Congratulations, iPhone and iPad users, you too can start worrying about malicious software. A nasty piece of malware dubbed WireLurker has surfaced in China. “We believe that this malware family heralds a new era in malware across Apple’s desktop and mobile platforms,” writes enterprise security firm Palo Alto Networks, who investigated and named WireLurker.
Up to 356,000 users may have become victims after downloading infected OS X programs for their Macs from Maiyadi, which Palo Alto politely describes as “a third-party Mac application store in China”. A dodgy software site, in other words. Once those users’ computers were infected with WireLurker, it then infected, in turn, any iPhone or iPad that was plugged in via USB.
Palo Alto’s “new era” claim is true enough. This is a large-scale attack, at least by the standards of Apple’s magic garden in general and the iOS mobile operating system in particular.
“[It’s the] first known malware that can infect installed iOS applications similar to a traditional virus,” they write. It uses a number of different techniques to evade detection. And it exploits how the iPhone or iPad is “paired” with, that is, set up to trust, the specific computer it’s connected to, letting it install whatever software it wants.
“WireLurker is capable of stealing a variety of information from the mobile devices it infects and regularly requests updates from the attacker’s command and control server. This malware is under active development and its creator’s ultimate goal is not yet clear.”
The current incarnation of WireLurker isn’t a direct threat to most iDevice users — they’re unlikely to download their Mac software from Maiyadi or other non-Apple sources, and they may not have a Mac at all — but that could change quickly and easily. Other teams of bad guys will soon reverse-engineer WireLurker’s design and build upon what they learn.
Digital forensics researcher Jonathan Zdziarski has already begun such an analysis. He describes WireLurker as “in its infancy” and “mostly a collection of scripts, property lists, and binaries all duct-taped together on the desktop, making it easy to detect”.
The real problem, though, is more fundamental. The design of Apple’s mechanism for pairing an iPhone or iPad with a computer “allows for more sophisticated variants of this approach to easily be weaponised … While WireLurker appears fairly amateur, an NSA or a GCHQ, or any other sophisticated attacker could easily incorporate a much more effective (and dangerous) attack like this,” he wrote.
While iOS is generally considered to be the most secure consumer operating system out there — because Apple designed it that way from the very beginning — the public perception that it’s immune is more about magical thinking and the company’s famed reality distortion field, a myth based on ancient history.
As I wrote elsewhere in February, after the so-called “go-to fail” of iOS version 7.0.6, Apple is rather less forthcoming about security issues than other vendors.
“For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available,” says Apple’s security policy. Which means it may know full well about unpatched problems, and maybe the bad guys are already running amok, but you won’t know about them.
In February I called for a culture change at Apple. Now, in November, it would seem that the need for such change is more urgent.