Ushering in a new threat landscape for iPhone users, security researchers have uncovered an active malware operation that compromised the OS X and iOS devices of hundreds of thousands of people.
WireLurker, as the new family of malware has been dubbed, first took hold of Macs when users installed pirated software that had been laced with malicious code, according to a report published Wednesday by researchers from Palo Alto Networks. The trojan then installed itself as an OS X system daemon and waited for iOS devices to connect over USB interfaces. The infected Macs would then grab the serial number, iTunes store identifier, and if available, phone number of the iOS device and send the data to a server controlled by the operators. WireLurker-infected phones were also loaded up with a variety of unwanted apps. Palo Alto Networks researchers found 467 OS X WireLurker-infected applications available on Maiyadi, a third-party app store located in China. The apps were downloaded 356,104 times, a figure indicating that hundreds of thousands of people likely were hit by the infection.
"Viable means of attack"
At first blush, WireLurker doesn't look like much of a threat. For one thing, it targeted a relatively small number of people in a limited geography who all appeared to have ties to pirated software. On top of that, once it gained persistence on a Mac or iDevice, WireLurker stole only a small amount of data and installed mostly innocuous apps. But there are reasons WireLurker could be important to iOS users everywhere. Chief among them, the infected Macs were able to compromise non-jailbroken iPhones and iPads by abusing the trusted iOS pairing relationship and enterprise provisioning, a mechanism that allows businesses to install custom-written apps on employee devices.