Cyber-Attackers Creating More Sophisticated Apple OS Malware

From the Mask to Coinstealer to WireLurker, cyber-attackers continue to develop more sophisticated Mac OS X malware.

While malware has never been highly prevalent on Apple's Mac OS X and iOS, attackers continue to show their persistence in developing advanced techniques to compromise the operating systems.

For the latest malware, dubbed WireLurker, the attackers used trojanized applications delivered through a third-party app store that infect users' systems and then attempt to infect iOS phones that are connected to the system. Other attacks have used a similar approach to get around Apple's software ecosystem: Coinstealer, a Bitcoin stealing app, masquerades as a cracked version of Angry Birds.

While malware developers are not nearly as likely to target Mac OS X, compared with Windows—or Apple's iOS compared with Android—Apple users should expect to see more malware targeting their devices, Ryan Olson, intelligence director for Palo Alto Networks, told eWEEK.

"We will continue to see new malware for both Mac OS X and iOS, and they will incrementally get better and better," he said, adding: "I would be most worried about high-value targets," such as dissidents and government officials.

Apple's software ecosystem has made the company's two operating systems, Mac OS X and iOS, difficult targets for most attackers. With OS X Mountain Lion, Apple introduced Gatekeeper, a technology to limit what applications can run on a Mac. At the most stringent level, which Apple made the default setting, code can only run if created and signed by a known developer. Apple's iOS requires signed code, unless jailbroken.

While vetted app stores and application signatures make it more difficult for attackers to run malicious code on Mac OS X, it is not impossible. In 2013, researchers at Georgia Tech developed a way to create seemingly benign code that would get past Apple's vetting process, but could later be turned evil.

Labeling such programs as "Jekyll apps," the researchers demonstrated one way to run malicious apps on iOS. Another paper by the same group demonstrated a second way, using a developer code-signing signature, to install apps on a phone using a fake USB charger.

The recent WireLurker attack uses a variant of these attacks to get code onto an iOS device.

On jailbroken iPhones, common in many countries, WireLurker looks for specific applications, copies them, patches them with malicious code and then copies them back to the phone, thus infecting the device. On non-jailbroken phones, the program uses an enterprise developer ID to install a non-malicious application, which Palo Alto's Olson posits was likely a test case.

"It was just a test model," Olson said. "It was just a way to test installing an application on a non-jailbroken phone."

For the most part, while targeted attacks are still a worry, Mac OS X and iOS users should be quite safe from attacks, unless they use a jailbroken phone or download applications from a third-party app store. A deluge of Apple malware is not in the future, he said.

"The position that Apple is in with Mac OS X and iOS is much more defensible than Windows historically has been," Olson said. "Because they were able to make the choice to have a walled garden, it is an easier-to-defend platform."

Robert Lemos
Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...