Attackers have used rogue applications for both OS X and Windows to infect iPhones and iPads in China with a malware program that steals contact information and other private data.
Researchers from Palo Alto Networks recently reported that the malware, dubbed WireLurker, was being installed on both jailbroken and non-jailbroken iOS devices when those devices were connected to Mac OS X systems that were running trojanized applications.
The researchers initially found that 467 OS X applications on a Chinese third-party Mac application store called Maiyadi had been modified and repackaged to push WireLurker onto iOS devices. Since then, they have also found 180 Windows applications designed to infect iOS devices connected to Windows PCs with an older variant of WireLurker.
The WireLurker-carrying Windows programs were hosted, together with 67 similar OS X apps, under an account on a cloud storage service run by Chinese Internet company Baidu. The applications were uploaded in March and were advertised as installers for popular iOS apps such as Facebook, WhatsApp, Twitter, Instagram, Minecraft, Flappy Bird and others.
“Between March 13 and today these programs have been downloaded 65,213 times, with 97.7 percent of the downloads being the Windows version,” the Palo Alto Networks researchers said in a blog post Thursday.
Each of the Windows executable files had two IPA (iOS application archive) files bundled inside. One was the pirated version of the legitimate iOS app promised to users and the other was the WireLurker malware, the researchers said.
It seems that this older attack was not as successful as the latest one and only targeted jailbroken iOS devices. When executed, the Windows or OS X applications displayed a graphical interface that asked users to install iTunes and then connect their iOS devices to the computer. Users then had to click the install button when ready.
The Palo Alto Networks researchers ran tests with an iPhone 5s running iOS 7.1 and a 3rd-generation iPad running iOS 6—both jailbroken—and found that the installer apps crashed or reported successful installations when no apps were installed on the iOS devices.
“We believe this failure was caused by poor coding quality and incompatibility between the malware and the iOS device, but the malware code does attempt the installation,” the researchers said.
One interesting aspect of the attack is that the older WireLurker variant had binary code for three different architectures: 32-bit ARMv7, 32-bit ARMv7s and 64-bit ARM64.
“As far as we know, this is the first iOS malware that attacks the ARM64 architecture,” the Palo Alto Networks researchers said.
Regardless of how successful this older attack was, it serves as a reminder that WireLurker-style infections can originate from any computer that iOS devices connect to, not just Macs. This is something that security researchers have warned about before.
Since the original report earlier this week, Apple said that it has taken action to block the malicious apps from launching.