Recent news is that Apple users in China face a new, active threat that attacks iPhones and iPads through Apple's Mac OS. The news was confirmed and released by a US-based security firm, Palo Alto Networks, which named the malicious software WireLurker. The name comes from the way it waits for a device running Apple's iOS to be connected by USB cable to a desktop or laptop running Mac OS. So far the attack is limited to China, and WireLurker hides in applications downloaded from third-party Mac OS app stores found there. It was also reported that the founders of this malware have been located and sent to prison, and that their website has been shut down.

[Image: WireLurker detections]

Responding to the news of malware attacking iOS devices through the Mac, Apple states that it has blocked the identified applications so they cannot launch, and it recommends that users download and install software and applications only from trusted sources. WireLurker appears to be a new kind of threat for Apple; nothing like it has been seen since 2003. Unlike other iOS threats, WireLurker is not limited to jailbroken iPads and iPhones. The vulnerability it exploits has been named Masque, and it affects iOS versions from 7.1 through 8.1 and the 8.1.1 beta. Recent research has also revealed that, beyond the USB infection path described above, the malware can reach Apple devices through email and text messages as well: the attacker gets the victim to follow a link that leads to malicious or infected apps.

How to Detect and Remove WireLurker:

To find out whether your iOS and Mac devices are affected by the WireLurker malware, you need to check a few things on each device:

Mac: Look for the following launch daemons on your Mac system.

  • /Library/LaunchDaemons/com.apple.globalupdate.plist
  • /Library/LaunchDaemons/com.apple.machook_damon.plist
  • /Library/LaunchDaemons/com.apple.itunesupdate.plist
  • /Library/LaunchDaemons/com.apple.watchproc.plist
  • /Library/LaunchDaemons/com.apple.periodic-dd-mm-yy.plist
  • /Library/LaunchDaemons/com.apple.systemkeychain-helper.plist
  • /Library/LaunchDaemons/com.apple.MailServiceAgentHelper.plist
  • /Library/LaunchDaemons/com.apple.appstore.plughelper.plist

If any of these are present on your Mac, it is infected. Delete them.

Jailbroken Device: Connect to your device over SSH and check for the following file.

  • /Library/MobileSubstrate/DynamicLibraries/sfbase.dylib

If this file exists on your jailbroken device, it is infected. Delete it completely.

Non-Jailbroken Device: Check for any suspicious apps or configuration profiles that you did not install. If you find any, delete them.
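The checks above, automated as an added example (this script is not from the original article or from Palo Alto Networks). It assumes the file paths listed in this article are the only indicators, takes an optional root prefix so the jailbroken-device check can run over a filesystem copied from the device via SSH or a mounted disk image, and moves anything it finds into a quarantine directory, keeping the file for analysis rather than deleting it outright.

```shell
#!/bin/sh
# Added example (not from the article or Palo Alto Networks): a POSIX shell
# checker for the WireLurker file indicators the article lists. ROOT is an
# optional path prefix so the same check can run against a mounted disk image
# or a filesystem copied from a jailbroken device over SSH.

WIRELURKER_INDICATORS="
/Library/LaunchDaemons/com.apple.globalupdate.plist
/Library/LaunchDaemons/com.apple.machook_damon.plist
/Library/LaunchDaemons/com.apple.itunesupdate.plist
/Library/LaunchDaemons/com.apple.watchproc.plist
/Library/LaunchDaemons/com.apple.periodic-dd-mm-yy.plist
/Library/LaunchDaemons/com.apple.systemkeychain-helper.plist
/Library/LaunchDaemons/com.apple.MailServiceAgentHelper.plist
/Library/LaunchDaemons/com.apple.appstore.plughelper.plist
/Library/MobileSubstrate/DynamicLibraries/sfbase.dylib
"

# wirelurker_scan [ROOT]: print each indicator present under ROOT, one per
# line. Exit status 0 = clean, 1 = at least one indicator found.
wirelurker_scan() {
    root="${1:-}"
    found=0
    for p in $WIRELURKER_INDICATORS; do
        if [ -e "${root}${p}" ]; then
            printf '%s\n' "${root}${p}"
            found=1
        fi
    done
    return "$found"
}

# wirelurker_quarantine ROOT QDIR: move each indicator found under ROOT into
# QDIR, keeping its original path below QDIR, so the file is preserved for
# analysis instead of being deleted. On a live Mac, unload a daemon first
# (launchctl unload <plist>) so the running process does not survive.
wirelurker_quarantine() {
    root="${1:-}"
    qdir="$2"
    wirelurker_scan "$root" | while IFS= read -r path; do
        rel="${path#"$root"}"
        mkdir -p "$qdir$(dirname "$rel")"
        mv "$path" "$qdir$rel"
        printf 'quarantined %s -> %s\n' "$path" "$qdir$rel"
    done
}

# Command-line use: sh wirelurker_check.sh scan [ROOT]
#                   sh wirelurker_check.sh quarantine ROOT QDIR
case "${1:-}" in
    scan)       wirelurker_scan "${2:-}" ;;
    quarantine) wirelurker_quarantine "${2:-}" "${3:?quarantine dir required}" ;;
esac
```

Run `sh wirelurker_check.sh scan /` on the Mac itself, or point ROOT at the copied device filesystem for the jailbroken check; the quarantine step is a safer substitute for the article's "delete them" because the sample stays available for examination.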

What does WireLurker do?

[Image: WireLurker_iPhone_Mac]

Technically speaking, the threat lets attackers replace legitimate iOS apps with malicious ones without any notification to the user. The flaw lies in iOS enterprise provisioning, which fails to check an application's identity against its digital certificate when the developer uploads apps to the App Store. So far iOS has not flagged WireLurker apps that are signed with a different certificate. The malware installs malicious applications directly onto the user's phone via an infected laptop or desktop, which is the main reason it can affect non-jailbroken devices, unlike earlier iOS malware. The malware also appears to be circulating among criminals, and the Masque bug remains unpatched so far, but Apple has acted quickly by invalidating all certificates used by this malware.

WireLurker was designed to infect Mac and Windows machines, where it lies dormant until the user connects an iPod or iPhone to the infected machine. It then searches the iOS device for popular applications and replaces them with Trojans and fake copies. It is still not clear what data the malware ultimately seeks. The users most affected were those who had downloaded the Meitu photo app and the Taobao online-auction app. An unsuccessful Android version of this malware has also been spotted circulating online.
