{"id":4254,"date":"2014-11-06T14:20:50","date_gmt":"2014-11-06T19:20:50","guid":{"rendered":"http:\/\/me-en.kaspersky.com\/blog\/?p=4254"},"modified":"2017-05-19T03:13:01","modified_gmt":"2017-05-19T07:13:01","slug":"wirelurker-ios-osx-malware","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/wirelurker-ios-osx-malware\/4254\/","title":{"rendered":"WireLurker Apple Malware Targets Mac OS X Then iOS"},"content":{"rendered":"<p>A new family of malware called WireLurker emerged yesterday, and it\u2019s capable of infecting devices running both Apple\u2019s mobile iOS platform and its desktop Mac OS X operating system.\u00a0Palo Alto Networks, the security company that uncovered the threat, believes that WireLurker could usher in a new era of increased Apple malware.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2014\/11\/05102758\/smashedapple1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-6568\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2014\/11\/05102758\/smashedapple1.png\" alt=\"smashedapple\" width=\"800\" height=\"600\"><\/a><\/p>\n<p>For years experts have warned of a coming onslaught of malicious wares targeting Apple systems. In equally hyperbolic fashion, the Cupertino, California computer company\u2019s more fervent fans have claimed their machines are immune to malware. The reality, as is so often the case, rests somewhere in the middle: Apple malware exists without a doubt, but it is not as widespread as Windows and Android malware.<\/p>\n<p>\u201cWireLurker was used to trojanize 467 OS X applications in the Maiyadi App Store, a third-party Mac application store in China,\u201d Palo Alto Networks\u2019 researcher Claud Xiao said. 
\u201cIn the past six months, these 467 infected applications were downloaded over 356,104 times and may have impacted hundreds of thousands of users.\u201d<\/p>\n<div class=\"pullquote\">Kaspersky Lab products detect and block this threat as Trojan-Downloader.OSX.WireLurker.a, so you should be protected.<\/div>\n<p>To be clear: this threat has only infected users in one popular, Chinese application marketplace, but that doesn\u2019t mean it can\u2019t spread elsewhere.<\/p>\n<p>Interestingly though, WireLurker, unlike most prior iOS threats, can infect non-jailbroken devices. This reality is among the five or so reasons that Palo Alto Networks believes that WireLurker may be a watershed moment for Apple malware.<\/p>\n<p>The other reasons are that WireLurker is a larger-scale operation than previous families of Apple malware; it\u2019s only the second known threat capable of attacking iOS devices via USB (as in: while they are plugged into your Mac); it can automatically generate malicious applications; and it\u2019s also the first known malware capable of infecting already-installed iOS apps.<\/p>\n<blockquote class=\"twitter-pullquote\"><p>#WireLurker Apple #malware infects #OSX machines then transmits itself to #iOS devices via USB connection<\/p><\/blockquote>\n<p>The way WireLurker works is that it moves to infect Mac machines by standard infection vectors. Then it waits for the user to plug their iOS device into their Mac\u2019s USB port. Once that happens, WireLurker begins installing malicious applications on the iOS device. In particular, it seeks out three popular apps \u2014 the Chinese varieties of eBay, PayPal and a popular photo editor. 
It then uninstalls the legitimate versions of those apps and replaces them with malicious ones.<\/p>\n<div id=\"attachment_6571\" style=\"width: 709px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2014\/11\/05102756\/wirelurker-install.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-6571\" class=\"wp-image-6571 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2014\/11\/05102756\/wirelurker-install.png\" alt=\"Infected WireLurker applications installation screen (image from Palo Alto Networks report)\" width=\"699\" height=\"418\"><\/a><p id=\"caption-attachment-6571\" class=\"wp-caption-text\">Infected WireLurker applications installation screen (image from <a href=\"https:\/\/www.paloaltonetworks.com\/content\/dam\/paloaltonetworks-com\/en_US\/assets\/pdf\/reports\/Unit_42\/unit42-wirelurker.pdf\" target=\"_blank\" rel=\"noopener nofollow\">Palo Alto Networks report<\/a>)<\/p><\/div>\n<p>Researchers said initially that WireLurker is under active development, so it will likely change and it\u2019s impossible to say what its real purpose is at this point. Shortly before publication, Palo Alto Networks told Threatpost that Apple moved fast to revoke WireLurker\u2019s malicious certificates and that its authors have since completely shut down their malware operation.<\/p>\n<p>Palo Alto Networks is offering a variety of tips about how to keep WireLurker off your networks. Most of the advice is enterprise-oriented, but there\u2019s some stuff we\u2019d like to reiterate so that you can protect your personal machines:<\/p>\n<p>1. Run an antivirus product and keep it updated.<\/p>\n<p>2. 
Check out your OS X \u201csystem preferences\u201d then \u201csecurity and privacy\u201d and set it up so that you only allow downloads from the App Store and identified developers (see short video below).<\/p>\n<span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/d0_qDLdAG4I?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span>\n<p>3. On that note: don\u2019t download apps from third-party marketplaces.<\/p>\n<p>4. Keep iOS and OS X updated.<\/p>\n<p>5. Be careful about charging your iOS device by plugging it into computers other than your own.<\/p>\n<p>Our friends here at Kaspersky Lab are investigating WireLurker as we speak and will have their own analysis of it on Securelist later today. That said, Kaspersky Lab products detect and block this threat as Trojan-Downloader.OSX.WireLurker.a, so you should be protected.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Apple malware targets iOS by infecting OS X machines and then swapping legitimate apps for malicious ones as soon as an iOS device connects via USB. 
<\/p>\n","protected":false},"author":42,"featured_media":4255,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[14,656,802,1061,832,833,27,34,555,114,521],"class_list":{"0":"post-4254","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-apple","9":"tag-apple-malware","10":"tag-apple-security","11":"tag-ios","12":"tag-ios-malware","13":"tag-ios-security","14":"tag-itunes","15":"tag-mac","16":"tag-mobile-2","17":"tag-os-x","18":"tag-threats"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/wirelurker-ios-osx-malware\/4254\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/wirelurker-ios-osx-malware\/4327\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/wirelurker-ios-osx-malware\/4781\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/wirelurker-ios-osx-malware\/5020\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/wirelurker-ios-osx-malware\/5941\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/wirelurker-ios-osx-malware\/6563\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/wirelurker-ios-osx-malware\/5373\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/wirelurker-ios-osx-malware\/5941\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/wirelurker-ios-osx-malware\/6563\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/wirelurker-ios-osx-malware\/6563\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/apple\/","name":"apple"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4254","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.co
m\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/42"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=4254"}],"version-history":[{"count":1,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4254\/revisions"}],"predecessor-version":[{"id":6570,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4254\/revisions\/6570"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/4255"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=4254"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=4254"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=4254"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}