2014-11-06 at 5.01.23 AMTo download the infected apps, users would have had to change the security settings on their Macs and ignore several pop-up warnings.

But once installed, the apps could make the leap to devices that followed all the rules.

From Palo Alto Network’s press release:

WireLurker monitors any iOS device connected via USB with an infected OS X computer and installs downloaded third-party applications or automatically generated malicious applications onto the device, regardless of whether it is jailbroken. This is the reason we call it ‘wire lurker’…

“WireLurker is capable of stealing a variety of information from the mobile devices it infects and regularly requests updates from the attackers command and control server. This malware is under active development and its creator’s ultimate goal is not yet clear.”

Security experts have long debated why it is that Apple’s computers were spared the waves of malware that have infected competing systems over the years. Was it because Apple’s systems were inherently more secure? Or because there weren’t enough Macs out there to make an interesting target?

[fortune-brightcove videoid=3866794923001]
In the post-PC era, with Apple selling hundreds of millions of devices per year, the “security by obscurity” theory may get put to the test.

Meanwhile, Palo Alto Networks offers some advice:

  • In the OS X System Preferences panel under “Security & Privacy,” ensure “Allow apps downloaded from Mac App Store (or Mac App Store and identified developers)” is set
  • Do not download and run Mac applications or games from any third-party app store, download site or other untrusted source
  • Keep the iOS version on your device up-to-date
  • Do not accept any unknown enterprise provisioning profile unless an authorized, trusted party (e.g. your IT corporate help desk) explicitly instructs you to do so
  • Do not pair your iOS device with untrusted or unknown computers or devices
  • Avoid powering your iOS device through chargers from untrusted or unknown sources
  • Similarly, avoid connecting iOS devices with untrusted or unknown accessories or computers (Mac or PC)
  • Do not jailbreak your iOS device; If you do jailbreak it, only use credible Cydia community sources and avoid the use or storage of sensitive personal information on that device


Link: WireLurker: A New Era in iOS and OS X Malware

Follow Philip Elmer-DeWitt on Twitter at @philiped. Read his Apple (AAPL) coverage at fortune.com/ped or subscribe via his RSS feed.