
Why the danger and hysteria surrounding the WireLurker malware is overblown


The sky is falling. iOS and OS X malware is on the loose. Apple fans beware!

Such is the message a number of publications seem to convey in recently published articles detailing a new type of Apple-oriented malware emanating from China.

A hyperbolic headline from Computerworld reads, "Horrible Apple iOS virus; vectored via USB: WireLurker is 'new brand of threat'." Driving the point home, the title is accompanied by a photo of a USB cable with the word "Panic!!" emblazoned across it.

Oh lord.

A similarly misleading title from Business Insider reads in part: "Apple products are under attack by a vicious new malware..."

Of course, the further one reads about the latest malware hysteria, the more apparent it becomes that everyday iOS and OS X users have nothing to worry about.

The malware, affectionately called WireLurker, is spread via "trojanized/repackaged OS X applications" found on a third-party Mac app store in China called the Maiyadi App Store. According to researchers from Palo Alto Networks, over 467 apps on the Maiyadi App Store are infected and have, to date, been downloaded over 356,104 times.

Why is the Maiyadi App Store so popular? Well, it reportedly offers Mac apps for free, including popular titles such as Angry Birds, The Sims 3, and Battlefield: Bad Company 2.

Remember kids, third-party Mac App Stores are not your friends. Do not smoke with them behind the bleachers, and most definitely do not download any apps from them. It may seem cool, and yeah, they might be free, but the long- and short-term health repercussions for your prized Apple products aren't worth the risk.

Now what makes WireLurker somewhat interesting is that it can hop from an infected OS X machine onto a non-jailbroken iOS device via USB.

Palo Alto Networks' press release reads in part:

WireLurker monitors any iOS device connected via USB with an infected OS X computer and installs downloaded third-party applications or automatically generated malicious applications onto the device, regardless of whether it is jailbroken. This is the reason we call it "wire lurker".

While that may sound scary, keep in mind that the malware can't make the leap on its own. Getting malicious third-party apps onto one's iOS device still requires that the user a) proactively "trust" the connected computer and b) approve the installation.



The BBC explains:

To ensure the devices accepted this certificate, a permissions request was made to pop up on the targeted iOS device on the user's first attempt to run an infected app.

It simply asked for permission to run the app, but if the user clicked "continue" it installed code called a "provisioning profile", which told the iOS device it could trust any other app that had the same enterprise certificate.

Palo Alto Networks remarked that while this technique was not a new concept, it was the only known example of it being used to target non-jailbroken iOS devices in the wild.

That being the case, avoiding WireLurker, which reportedly can intercept data and access your photos, messages and more, is pretty straightforward. Be smart. Don't ever download Mac apps from third-party app stores or otherwise sketchy sites you might find on the web. You might also want to keep your iOS device away from any untrusted OS X machines.

Palo Alto Networks also adds:

Do not accept requests for a new "enterprise provisioning profile" unless it comes from an authorised party, for example the employer's IT department.

Duly noted.

So while WireLurker may be interesting from a technical standpoint, the vast majority of iOS and OS X users have nothing to worry about, even more so if they stick to the confines of Apple's walled garden.

An Apple statement on the matter reads:

We are aware of malicious software available from a download site aimed at users in China, and we've blocked the identified apps to prevent them from launching. As always, we recommend that users download and install software from trusted sources.

Interestingly enough, the BBC relays that some believe the Chinese government is behind the malware, a claim the Chinese authorities have already denied.

Chinese web monitoring group Greatfire.org said that hackers intercepted data and potentially gained access to passwords, messages, photos and contacts. They believed the Beijing government was behind the move.

But, the Chinese government denied the claims and was backed by state-owned internet provider China Telecom, which said the accusation was "untrue and unfounded".

While the appearance of WireLurker certainly raises some interesting points regarding security mechanisms, not to mention the increasing number of threats that specifically target Apple users, the hysteria that some publications are passing along is completely misplaced.

When it comes to WireLurker, if you stick with authorized app stores, you'll be fine.