Researchers at Palo Alto Networks have discovered a new family of malware that targets iOS devices.  Called WireLurker because it compromises an iOS device over USB when the device is plugged into an infected Mac OS X computer, it has so far been reported almost entirely in China.  Three versions have been seen in the wild, each more sophisticated than the last.  I’ve read the white paper so that you don’t have to.

WireLurker is currently being distributed through the Maiyadi App Store, a Chinese third-party Mac app store and a sub-site of Maiyadi, an Apple fan site in China.  Third-party app stores, mostly non-existent in the United States, look much like the Apple App Store but are operated by vendors other than Apple, so nothing they carry has been through Apple's review.  The Maiyadi App Store has built a reputation for hosting pirated versions of premium Mac and iOS apps.

As of this writing, 467 apps on the Maiyadi App Store are infected with WireLurker.  WireLurker is a Trojan: its code is hidden inside seemingly harmless applications.  The unsuspecting user downloads one of these applications, and running it for the first time infects the computer.  Note that these downloads come from outside the Mac App Store, and Gatekeeper blocks apps that are not signed by an Apple-identified developer by default; a user who has relaxed that setting in order to run pirated software has removed one of the checks that would otherwise have stood in the way.

On a Mac, an app is essentially a bundle: a directory containing the executable, scripts, libraries and resources that make up the app, plus an Info.plist that names the main executable.  In an app Trojanized with WireLurker, some of these critical files have been renamed and moved, so that the code which runs when the bundle is opened is WireLurker's installer rather than the app.  When the app is launched for the first time the user expects only the app to start, but WireLurker is installing itself onto the system.  After installation, WireLurker takes a few steps to hide its tracks, moves the original app files back to their proper locations, and launches the original app as normal, so nothing looks wrong.
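The tampering described above is visible in the bundle layout itself. The script below is an added example (mine, not code from the white paper or from WireLurker) that audits a `.app` bundle: it reads `CFBundleExecutable` from `Contents/Info.plist`, checks that the named executable exists and is Mach-O, and flags any other Mach-O files sitting in `Contents/MacOS` or `Contents/Resources`, which is where a repackaged bundle tends to park the renamed original binary or a dropper. The bundle it audits is constructed in a temporary directory with 32-byte stand-ins for real Mach-O files; the names `Demo.app`, `start` and `Demo.orig` are made up for the demonstration and are not WireLurker's file names.

```python
import os
import plistlib
import tempfile

# Mach-O magic numbers: 32- and 64-bit in both byte orders, plus fat binaries.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",
}


def is_macho(path):
    """True if the file exists and starts with a Mach-O or fat-binary magic."""
    try:
        with open(path, "rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False


def audit_bundle(app_path):
    """Return a sorted list of findings for one .app bundle.

    Two checks: the executable named by CFBundleExecutable in Info.plist must
    exist in Contents/MacOS and be Mach-O, and no *other* Mach-O file may sit
    in Contents/MacOS or Contents/Resources.
    """
    findings = []
    contents = os.path.join(app_path, "Contents")
    try:
        with open(os.path.join(contents, "Info.plist"), "rb") as f:
            info = plistlib.load(f)
    except (OSError, plistlib.InvalidFileException):
        return ["missing or unreadable Contents/Info.plist"]

    declared = info.get("CFBundleExecutable")
    declared_path = os.path.join(contents, "MacOS", declared or "")
    if not declared:
        findings.append("Info.plist names no CFBundleExecutable")
    elif not is_macho(declared_path):
        findings.append("declared executable %r missing or not Mach-O" % declared)

    for sub in ("MacOS", "Resources"):
        for dirpath, _, files in os.walk(os.path.join(contents, sub)):
            for name in files:
                full = os.path.join(dirpath, name)
                if full != declared_path and is_macho(full):
                    findings.append("unexpected Mach-O: " + os.path.relpath(full, app_path))
    return sorted(findings)


def build_demo_bundle(root, trojanized):
    """Construct a minimal fake .app under root (constructed sample data, not a
    real application). With trojanized=True the layout mimics a repackaged
    bundle: an extra Mach-O in MacOS and the original binary parked in
    Resources under another name."""
    app = os.path.join(root, "Demo.app")
    macos = os.path.join(app, "Contents", "MacOS")
    resources = os.path.join(app, "Contents", "Resources")
    os.makedirs(macos)
    os.makedirs(resources)
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as f:
        plistlib.dump({"CFBundleExecutable": "Demo",
                       "CFBundleIdentifier": "com.example.demo"}, f)
    fake_macho = b"\xcf\xfa\xed\xfe" + b"\x00" * 28   # MH_MAGIC_64 header stub
    with open(os.path.join(macos, "Demo"), "wb") as f:
        f.write(fake_macho)
    if trojanized:
        with open(os.path.join(macos, "start"), "wb") as f:          # dropper
            f.write(fake_macho)
        with open(os.path.join(resources, "Demo.orig"), "wb") as f:  # moved original
            f.write(fake_macho)
    return app


def demo():
    """Audit a clean and a trojanized constructed bundle; returns both finding lists."""
    root = tempfile.mkdtemp()
    clean = build_demo_bundle(os.path.join(root, "clean"), trojanized=False)
    bad = build_demo_bundle(os.path.join(root, "bad"), trojanized=True)
    return audit_bundle(clean), audit_bundle(bad)


if __name__ == "__main__":
    clean_findings, bad_findings = demo()
    print("clean bundle:", clean_findings or "no findings")
    for line in bad_findings:
        print("trojanized bundle:", line)
```

This is a layout heuristic, not a signature check; some legitimate apps ship helper binaries in Resources, so treat a finding as a prompt to look closer. On a real Mac the authoritative check is `codesign --verify --deep --strict --verbose=2 /path/App.app`, which fails when any file inside a signed bundle has been added, renamed or altered.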

WireLurker runs as multiple background processes on the infected system, installed as launch daemons so that they come back after a reboot.  One of these processes periodically checks a command and control (C2) server for newer versions of the malware; if one is available, it downloads and installs it automatically.  The malware also downloads infected iOS applications and stores them for later use.  Another background process monitors the system for USB connections, waiting for an iOS device to infect.

When an iOS device is connected to an infected Mac by USB, WireLurker runs a few checks to learn about the device.  It then installs on the device the infected iOS apps it downloaded earlier, using the same USB pairing channel that iTunes uses, so the device treats the installation as an ordinary app install from a trusted computer.  What is remarkable about WireLurker is that it can install these apps on devices that have not been jailbroken.

For an app to run on an iOS device, it must carry a code signature that chains back to Apple, either the App Store's own signature or one issued under an Apple developer program.  Jailbreaking removes that enforcement, allowing the user to run apps Apple has not approved.  The primary drawback is that such apps have not been vetted by Apple, greatly increasing the chance of unwittingly installing malware.  For this reason and many others, Apple frowns on jailbroken phones.

To get around the signature requirement, WireLurker uses enterprise provisioning.  Apple's enterprise program lets an organization sign and distribute in-house apps to its own employees' devices without going through App Store review: the enterprise signing certificate, together with a provisioning profile that has ProvisionsAllDevices set, allows the app to run on any device rather than on a fixed list of registered test devices.  When WireLurker installs one of its infected apps on a victim's phone, the app is signed with such an enterprise certificate.  The only indication the user gets that something is amiss is a mysterious new app and, on first launch, a prompt asking whether to trust the enterprise developer that signed it; tap Trust and the app runs.
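An investigator who pulls an app off a device wants to know which kind of provisioning profile is embedded in it and who signed it. The script below is an added example (mine, not code from the white paper) that extracts the XML plist from a `.mobileprovision` blob, classifies the profile using the usual keys (`ProvisionsAllDevices` for enterprise, `ProvisionedDevices` plus `get-task-allow` for development or ad hoc), and reports the team, application identifier and expiry. The two profiles it decodes are constructed in the script, with a made-up team name, team ID and app ID, and a junk prefix standing in for the CMS envelope of a real signed profile.

```python
import plistlib
from datetime import datetime, timezone


def extract_plist(blob):
    """Pull the XML plist out of a .mobileprovision blob.

    A profile is a CMS (PKCS#7) SignedData structure whose payload is an XML
    plist, so the plist sits between the first '<?xml' and the last
    '</plist>'. This does NOT verify the CMS signature; on a Mac,
    `security cms -D -i file.mobileprovision` gives a verified decode.
    """
    start = blob.find(b"<?xml")
    end = blob.rfind(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no XML plist found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify_profile(profile, now=None):
    """Summarise a decoded profile: signer, kind, and whether it has expired.

    Heuristic: ProvisionsAllDevices marks an enterprise (in-house) profile, a
    ProvisionedDevices list marks development (get-task-allow) or ad hoc,
    and neither marks an App Store profile.
    """
    now = now or datetime.now(timezone.utc)
    ents = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"
    elif "ProvisionedDevices" in profile:
        kind = "development" if ents.get("get-task-allow") else "ad-hoc"
    else:
        kind = "app-store"
    exp = profile.get("ExpirationDate")
    if isinstance(exp, datetime) and exp.tzinfo is None:
        exp = exp.replace(tzinfo=timezone.utc)   # plistlib returns naive UTC
    return {
        "name": profile.get("Name"),
        "team": profile.get("TeamName"),
        "team_id": (profile.get("TeamIdentifier") or [None])[0],
        "app_id": ents.get("application-identifier"),
        "kind": kind,
        "expired": bool(exp is not None and exp < now),
    }


def make_fake_profile(plist_dict):
    """Wrap a plist in junk bytes standing in for the CMS envelope
    (constructed test data, not a real signed profile)."""
    envelope = b"\x30\x82\x1a\x2b\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
    return envelope + plistlib.dumps(plist_dict) + b"\x00" * 16


# Constructed samples; team name, team ID, device ID and app IDs are made up.
ENTERPRISE_SAMPLE = {
    "Name": "In-House Distribution",
    "TeamName": "Example Corp",
    "TeamIdentifier": ["ABCDE12345"],
    "ProvisionsAllDevices": True,
    "CreationDate": datetime(2014, 6, 1),
    "ExpirationDate": datetime(2015, 6, 1),
    "Entitlements": {"application-identifier": "ABCDE12345.*",
                     "get-task-allow": False},
}
DEV_SAMPLE = {
    "Name": "iOS Team Provisioning Profile",
    "TeamName": "Example Corp",
    "TeamIdentifier": ["ABCDE12345"],
    "ProvisionedDevices": ["0000000000000000000000000000000000000001"],
    "ExpirationDate": datetime(2099, 1, 1),
    "Entitlements": {"application-identifier": "ABCDE12345.com.example.app",
                     "get-task-allow": True},
}


def report(blob):
    """Decode one profile blob and return its summary plus a warning list."""
    summary = classify_profile(extract_plist(blob))
    warnings = []
    if summary["kind"] == "enterprise":
        warnings.append("enterprise profile: runs on any device once the user trusts the developer")
    if summary["expired"]:
        warnings.append("profile has expired; apps relying on it will no longer launch")
    return summary, warnings


if __name__ == "__main__":
    for sample in (ENTERPRISE_SAMPLE, DEV_SAMPLE):
        summary, warnings = report(make_fake_profile(sample))
        print(summary["name"], summary["kind"], summary["team_id"], warnings)
```

On a real IPA the profile is `Payload/<App>.app/embedded.mobileprovision`; an enterprise profile in an app the device owner never expected from their employer is the tell described above. Because this decoder skips signature verification, confirm anything that matters with `security cms -D` or `openssl smime -verify`.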

Once the app is launched, WireLurker has a foothold on the device.  This lets the malware extract data from the device over the USB connection and send it back to the C2 server.  In the most recent version, WireLurker collects information about the device including the serial number, the phone number, the model number, the device type, the device version, the user's Apple ID, the unique device identifier (UDID), the MAC address of the Wi-Fi interface, and disk usage information.

The white paper notes that WireLurker has achieved a number of firsts for Mac and iOS malware.  It is the first malware to infect iOS devices the way a traditional computer virus would, and the first seen in the wild to use enterprise provisioning to install malicious apps on a non-jailbroken device.  The malware continues to evolve, and beyond collecting the data noted above, the developers' end goal is not clear.  WireLurker is currently limited to China, but the moral of the story for users elsewhere is the same: download software only from trusted sources, leave Gatekeeper at its default setting, do not trust an enterprise developer prompt you were not expecting, and do not open suspicious apps on your iOS devices.  On a Mac, unexpected entries in /Library/LaunchDaemons and apps that fail codesign verification are the places to look.