Security vendor Palo Alto Networks is warning of a new hybrid form of Mac OS and iOS malware that is infecting devices in China. While the malware requires users to engage in non-recommended practices, including visiting a third-party app store, the overall attack scheme is somewhat unique in its execution.
For years, Apple and security researchers alike have warned users not to jailbreak their devices and to not go to third-party app stores. With the new WireLurker malware reported by Palo Alto, users need to download the malware from a third-party app store for their Mac OS X devices in order to infect a mobile iOS device. When the user plugs in their iOS device to the OS X computer, the iOS device is also infected. Palo Alto claims that it doesn’t matter if the iOS device is jailbroken or not.
Once connected, for non-jailbroken iOS devices, the WireLurker malware does something particularly insidious—it backs up iOS apps and then repackages them back to the IOS device with a malware Trojan in it.
At this point, Palo Alto has found 467 OS X applications that have been infected with WireLurker on the Maiyadi App Store in China. Over the last six months, total downloads for those applications are reported to be 356,104, meaning that a whole lot of users might be at risk.
As I see it, the path to infection used for WireLurker should not be common for all users. This is an attack that relies on the fact that a user has both a Mac OS X computer and a mobile iOS device. It also assumes that users will plug their devices into the Mac OS X computers, which isn’t as common as it once was, now that Apple has over-the-air updates for iOS and iCloud file sharing.
As a Mac OS X user, as is the case with the user of any operating system, downloading applications without verifying their authenticity and place of origin is a risk. It’s a risk that I recently wrote about with Tor, as well. If you download apps without making sure they’re good, and without taking steps to make sure they are not malware-free, you run the risk of infection.
That’s just good personal computing hygiene and has been for a long time.
Now, the fact that a Mac OS X machine can infect a non-jailbroken iOS device is not that troublesome when you remember that before any iOS device can connect to any machine, the iOS user needs to allow the connection. This is not some random USB infection. Of course, users are likely to trust their own machines and that’s why the WireLurker malware works.
I’d suggest that Mac users consider the use of third-party anti-malware tools to check downloads if they are reaching outside the official Apple AppStore.
It’s not all about users, though. Apple has a role to play here, too. The repackaging of iOS apps on the Mac OS X side shouldn’t happen. Apple should consider stronger warnings for users when they do backup and connect to OS X to inform them when a file has changed, which could be an indicator of risk.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.