Apple responds to ‘Wirelurker’ threat, revokes developer certificates

Following the recent discovery of the “Rootpipe” vulnerability in OS X, which allows an attacker to bypass the requirement for an administrative password and gain full control of a Mac, a new malware attack called “Wirelurker” (aka “MacHook”) has been revealed that affects iOS devices when they are paired with an infected OS X system. Apple has quickly responded to this threat by revoking the developer identities used to sign the apps identified as part of this malware campaign.

Outlined yesterday by security researchers at Palo Alto Networks, WireLurker is trojan horse malware distributed through China-based online app stores, as well as through re-packaged pirated applications circulated on underground networks, that takes advantage of Apple’s Enterprise Provisioning services for iOS to infect iOS devices. Once run on an OS X system, the malware monitors for any iOS device connected to the infected Mac with a USB cable, and then installs malicious applications onto the device. These programs then attempt to steal data and sensitive information.

In general, such threats have been thought to be a problem only for jailbroken devices, where Apple’s inherent security features are bypassed for the sake of customizing iOS to your liking; however, by using OS X and Apple’s official certificates to talk to the iOS device, this attack can similarly bypass security without requiring the device to be jailbroken.

Overall, Palo Alto Networks describes this threat as one of the largest-scale malware attacks using trojanized (repackaged) applications, having been downloaded over 356,104 times in the past six months by way of over 467 such altered programs. It is also the first in-the-wild malware to install malware on non-jailbroken iOS devices through automatic generation of malicious iOS applications, using binary file replacement in existing apps. As a result, this is one of the first malware attacks that affects iOS in a manner similar to a traditional virus or worm.

In quick response to this threat, Apple has taken steps overnight to help stem the impact that this attack has on iOS users, by revoking the certificates being used for the enterprise provisioning routines used by the malware. In a statement to MacNN, Apple has mentioned it is promptly addressing the problem:

“We are aware of malicious software available from a download site aimed at users in China and we’ve blocked the identified apps to prevent them from launching.”

In addition, Apple has quickly updated its XProtect malware scanning system that is built into OS X, to help detect the WireLurker installers being hidden in seemingly legitimate programs.

With these protections in place, if you attempt to open a program that Apple has identified, OS X will issue a warning that the program you are launching contains known malware, and recommend that you do not run it.

Even though these steps by Apple will help stem the spread of Wirelurker, keep in mind that your best defense for securing your Mac is to use computing “street smarts” and, in this case, only install programs from legitimate sources such as Apple’s App Store or direct downloads from the Web sites of reputable application developers.

In addition to avoiding underground software Web sites, unsolicited deals, offerings, and other suspicious lures, you can help keep your Mac and iOS devices safe by locking them down with encryption and secure passwords. See the following articles for some suggestions on how best to do this:

UPDATE: See here for more information on how to detect and remove the WireLurker malware from OS X and iOS systems.

One thought on “Apple responds to ‘Wirelurker’ threat, revokes developer certificates”

  1. B. Jefferson Le Blanc

    Apple’s response may seem quick, but this exploit has apparently been running around for six months undetected. On the other hand, a user has to be frequenting some shady Web sites and downloading dubious software in order to be infected. Such users have only themselves to blame if they get hacked, by this or any other malware. The dark-net is a dangerous place. Enter at your own risk.
