MWR's Dave Hartley gives the lowdown on this OSX & iOS malware, with advice and practical security recommendations
WireLurker is a piece of malware that targets Apple Mac (OS X) systems and iPhones/iPads (iDevices). The technicalities of its behaviour and capabilities are detailed in Palo Alto Networks' white paper titled "WireLurker: A New Era in iOS and OS X Malware". It is able to propagate from infected OS X systems to both jailbroken and non-jailbroken iDevices (iOS).
On the face of it, this all sounds very worrisome. However, the malware does not exploit any vulnerabilities to compromise OS X or iOS systems. A user must download, install and/or execute the malicious software. Once it has a foothold, the malware abuses standard design features of OS X and iOS to propagate to a non-jailbroken iDevice. For a jailbroken device, it again takes advantage of a legitimate service configured as part of the jailbreak process. When the malware installs itself on a non-jailbroken device, it must still operate within the confines of the restrictive sandbox model. It also cannot execute itself automatically; the user of the device must again execute it. When this happens, a warning is presented that the user must ignore for the installation to proceed.
It is possible for the malware to propagate to a non-jailbroken device because it has been signed with an Enterprise developer key. Applications will only run on a non-jailbroken iDevice if they have been licensed as part of the Apple Developer Program. An Apple sanctioned developer key has been used to sign the malware. Such keys are available to anyone who can pay Apple the $299 necessary to obtain one. The warning presented informs the user of the device that the application has not been distributed via the official Apple App Store and has been signed with an Enterprise developer key.
When an iDevice is jailbroken some of the security features of iOS are weakened and this allows the malware to silently infect the device.
Once the malware has successfully implanted itself into a system and/or device, it begins siphoning information about the device it has taken up residence on, as well as harvesting whatever personal data is available to it. The malware can be dynamically updated remotely via its command and control channels; in the future it could therefore be instructed to execute further actions and be given more nefarious capabilities.
The majority of users infected by the malware have been infected through the installation of pirated software from an unofficial Chinese app store named “Maiyadi”. Pirated software available on that store has been infected with the malware. When the user downloads and installs the pirated software, the malware piggybacking on it infects the desktop OS X system and in turn ‘jumps’ to any connected iDevices.
The techniques employed by the malware to achieve persistence, propagate and harvest information are not new. They have been discussed, and exploitation scenarios theorised, for some time, and security researchers have publicly produced proofs of concept demonstrating how these features can be abused for similar purposes. MWR Labs use similar techniques when performing sanctioned cyber security assessments against OS X and iOS targets. This malware highlights what most in the industry already knew was possible, and it also serves as a warning of the dangers of downloading and executing software of a questionable nature from dubious sources.
The malware is currently targeting Chinese users of OS X and iOS systems, largely due to its reliance on the unofficial Chinese app store Maiyadi as its initial point of infection. However, it would be prudent for all OS X and iOS users to take sensible precautions to protect themselves from this malware, and from compromise via the same vectors by other threat actors and/or malicious software.
Similar to how the majority of Android malware propagates, software available in the “Maiyadi” app store has been ‘repackaged’ by the malware author so that, alongside the original executable and its functionality, it also contains the malicious program. Once downloaded and installed, the malware is activated and the system infected.
OS X actually includes a number of security features to help protect against this kind of threat, and these have to be disabled and/or ignored for this piece of malware to gain an initial foothold on an OS X system. Chief among these is Apple's Gatekeeper. By default, Gatekeeper ensures that only applications downloaded from the Apple App Store, or applications that have been signed with an official Apple Developer ID, will execute. Only software that you trust and/or can verify as reputable should be installed and/or executed on any system, not just Apple ones.
A small script is available from Palo Alto Networks to scan your OS X system for signs of infection. It would be prudent to ensure that no suspicious profiles have been installed on your iDevice also. The WireLurker malware makes use of an enterprise provisioning profile when making the jump to a non-jailbroken iDevice. To inspect the installed profiles on your device go to Settings > General > Profiles.
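As an added example (not from the original article, nor from Palo Alto Networks' script), the following Python snippet pulls the `embedded.mobileprovision` out of an .ipa and reports whether it is an enterprise (in-house) profile of the kind described above. The sample profile bytes are constructed, and the plist is located by a byte scan, so the CMS signature is not verified; treat the result as advisory.

```python
"""Inspect an iOS provisioning profile for the enterprise-distribution marker."""
import fnmatch
import plistlib
import zipfile

def extract_plist(blob: bytes) -> dict:
    # A .mobileprovision is a CMS (PKCS#7) signed blob wrapping an XML plist.
    # Slicing from "<?xml" to "</plist>" reads the plist without verifying the signature.
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def classify_profile(blob: bytes) -> dict:
    p = extract_plist(blob)
    ents = p.get("Entitlements", {})
    if p.get("ProvisionsAllDevices"):
        kind = "enterprise"    # in-house distribution: installs on any device, bypassing App Store review
    elif p.get("ProvisionedDevices"):
        kind = "ad-hoc"        # restricted to the listed device UDIDs
    elif ents.get("get-task-allow"):
        kind = "development"   # debuggable build, also UDID-limited
    else:
        kind = "app-store"
    return {"kind": kind, "team": p.get("TeamName"),
            "app_id": ents.get("application-identifier"),
            "expires": p.get("ExpirationDate")}

def profile_from_ipa(path: str):
    # Returns the embedded profile bytes from an .ipa, or None if the app has none.
    with zipfile.ZipFile(path) as z:
        for name in z.namelist():
            if fnmatch.fnmatch(name, "Payload/*.app/embedded.mobileprovision"):
                return z.read(name)
    return None

# Constructed sample: placeholder bytes stand in for the DER envelope around a minimal plist.
SAMPLE_PROFILE = (b"\x30\x82\x00\x10" + b"\x00" * 8 + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Name</key><string>Constructed In-House Profile</string>
<key>TeamName</key><string>Example Corp (constructed)</string>
<key>ProvisionsAllDevices</key><true/>
<key>ExpirationDate</key><date>2015-11-05T00:00:00Z</date>
<key>Entitlements</key><dict>
<key>application-identifier</key><string>ABCDE12345.com.example.app</string>
<key>get-task-allow</key><false/>
</dict></dict></plist>""" + b"\x00" * 4)

if __name__ == "__main__":
    print(classify_profile(SAMPLE_PROFILE))
```

An .ipa whose profile classifies as "enterprise" was not distributed through the App Store, which is exactly the situation the iOS warning prompt is flagging.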
The malware propagates to any connected iDevices by abusing the trust relationship established between the desktop system and the iDevice. When an unlocked iDevice is connected to iTunes on an OS X or Windows system, and a conscious choice to trust that computer is made (by tapping ‘Trust’ on the prompt on the device), a pairing record is created that maintains that trust for future connections. This is legitimately in place to allow users to manage their devices, install applications, copy music files and so on using iTunes. It is good practice not to pair your iDevice with untrusted systems.
In summary, there is no significant risk from this malware to sensible and security-aware, conscientious users. It’s important to stress that no 0day vulnerability exists and no patchable security flaw is responsible – these systems and devices are being compromised through the abuse of legitimate and expected functionality (features that are actually very useful for users). Unfortunately, security is at perpetual odds with convenience. In some cases, compromise also relies on a lack of security awareness on the part of the system and device owners.
This piece of malware should serve as another wake-up call for OS X and iOS users who blindly trust that the Apple ecosystem is ‘secure’ and immune from the same cyber security threats that Linux and Windows systems and Android mobile devices face.