Full Report
A new piece of malware that targets both Apple Mac computers and iPhones has been discovered, Neowin reports. It is the first known malware that can infect iPhones that have not been jailbroken.
Analysis Summary
# Tool/Technique: WireLurker
## Overview
WireLurker is a cross-platform malware that targets both Apple macOS computers and iOS devices (iPhones/iPads), notable for being one of the first known malware strains capable of infecting non-jailbroken iPhones via USB connection.
## Technical Details
- Type: Malware family
- Platform: macOS, iOS (including non-jailbroken devices)
- Capabilities: Initial infection via a third-party Mac app store; propagation from an infected macOS host to connected iOS devices over USB; installation or replacement of apps on those iOS devices.
- First Seen: November 2014 (as reported in the article context).
## MITRE ATT&CK Mapping
*Note: Specific detailed mappings might require deeper analysis of the full malware behavior, but based on the description, the following categories apply:*
- TA0001 - Initial Access
- T1187 - Exploitation of Third-Party Software (Infection via the Maiyadi app store, a third-party Mac application store)
- TA0002 - Execution
- T1059 - Command and Scripting Interpreter (Implied by app installation/injection)
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel (Implied by "collects call logs, phone book contacts and other sensitive information")
- TA0005 - Defense Evasion
- T1553 - Subvert Trust in Operating System or Application Controls (Leveraging Apple's enterprise app deployment system)
## Functionality
### Core Capabilities
- **Initial Infection (macOS):** Infects users via the third-party Mac application store named Maiyadi in China.
- **Cross-Device Propagation:** Detects when an iPhone or iPad is connected via USB to an infected macOS machine and spreads to the mobile handset.
- **iOS App Installation:** Infects non-jailbroken iPhones by exploiting Apple's enterprise app deployment system to install or replace applications (e.g., injecting a test app or replacing money transfer apps).
- **Data Collection:** Collects sensitive information, including call logs and phone book contacts.
### Advanced Features
- **Enterprise Deployment Abuse:** Utilizes Apple's enterprise deployment mechanism, which permits mass software deployment without requiring the official App Store verification process, allowing installation without user consent prompts typical of standard apps.
- **Active Development:** Researchers noted the malware was under "active development," suggesting increasing sophistication potential.
## Indicators of Compromise
- File Hashes: *Not provided in the article.*
- File Names: *Not provided in the article.* ESET detection names: **Win32/WireLurker.A** (Windows variant) and **OSX/WireLurker.A** (Mac variant).
- Registry Keys: *Not provided in the article.*
- Network Indicators: The Windows version contains the address of a C2 server, but the address itself is **defanged** and **not provided** in the text.
- Behavioral Indicators: Infection originating from the Maiyadi unofficial app store; attempted installation/replacement of apps on connected iOS devices via USB connection to a compromised Mac.
## Associated Threat Actors
- The article does not name a specific sophisticated threat group but notes its prevalence among devices primarily in **China** due to the infection vector (Maiyadi store).
## Detection Methods
- Signature-based detection: ESET detects the malware variants as **OSX/WireLurker.A** and **Win32/WireLurker.A**.
- Behavioral detection: Monitoring for unauthorized application installation or hook execution on non-jailbroken iOS devices connected via USB to a macOS endpoint, especially when the source is an unverified application.
- YARA rules: *Not provided in the article.*
## Mitigation Strategies
- Prevention measures: Only download and install software from **trusted sources** (i.e., the official Apple App Store).
- Hardening recommendations: Apple stated they blocked the identified malicious apps from launching. Users should ensure they are not sideloading applications from unofficial third-party stores.
## Related Tools/Techniques
- The article mentions a Windows version of WireLurker was discovered, indicating cross-platform development or evolution of the threat targeting the Apple ecosystem via a Windows intermediate host.