Apple malware affects mostly Chinese users By Rajeshni Naidu-Ghelani & Leo Kelion

BBC News Published duration 6 November 2014

media caption The BBC's John Sudworth explains how the malware affects Apple products

Malware has bypassed Apple's safety controls by taking advantage of a process used by employers to add apps to workers' iPhones and iPads.

US-based Palo Alto Networks said WireLurker appeared to have originated in China and was mostly infecting devices there.

The malware first targets Mac computers via a third-party store before copying itself to iOS devices.

Researchers warn it steals information and can install other damaging apps.

"WireLurker is unlike anything we've ever seen in terms of Apple iOS and OS X malware," said Ryan Olson, Palo Alto Network's intelligence director.

"The techniques in use suggest that bad actors are getting more sophisticated when it comes to exploiting some of the world's best-known desktop and mobile platforms."

WireLurker has the ability to transfer from Apple's Mac computer to mobile devices through a USB cable.

image copyright Getty Images image caption The malware initially gets onto an iOS device via a USB link to an infected Mac computer

The security firm said the malware was capable of stealing "a variety of information" from mobile devices it infects and regularly requested updates from the attackers' control server.

"This malware is under active development and its creator's ultimate goal is not yet clear," the company added.

Apple has issued a brief statement.

"We are aware of malicious software available from a download site aimed at users in China, and we've blocked the identified apps to prevent them from launching," it said.

"As always, we recommend that users download and install software from trusted sources."

Work apps

According to Palo Alto Networks, WireLurker was first noticed in June when a developer at the Chinese firm Tencent realised there were suspicious files and processes happening on his Mac and iPhone.

Further inquiries revealed a total of 467 Mac programs listed on the Maiyadi App Store had been compromised to include the malware, which in turn had been downloaded 356,104 times as of 16 Oct.

Infected software included popular games including Angry Birds, The Sims 3, Pro Evolution Soccer 2014 and Battlefield: Bad Company 2.

Once the malware was on the Mac, it communicated with a command-and-control server to check if it needed to update its code, and then waited until an iPhone, iPad or iPod was connected.

When an iOS device was connected the malware would check if it was jailbroken - a process used by some to remove some of Apple's restrictions.

If it was jailbroken, WireLurker backed up the device's apps to the Mac, where it repackaged them with malware, and then installed the infected versions back on to the iOS machine.

If it was not jailbroken - which is the case for most iOS devices - WireLurker took advantage of a technique created by Apple to allow businesses to install special software on their staff's handsets and tablets.

image copyright PAlo alto networks image caption Wirelurker hides its code inside software that is initially downloaded to a Mac computer

This involved placing infected apps on the device that had been signed with a bogus "enterprise certificate" - code added to a product that is supposed to prove it comes from a trustworthy source.

To ensure the devices accepted this certificate, a permissions request was made to pop up on the targeted iOS device on the user's first attempt to run an infected app.

It simply asked for permission to run the app, but if the user clicked "continue" it installed code called a "provisioning profile", which told the iOS device it could trust any other app that had the same enterprise certificate.

Palo Alto Networks remarked that while this technique was not a new concept, it was the only known example of it being used to target non-jailbroken iOS devices in the wild.

Once active, the malware is used to upload information about the machine to the hackers, including phone numbers from its Contacts app, and the user's Apple ID.

Different versions of WireLurker also automatically installed new apps on the devices - including a video game and a comic book reader.

image copyright palo alto networks image caption The hackers fooled users into approving a bogus enterprise certificate

While these were innocuous, experts warn they could represent a test run for other more damaging software.

"People have got very used to iOS being secure and there is a danger they may be complacent about the risk this presents," said Prof Alan Woodward, from the University of Surrey.

"Now Apple knows what it's looking for, it should be able to shut it down relatively easily. But it shows that people are trying to attack Apple's operating system and the firm can't take security for granted."

Under attack

News of the attack comes after tech giant Apple's iCloud storage service in China was attacked by hackers trying to steal user information just last month.

Chinese web monitoring group Greatfire.org said that hackers intercepted data and potentially gained access to passwords, messages, photos and contacts. They believed the Beijing government was behind the move.

But the Chinese government denied the claims and was backed by state-owned internet provider China Telecom, which said the accusation was "untrue and unfounded".

China is home to the world's biggest smartphone market and Apple saw its iPhone sales there jump 50% in the April to June quarter from a year earlier.

To minimise the risk of attack, Palo Alto Networks has recommended that users:

Do not download Mac apps from third-party stores

Do not jailbreak iOS devices

Do not connect their iOS devices to untrusted computers and accessories, either to copy information or charge the machines

Do not accept requests for a new "enterprise provisioning profile" unless it comes from an authorised party, for example the employer's IT department