backtop


Print

This is perhaps the most serious malware infection seen yet by the iPhone, however it's only been observed in the wild in China so far

Palo Alto Networks Inc. (PANW) revealed a shocking discovery this week, warning of a dangerous new brand of malware that is targeting Apple, Inc.'s (AAPL) OS X operating system and iOS devices (iPhone/iPad/iPod Touch).  
 
I. Advanced iOS Malware is Believed to be the First to Infect Stock iOS Devices
 
iPhone malware has not been unheard of.  Having in March blown past 500 million iPhones sold to date, Apple's estimated user base of active devices is rumored to be around 400-450 million handsets (up from 325-250 million estimated in January).  Nearly half a billion users is too juicy a target to ignore.
 
But to date hackers have largely taken the path of least resistance, targeting the population of users who "jailbreak" their devices -- a process that involves using exploits to strip away Apple's firmware restrictions.  Jailbreaking is popular, in part, because it allows users to readily pirate many apps.  It is also legal in the U.S.  However, jailbreaking often leaves devices vulnerable by granting escalated privileges to the user and/or offering open security holes.
 
JailBreak Cydia
iPhone malware to date has exclusively targeted jailbroken users. [Image Source: JailBreakMe]

As many as 7.5 percent of iPhone users (30-34 million) globally have jailbroken their devices.  In some regions such as China, this figure is somewhat higher than the global average.  The latest numbers (from Marble Security) estimated that roughly 13 percent of Chinese iPhone users run jailbroken devices.  And that's down from the end of 2012, when over 30 percent of Chinese iPhones were jailbroken.
 
Malware -- including Trojans (apps designed to look like other apps) and worms (malware that jumps from device to device) -- have become relatively common in the world of jailbroken iPhones.  But malware for phones running stock iOS has been virtually nonexistent -- until now.
 
iOS and Mac
The new malware starts by infecting your Mac, then infects your iPhones and iPads.

Palo Alto's security team discovered the brand new Mac and iOS malware.  What particularly surprised it was its ability to infect locked iOS devices.  Palo Alto security research Claud Xiao reports:

Today we published a new research paper on WireLurker, a family of malware targeting both Mac OS and iOS systems for the past six months. We believe that this malware family heralds a new era in malware attacking Apple’s desktop and mobile platforms based on the following characteristics:
 
  • Of known malware families distributed through trojanized / repackaged OS X applications, it is the biggest in scale we have ever seen
     
  • It is only the second known malware family that attacks iOS devices through OS X via USB
     
  • It is the first malware to automate generation of malicious iOS applications, through binary file replacement
     
  • It is the first known malware that can infect installed iOS applications similar to a traditional virus
     
  • It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning
...

WireLurker monitors any iOS device connected via USB with an infected OS X computer and installs downloaded third-party applications or automatically generated malicious applications onto the device, regardless of whether it is jailbroken. This is the reason we call it “wire lurker”. Researchers have demonstrated similar methods to attack non-jailbroken devices before; however, this malware combines a number of techniques to successfully realize a new brand of threat to all iOS devices.


The good news is that American users are relatively safe for now.  The source of malicious Mac app is the Maiyadi App Store, a Chinese language third-party app store for OS X.  

OS X Trojans have been a relatively common occurence -- including in the U.S.  At times hundreds of thousands of Macs have been infected.  But as Palo Alto Networks states, the attack on devices running standard, secured iOS is somewhat unprecedented.
 
II. The OS X Side of the Infection
 
The site -- one a growing number of third party app stores catering to Chinese Mac owners -- claims to have 1.5 million registered users, according to Quartz.  Like most third party app stores in China it appears to carry a mix of pirated and legitimate software.
 
Palo Alto Networks states that a total 467 apps were revealed to be trojans, showing the signature of WireLurker.  Malware authors often look to recompile popular apps, putting extra malicious bits inside.  Thus a game or app from the store will likely function exactly like the real thing, but be quietly causing mischief in the background.
 
Maiyadi
Maiyadi popular Chinese third party Mac app store with over 1.2 million users hosted over 450 Trojan apps containing WireLurker.  These apps were downloaded hundreds of thousands of times.

The security researchers report that in the past half year, those trojans have been downloaded an estimated 356,104 times.  It's unknown how many Macs and iPhones are infected due to a couple factors.
 
First, there are multiple ways the trojan’s attack can fail on the Mac/OS X side.  An antivirus program may detect the app's unauthorized activity and stop it in its tracks.  And even for relatively naive users running OS X without antivirus software (a choice Apple itself recommends against), you still have to click through security warnings about third party apps, ignoring them, to allow the Trojan to infect the machine.  (Of course most users who download the app probably want it to install and will click through these warnings.)
 
III. The iPhone Gets Infected
 
The malware's end goal appears to be not necessarily to infect the user's Mac, but rather to try to make the leap to infecting the user's non-jailbroken iOS devices.  Once the malware takes root, though, there may be one final warning.  The malware proceeds to silently scan for connected iOS devices and compromise them by exploiting security flaws in Apple's enterprise provisioning firmware.  The iOS device will give the user a warning about whether to accept the provisioning, although if you've already chosen to allow provisioning (e.g. corporate iPhones) this warning may be suppressed.
 
MDM iOS
The malware exploits enterprise provisioning features in iOS, which allow automated installation of third-party cloud-hosted apps.

Once it gains access to the iOS device, it proceeds to install malicious mobile apps that can:
  • Steal your address book
  • Read iMessage text messages
  • Grab periodic malicious OTA updates from the attackers' command-and-control servers to adde new capabilities.
Claud Xiao writes that while the malware cannot escape offering the user some warnings, it is very sophisticated in its capabilities, delivery vector, and effort to cover its tracks.  He writes:

WireLurker exhibits complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to thwart anti-reversing. In this whitepaper, we explain how WireLurker is delivered, the details of its malware progression, and specifics on its operation.

It's unknown how many Mac users among the 350k+ downloads fell for the steps to complete the installation process, but given that the warnings are minimal and not unusual, it seems probable that "hundreds of thousands" of Chinese Macs are infected.  The bigger question is how many iOS devices are infected.  Palo Alto Networks admits that it's not sure.  The number may be as high as in the hundreds of thousands, or it may be somewhat lower in the tens of thousands of devices.

WireLurker
WireLurker hides inside pirated versions of popular games like Angry Birds.
[Image Source: Palo Alto Networks]

One more piece of good news is that the attackers don't seem to be actively harvesting the data their malicious apps collect -- not yet at least.  But that could soon change.  The security firm's director of threat intelligence, Ryan Olson, comments to The New York Times:

They are still preparing for an eventual attack.  Even though this is the first time this is happening, it demonstrates to a lot of attackers that this is a method that can be used to crack through the hard shell that Apple has built around its iOS devices.

In addition to publishing its white paper on the malware, its scope, the flaws that appear to enable it, and the steps that can be taken to prevent it, the security firm has also notified Apple of the flaw.

WireLurker
Apple pledged to stop the WireLurker threat before it goes global. [Image Source: Palo Alto Networks]

An Apple spokesperson stated to The NYT:

We are aware of malicious software available from a download site aimed at users in China, and we’ve blocked the identified apps to prevent them from launching.  As always, we recommend that users download and install software from trusted sources.

This is definitely the worst OS X and iOS security news in some time -- perhaps ever.  Apple should have time to patch the flaws, but in the meantime U.S. users shouldn't feel overconfident as similar Trojans will likely be popping up in third party Mac stores catering to the U.S., Europe, and other regions, given the success in China.
 
IV. Get an OS X Antivirus Program
 
Apple is also dealing with a dangerous, but somewhat less imminent threat in the form of the OS X "Rootpipe" vulnerability.  Discovered this week by Swedish security researcher Emil Kvarnhammar, the exploit gives full root access to a test code, if the user dismisses a handful of security warnings. The security warnings for "Rootpipe" are slightly more glaring than those of WireLurker.  And unlike WireLurker, the exploit has not been seen in malware in the wild.



Still, that could soon change.  Apple says it will patch the security flaws that led to the Rootpipe vulnerability, but it did not given a definite timetable of when a fix might land.  In recent weeks it's had its hands full patching 144 security flaws in various versions of OS X.  Fixes included a standalone patch for the ubiquitous Shellshock exploit in Unix-like operating systems with BASH terminals, OS X Server 4.0 fixes, a whopping 83 fixes for iTunes, and a total of 45 fixes for OS X 10.10 "Yosemite".

Thus if there's one take home message, it's that hackers are targeting Mac users with increasing sophistication.  Unfortunately Apple, unlike its rival Microsoft Corp. (MSFT), does not offer OS X users comprehensive antimalware software (limited antimalware capabilities have been found in recent builds of OS X since OS X 10.6 "Snow Leopard").  
 
Thus Mac owners would be wise to purchase third party antivirus software to protect their machines.  And given the commonalities from both vulnerabilities, it's clear that Mac users should be very wary of OS X security warnings, less they approve an attempt to infect their machine.

Sources: Palo Alto Networks [blog], [white paper; subscription required], via The New York Times, Quartz





"What would I do? I'd shut it down and give the money back to the shareholders." -- Michael Dell, after being asked what to do with Apple Computer in 1997







Latest Blog Posts






botimage
Copyright 2017 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki