Wirelurker - another wake up call for OS X and iOS users

MWR's Dave Hartley gives the lowdown on this OSX & iOS malware, with advice and practical security recommendations

Key Facts

  • There is no 0day vulnerability involved; therefore there is no patch to fix the issue.
  • Currently, the malware is targeting and propagating amongst Chinese Mac and iPhone/iPad users.
  • None of the techniques used are new.
  • The malware is currently not fully functional – i.e. it’s just harvesting data, it could be doing more.
  • Its propagation channel is an unofficial Chinese App Store (known for pirate software).
  • There is no direct vector of infection for an iPhone/iPad (iOS) device.
  • The initial ‘compromise’ must be of the desktop OS X system.
  • There is no significant risk from this malware to sensible and security aware / conscientious users.

Practical recommendations to avoid infection

  • Use Apple Gatekeeper to ensure that only applications downloaded from the official Apple App Store are allowed to execute on desktop OS X systems.
  • Don’t pair and choose to pair your iDevice with OS X and Windows systems that you do not trust.
  • Check the configuration / provisioning profiles installed on your iDevice are as expected. For most people there should be none, for devices issued by your company and/or in a BYODscenario, ensure your company has installed the profile present.


WireLurker is a piece of malware that targets Apple Mac (OS X) systems and iPhone/iPads (iDevices). The technicalities of it’s behavior and capabilities are detailed in Palo Alto Networks white paper titled "WireLurker: A New Era in iOS and OS X Malware”. It is able to propagate from infected OS X systems to jailbroken and non-jailbroken iDevices (iOS).

On the face of it, it all sounds very worrisome. However the malware is not exploiting any vulnerabilities to compromise the OS X or iOS systems. A user must download, install and/or execute the malicious software. Once it has a foothold, the malware actually abuses standard design features of OS X and iOS to propagate to a non-jailbroken iDevice. For a jailbroken device, again it takes advantage of legitimate service configured as part of the jailbreak process. When the malware installs itself on a non-jailbroken device, it is still must operate within the confines of the restrictive sandbox model. It also cannot automatically execute itself; the user of the device must again execute it. When this happens a warning is presented to the user that they must ignore.

It is possible for the malware to propagate to a non-jailbroken device because it has been signed with an Enterprise developer key. Applications will only run on a non-jailbroken iDevice if they have been licensed as part of the Apple Developer Program. An Apple sanctioned developer key has been used to sign the malware. Such keys are available to anyone who can pay Apple the $299 necessary to obtain one. The warning presented informs the user of the device that the application has not been distributed via the official Apple App Store and has been signed with an Enterprise developer key.

When an iDevice is jailbroken some of the security features of iOS are weakened and this allows the malware to silently infect the device.

Once the malware has successfully implanted itself into a system and/or device it is able to begin ciphering information pertaining to the device it has taken residency on as well as harvesting personal data available to it. The malware can be dynamically updated via its command and control channels remotely; therefore in the future it could be instructed to execute more actions and be given more nefarious capabilities.

The majority of users infected by the malware have been infected through the installation of pirated software from an unofficial Chinese App Store named “Maiyadi”. Pirated software available on the App Store has been infected with the malware. When the user downloads the pirated software and installs it, the malware piggy backing a ride can then infect the desktop OS X system and in turn ‘jump’ to any connected iDevices.

The techniques employed by the malware to achieve persistence, propagate and to harvest information are not new. They have been discussed and exploitation scenarios theorised for some time. Proof of concepts have been produced to demonstrate how these features can be abused for similar purposes by security researchers in the public domain also. MWR Labs use similar techniques when performing sanctioned cyber security assessments against OS X and iOS targets. This malware highlights what most in the industry already knew was possible and it also serves to warn of the dangers of downloading and executing software of a questionable nature from dubious sources.

The malware is currently targeting Chinese users of OS X and iOS systems, largely due to its reliance on the unofficial Chinese App Store Maiyadi as an initial point of infection. However it would be diligent for all OS X and iOS users to take sensible precautions to protect themselves from this malware and compromise via the same vectors by other threat actors and/or malicious software.

Similar to how the majority of Android malware propagates, software available in the “Maiyadi” App Store has been ‘repackaged’ by the malware author to include, as well as the original executable and related functionality, the malicious program. Once downloaded and installed, the malware is activated and the system infected.

OS X actually includes a number of security features to help protect from this kind of threat, and these have to be disabled and/or ignored for this piece of malware to achieve an initial foothold on an OS X system. Namely Apple Gatekeeper. By default, Gatekeeper ensures that only applications downloaded from the Apple App Store or applications that have been signed with an official Apple Developer ID will execute. Only software that you trust and/or can verify as being reputable should be installed and/or executed on any system, not just Apple ones.

A small script is available from Palo Alto Networks to scan your OS X system for signs of infection. It would be prudent to ensure that no suspicious profiles have been installed on your iDevice also. The WireLurker malware makes use of an enterprise provisioning profile when making the jump to a non-jailbroken iDevice. To inspect the installed profiles on your device go to Settings > General > Profiles.

The malware propagates to any connected iDevices by abusing the trust relationship established between the desktop system and the iDevice. When an unlocked iDevice is connected to iTunes on an OS X or Windows system, and a conscious choice to trust that computer is made (via clicking ‘Trust’ on the prompt on the device), a pairing record is created that maintains that trust for future connections. This is legitimately in place to allow users to manage their devices, install applications and copy music files etc. using iTunes. It is good practice to not pair your iDevice with untrusted systems.

In summary, there is no significant risk from this malware to sensible and security aware / conscientious users. It’s important to stress that no 0day vulnerability exists, no patchable security flaw is responsible – these systems and devices are being compromised through the abuse of legitimate and expected functionality (features that are actually very useful for users). Unfortunately, security is at perpetual odds with convenience. In some cases compromise is also relying on the lack of security awareness from the system and device owners.

This piece of malware should serve as another wake up call for OS X and iOS users who blindly trust the Apple eco system is ’secure’ and immune from the same cyber security threats that Linux, Windows systems and Android mobile devices face.


WireLurker: A New Era in iOS and OS X Malware
Original proof of concept
Apple Gatekeeper
Wirelurker detector script
‘Trust This Computer’ alert on iPhone, iPad, or iPod touch



Accreditations & Certificates

MWR is an accredited member of The Cyber Security Incident Response Scheme (CSIR) approved by CREST (Council of Registered Ethical Security Testers).
MWR is certified under the Cyber Incident Response (CIR) scheme to deal with sophisticated targeted attacks against networks of national significance.
We are certified to comply with ISO 9001 and 14001 in the UK, internationally accepted standards that outline how to put an effective quality and environmental management systems in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR is approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisation's adherence to PCI DSS.
As members of CHECK we are measured against high standards set by NCSC for the services we provide to Her Majesty's Government.
MWR’s consultants hold Certified Simulated Attack Manager (CCSAM) and Certified Simulated Attack Specialist (CCSAS) qualifications and are authorized by CREST to perform STAR penetration testing services.