Researchers from Palo Alto Networks uncovered the largest malware attack against iOS devices, and the first attack of its kind to affect non-jailbroken devices on such a large scale. According to the report, there have been 467 infected Mac OS X applications that have been downloaded 356,104 times from the Chinese app store, Maiyadi, since March of this year. This malware is called WireLurker and is described as a “new era in OSX and iOS malware” by the researchers who discovered it.
This malware works by infecting users’ Macs when they download an infected app from the Maiyadi app store; it then spreads to their iPad or iPhone when the device is connected to the Mac through a USB cable.
After the two are connected, the Trojan installs infected iOS apps on the mobile devices through Apple’s “Enterprise Provisioning Profile” feature, which is normally used by businesses to install apps on their employees’ devices.
In this case, however, the feature was used to allow the malware to bypass the iPhone or iPad’s security. The user would still have to agree to use the app, but once he or she would click on “continue,” the infected app would be installed.
“WireLurker is unlike anything we’ve ever seen in terms of Apple iOS and OS X malware,” said Ryan Olson, Palo Alto Networks’ intelligence director.
“The techniques in use suggest that bad actors are getting more sophisticated when it comes to exploiting some of the world’s best-known desktop and mobile platforms.”
The researchers said that the malware was able to steal “a variety of information” from the mobile devices, including phone numbers from the Contact app and the user’s Apple ID. The malware would also repeatedly make requests to the attacker’s command-and-control server.
Apple has already issued a statement about this attack:
“We are aware of malicious software available from a download site aimed at users in China, and we’ve blocked the identified apps to prevent them from launching,” it said.
“As always, we recommend that users download and install software from trusted sources.”
The bad news is that it seems Apple only blocked the infected apps, but at best that’s a short-term solution. Apple will need to send an update to iOS that further restricts the use of Enterprise Provisioning Profiles on consumer iPhones and iPads so that the devices won’t be able to install such infected apps anymore.
Because Apple doesn’t have such a solution out yet, it’s unclear whether this could fix the malware problem for the jailbroken devices, too. iOS devices that are jailbroken are usually much more vulnerable to infection because the user has administrator privileges, which means the attackers do, too.
To minimize the effect of this malware, the researchers who uncovered it recommended that the users:
- Do not download Mac apps from third-party stores
- Do not jailbreak iOS devices
- Do not connect their iOS devices to untrusted computers and accessories, whether to copy information or to charge them
- Do not accept requests for a new “enterprise provisioning profile” unless it comes from an authorized party, for example the employer’s IT department
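As an added example (not code from the article or from the researchers’ report), the following Python script shows how a defender can tell an enterprise provisioning profile, the kind abused here, apart from a development or App Store profile, and refuse it unless its team is on an allow-list, which is the check the last recommendation above describes. The plist keys (ProvisionsAllDevices, ProvisionedDevices, TeamName, ExpirationDate) are the ones Apple uses in real .mobileprovision files; the sample profile bytes, the team name and the allow-list are constructed, and the script does not verify the profile’s CMS signature.

```python
"""Inspect an iOS .mobileprovision and flag enterprise (in-house) profiles
from teams that are not on an allow-list.

Key names are the ones Apple uses in real profiles; the sample profile and
the allow-list below are constructed for this example."""
import plistlib
from datetime import datetime, timezone

def extract_plist(profile: bytes) -> dict:
    """A .mobileprovision is a CMS (PKCS#7) blob wrapping an XML plist. The plist
    is stored verbatim, so slicing between its markers is enough to read it.
    NOTE: this does not verify the CMS signature."""
    start = profile.find(b"<?xml")
    end = profile.find(b"</plist>")
    if start == -1 or end == -1 or end < start:
        raise ValueError("no embedded plist found in profile")
    return plistlib.loads(profile[start:end + len(b"</plist>")])

def audit_profile(profile: bytes, allowed_teams=(), now=None) -> dict:
    """Classify the profile and say whether a user should refuse it."""
    info = extract_plist(profile)
    now = now or datetime.now(timezone.utc)
    if info.get("ProvisionsAllDevices"):
        kind = "enterprise"          # installs on ANY device, no App Store review
    elif "ProvisionedDevices" in info:
        kind = "development/ad-hoc"  # limited to the listed device UDIDs
    else:
        kind = "app-store"
    exp = info.get("ExpirationDate")          # plistlib yields a naive UTC datetime
    expired = exp is not None and exp.replace(tzinfo=timezone.utc) < now
    team = info.get("TeamName", "")
    # Refuse enterprise profiles unless the team is one the user already trusts
    # (e.g. the employer's IT department).
    refuse = kind == "enterprise" and team not in allowed_teams
    return {"kind": kind, "team": team, "expired": expired, "refuse": refuse}

# Constructed sample: opaque bytes stand in for the CMS wrapper around the plist.
SAMPLE_PROFILE = (
    b"\x30\x82\x01\x00<constructed CMS header>"
    + b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>AppIDName</key><string>Example Utility</string>
<key>TeamName</key><string>Constructed Corp</string>
<key>ProvisionsAllDevices</key><true/>
<key>ExpirationDate</key><date>2015-11-01T00:00:00Z</date>
</dict></plist>"""
    + b"<constructed signature trailer>"
)

if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE, allowed_teams=("My Employer IT",)))
```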
The past few months have not been good to Apple from a security point of view. From the hacking of celebrity iCloud accounts, to having Chinese users’ traffic intercepted by the Chinese government, to this rather widespread malware infection of non-jailbroken iOS devices, it’s becoming clear that increasingly more attackers are attempting to infect or hack Apple devices.
Despite all of the security checks Apple has implemented in its hardware and software, it was only a matter of time before malicious hackers would turn their attention to iOS and Macs, given the rising popularity of these devices, globally. Apple may be able to fix these issues as quickly as they appear, but they can’t put the cat back in the bag. More hackers have their eyes on Apple’s devices now, and there’s little doubt that there will be more such attacks in the future.
Source: Tom’s Hardware