Same functionality has been recorded as in the case of OS X

Nov 10, 2014 14:54 GMT

Malicious software for both OS X and Windows has been used in China to infect iOS devices with WireLurker Trojan when connected to the desktop system via a USB connection.

Researchers at Palo Alto Networks announced on Wednesday that they found a piece of malware that can compromise an iOS device regardless of whether it is jailbroken (the rogue apps are signed with enterprise certificates).

They dubbed the threat WireLurker because it would be installed on a Mac computer and then wait for a USB connection with a targeted device.

Initially, it was reported that 467 programs in a third-party app store (Maiyadi) hosting premium pirated content included WireLurker, and they were downloaded more than 356,104 times in the last six months.

Windows variant discovered in Baidu cloud service

Immediately after publishing this information, Palo Alto Networks (PAN) researchers received news from Jaime Blasco from AlienVault Labs that a Windows version of WireLurker existed, with the same modus operandi and targeting iOS devices.

Claud Xiao and Royce Lu of PAN inform that it is an older variant of the malware that can only affect jailbroken devices. It was found embedded in 180 Windows executables and 67 OS X applications, all hosted in an account in the public cloud storage service of Baidu.

The files have been downloaded 65,213 times, and in 97.7% of the cases the user retrieved a Windows executable; this included two iOS app installation bundles, one of them malicious and the other a pirated iOS app.

Infecting the iPhone or iPad is done through iTunes, when the mobile device is connected to the desktop. If iTunes is not present on the system, the victim is provided with a download link and instructed to install it. The malware is added to the iOS device together with the pirated app.

Attacks ARM64, has the same functions as the OS X version

According to the researchers, the iOS malware contains code for three CPU types: 32-bit ARMv7, 32-bit ARMv7s and 64-bit ARM64. “As far as we know, this is the first iOS malware that attacks the ARM64 architecture,” they said in a blog post on Thursday.

There aren’t any differences in terms of functionality between the OS X and the Windows versions of WireLurker. The same behavior has been observed in both cases and the same command and control server (comeinbaby.com) has been used.
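The command and control domain named above is the one indicator the article gives that a defender can act on directly. The following is an added example, not code from the article or from Palo Alto Networks: it scans DNS query logs for lookups of that domain or any of its subdomains, so a network team can find which clients resolved it. The log format (timestamp, client address, queried name) and the sample lines are constructed for the example; only the domain comes from the page.

```python
import re
from typing import Dict, List

# The WireLurker C2 domain reported in the article; the only indicator taken from the page.
WIRELURKER_C2_DOMAIN = "comeinbaby.com"

# Constructed sample DNS log (not real traffic). Format assumed: "<timestamp> <client> <qname>".
SAMPLE_DNS_LOG = """\
2014-11-06T09:12:01Z 10.0.0.12 www.example.org
2014-11-06T09:12:05Z 10.0.0.27 comeinbaby.com
2014-11-06T09:13:40Z 10.0.0.27 update.comeinbaby.com
2014-11-06T09:14:02Z 10.0.0.31 notcomeinbaby.com
malformed line that the parser should skip
2014-11-06T09:15:11Z 10.0.0.12 COMEINBABY.COM.
"""

# One log line: timestamp, client address, queried name, separated by whitespace.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


def matches_domain(qname: str, domain: str) -> bool:
    """True if qname is the domain itself or a subdomain of it.

    Comparison is case-insensitive and tolerates a trailing dot (FQDN form).
    A plain substring test would wrongly flag names such as notcomeinbaby.com,
    so the check requires an exact match or a '.' boundary before the domain.
    """
    q = qname.lower().rstrip(".")
    d = domain.lower().rstrip(".")
    return q == d or q.endswith("." + d)


def find_c2_lookups(log_text: str, domain: str = WIRELURKER_C2_DOMAIN) -> List[Dict[str, str]]:
    """Return every parsed log entry whose queried name matches the C2 domain."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        if matches_domain(m.group("qname"), domain):
            hits.append({"ts": m.group("ts"), "client": m.group("client"), "qname": m.group("qname")})
    return hits


def clients_to_triage(log_text: str, domain: str = WIRELURKER_C2_DOMAIN) -> List[str]:
    """Sorted, de-duplicated list of client addresses that resolved the C2 domain."""
    return sorted({hit["client"] for hit in find_c2_lookups(log_text, domain)})


if __name__ == "__main__":
    for hit in find_c2_lookups(SAMPLE_DNS_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['qname']}")
    print("clients to triage:", clients_to_triage(SAMPLE_DNS_LOG))
```

The subdomain-aware match matters because a C2 operator can point any label under the registered domain at the server; the boundary check keeps unrelated names that merely end in the same string out of the results. Machines on the returned list are the ones to check for the OS X or Windows dropper and for any iOS device that has been connected to them.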

The mystery around the purpose of the malware remains, since the end-game could not be determined based on the amount of information it extracts (product serial and model numbers, phone number, Apple ID, Wi-Fi address, disk usage, and the unique device identifier – UDID).

A Windows variant of WireLurker shows that the operating system is not an obstacle for cybercriminals to spread their malware. Any platform can be used to spread rogue apps to a targeted device.

Images (3): WireLurker samples in Baidu cloud storage service; pirated app run on Windows; no DRM protection for pirated apps.