Situation overview:
Yesterday, security firm Palo Alto Networks reported on a new family of malware, called WireLurker, that affects Apple’s OS X and iOS devices. WireLurker has been used to inject malicious code into Mac applications hosted on a third-party Mac app store in China. Once these trojanized apps are downloaded onto a Mac, WireLurker waits for an iOS device to connect via USB and then installs and runs similarly infected iOS apps on the connected iOS device. In many cases users might not notice any difference, since the iOS app will operate just like the legitimate version. However, once a device is infected, the malicious code will update itself, install additional infected applications and send user and device information to a remote server. This information includes personal information such as the user’s phone number and Apple ID, as well as device information such as serial number, model number and disk usage. This malware affects both jailbroken and non-jailbroken iOS devices.
Am I at risk?
WireLurker is currently known to affect only applications hosted on a third-party Mac app store in China. In addition, WireLurker only infects iOS devices through a USB connection to an infected Mac.
If you haven’t recently downloaded Mac apps from a third-party app store in China, or connected your iOS device via a USB cable to a Mac that may have been infected, then you are most likely not at risk.
How do I protect myself in the future?
The writers of WireLurker have already proven that they are capable of writing increasingly sophisticated (and dangerous) versions of this malware. While their goals are not completely clear at this point, it is important to ensure that you are not infected by similar threats in the future.
On your Mac:
- Do not install Mac applications from unknown or untrusted sources, including third-party app stores or download sites.
- Ensure that the System Preferences on your Mac are set to ‘Allow apps downloaded from: Mac App Store and identified developers’.
- Use security software for your Mac and keep this software up-to-date. The Norton products listed below provide full protection against OSX.WireLurker attacks. As long as your computer is connected to the internet, LiveUpdate will automatically download and install the latest virus updates every hour or two.
- Norton Antivirus for Mac
- Norton Internet Security for Mac
- Norton Antivirus for Windows
- Norton Internet Security
- Norton 360
- Norton 360 Multi-device
- Norton One
- Norton Security
On your iOS device:
- Keep your iOS software up-to-date.
- Do not connect your device to unknown computers or charging devices (Macs or PCs).
- Do not accept suspicious requests to install enterprise provisioning profiles on your iOS device.
What Else Do I Need To Know?
While you may not be a target for the current version of WireLurker, there are lessons to be learned from this new family of Malware. WireLurker demonstrates that our world is a connected one and it is not enough to think about device security solely from the perspective of a single device or platform.
As we increase the number and types of devices we use on a daily basis, attackers will continue to search for gaps in security wherever they can find them, and then use the trusted relationships between our devices to gain access to our network of personal information and data. This is why Norton Security contains coverage for multiple devices and operating systems. In addition to the best practices described above, if you are a Symantec customer with Norton Security and are running multiple devices and operating systems, we recommend that you install your protection on each device that you use.
Updated: WireLurker & Masque Attack on iOS.
Mobile security researcher FireEye is now describing an attack similar to WireLurker that may be of even greater concern. This attack, named Masque Attack, can replace legitimate apps on an iOS device with a compromised app that can collect confidential user information as well as obtain login credentials. Rather than requiring the user to be connected to a Mac via a USB cable, as WireLurker did, this attack can install compromised applications over the internet from a link in an instant message, email or web page.
Am I at risk?
The key thing to remember with these attacks is that they require you to install an application from a web page or other untrusted source. While any user could potentially be targeted by this type of attack, only those who ignore the warning prompts and proceed to install applications from untrusted third-party sources are at risk. In addition, FireEye is reporting that users compromised by an infected Masque Attack app may receive a warning stating “Untrusted App Developer” when first opening the app. If this happens, select “Don’t Trust” and uninstall the app immediately.
What can I do to protect myself?
- Keep your iOS software up-to-date.
- Do not connect your device to unknown computers or charging devices (Macs or PCs).
- Do not accept suspicious requests to install enterprise provisioning profiles on your iOS device.
- Use the Apple App Store to install software on your iOS device. Do not accept requests to install software from an untrusted or unknown web page, even if the app being installed appears to be genuine.