The news last week that malware had infected Apple phones and computers in China sent a shiver down the spine of Mac and iPhone users everywhere.
The malware, called WireLurker, targets Apple mobile and desktop devices to steal personal information. So far, the campaign has only affected users in China, but it illustrates the new steps attackers are willing to take to compromise Apple devices.
According to an article in the New York Times, WireLurker has infected more than 400 applications designed for Apple’s Mac OS X operating system. These applications are only available through a third-party application store called Maiyadi. The store, based in China, is not an Apple-authorized application developer or distributor.
Typically, only phones that are “jailbroken” – altered to run unauthorized software – can download third-party applications. But WireLurker can also affect phones that are not jailbroken when they connect to infected Mac OS X systems via USB.
This malware is not sophisticated. Rather, it is a collection of scripts that employ Apple’s enterprise provisioning mechanism to deploy software on non-jailbroken devices. This provisioning tool provides the certificate signing that is required in order to install a new application on iOS and OS X devices.
When a device is jailbroken, the malware does not need to pass certificate verification at all, which makes the infection much simpler.
In both cases, WireLurker uses the open source library libimobiledevice (http://www.libimobiledevice.org/) to communicate with the device natively and silently over the USB connection.
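Since the attack hinges on Apple's enterprise provisioning mechanism, a defender's first check on a managed device is whether an app's provisioning profile is an enterprise (in-house) one and whether the signing team is expected. The following is an added example, not code from the post or from SentinelOne; it assumes the profile's plist has already been extracted from its CMS signature wrapper (for example with `security cms -D -i embedded.mobileprovision` on OS X), and the two sample profiles are constructed.

```python
import plistlib

# Constructed sample: the plist payload of an enterprise (in-house) provisioning
# profile after the CMS wrapper has been stripped. Names and values are made up.
ENTERPRISE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Example In-House Distribution</string>
  <key>TeamName</key><string>Example Corp (constructed)</string>
  <key>ProvisionsAllDevices</key><true/>
  <key>Entitlements</key><dict>
    <key>get-task-allow</key><false/>
  </dict>
</dict></plist>"""

# Constructed sample: a developer profile, which is tied to an explicit device list.
DEVELOPER_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Example Dev Profile</string>
  <key>TeamName</key><string>Example Corp (constructed)</string>
  <key>ProvisionedDevices</key><array><string>00000000-CONSTRUCTED</string></array>
  <key>Entitlements</key><dict>
    <key>get-task-allow</key><true/>
  </dict>
</dict></plist>"""


def classify_profile(plist_bytes):
    """Return 'enterprise', 'developer' or 'unknown' for a provisioning profile plist."""
    profile = plistlib.loads(plist_bytes)
    # Enterprise profiles carry ProvisionsAllDevices=true and no device list; this is
    # the property that lets a signed app install on any non-jailbroken device.
    if profile.get("ProvisionsAllDevices") is True:
        return "enterprise"
    if "ProvisionedDevices" in profile:
        return "developer"
    return "unknown"


def flag_unexpected_enterprise(plist_bytes, allowed_teams):
    """True if the app is enterprise-signed by a team not on the organisation's allowlist."""
    profile = plistlib.loads(plist_bytes)
    if classify_profile(plist_bytes) != "enterprise":
        return False
    return profile.get("TeamName") not in allowed_teams


if __name__ == "__main__":
    for name, data in (("enterprise", ENTERPRISE_PROFILE), ("developer", DEVELOPER_PROFILE)):
        print(name, classify_profile(data), flag_unexpected_enterprise(data, {"Known Corp"}))
```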
SentinelOne customers are automatically protected from this type of attack. We did not need to make any adjustments to mitigate WireLurker. SentinelOne blocks the attack on OS X 10.9 and 10.10. Because detection is based on the malware's techniques rather than its dropper, it does not depend on knowing the transport mechanism or infection vector used.
The Times’ article reports that the infected applications have been downloaded more than 300,000 times. This is a significant number, so the attack should be taken seriously.
However, it is also important to understand that WireLurker does not employ any new techniques or exploits. So while traditional endpoint security vendors are scrambling to update their products to protect against WireLurker, SentinelOne’s predictive execution inspection technology detects and blocks it out of the box.