Bad Apples? Malware Bites Mac and iOS


Apple devices are immune to malware. That’s the prevailing wisdom, oft-repeated by iPhone, iPad and Mac owners as a way to offset the restrictive application policies the tech giant enforces. These Apple lovers do have a point: the company’s Gatekeeper for Mac and “Trust” permissions for iOS let devices identify apps developed without a valid Apple Developer ID, and the vast majority (98 percent) of mobile malware targets Android-based devices.

But this doesn’t mean iPhones and MacBooks are entirely safe. In fact, a new malware family is now targeting Apple products specifically and could potentially cause some serious damage. Here’s the bottom line.

Watch Out for Lurkers

As noted in a recent Kaspersky Security Update, the newly discovered WireLurker malware is able to infect both iOS and Mac OS devices. The malware was first observed in a Chinese third-party application store called Maiyadi, says security firm Palo Alto Networks, and infected 467 OS X apps. According to Claud Xiao of Palo Alto, “in the past six months, these 467 infected applications were downloaded over 356,104 times and may have impacted hundreds of thousands of users.”

So how does it work? WireLurker starts with trojanized applications offered for sale in third-party app stores. When one is downloaded by a jailbroken iPhone or a Mac with Gatekeeper turned off, WireLurker looks for specific apps, creates copies, patches them with malicious code and then copies the infected app back to the device. If you’re running a non-jailbroken phone, the best WireLurker can do is use a legitimate Enterprise Developer ID to install a non-malicious app, which Palo Alto says was a “test case.” Sound scary? It should, but if you’re not running a jailbroken phone or downloading apps from third-party stores and then overriding Apple’s Trust permissions, you’re probably safe.


Jekyll and Hide

Of course, it’s worth mentioning that in 2013, researchers from Georgia Tech found a way to get malicious payloads onto Apple devices by using a string of benign-seeming code. According to eWeek, these “Jekyll apps” could easily make it past Apple’s vetting process but later be “turned evil” and behave much like malware. The team also discovered a way to install malicious apps using a real developer ID and a fake USB charger; admittedly more difficult and low-tech, but still worrisome.

The biggest problem here? Despite iOS and Mac security measures, it’s still possible to design code that slips through the cracks and then causes real problems. While widespread attacks aren’t likely using either of these methods, Jekyll apps and similar exploits could pose a problem for high-profile targets such as government officials or Internet activists.

Nice Masque

Beyond morphing apps and third-party dangers, there’s another issue: the Masque Attack. Identified by security firm FireEye and short for “masquerading”, Masque attacks are a more sophisticated form of WireLurker that relies on Apple’s enterprise and ad-hoc provisioning system. It goes like this: Apple is fine with developers and enterprises distributing apps outside the App Store ecosystem using what’s known as a “provisioning profile”. This profile allows users to download applications directly from a link without using any kind of app store interface. While this method isn’t widespread, it’s a great way for enterprises and startups to develop or test their own applications in-house.

But there’s a loophole. It’s possible for infected applications to masquerade as and then overwrite legitimate apps on user devices, so long as the “bundle identifiers” are the same. Apple doesn’t require matching certificates for similarly-bundled apps, instead allowing them to be overwritten at will. This means an industrious attacker could potentially gain access to a corporate network and then push “new” versions of installed apps to all employee phones — with the right developer ID, users could be fooled into updating their applications and expose themselves to malware. Worst case? A masquerading app that grabs data stored in a legitimate app, installs an infected version and sends a stream of data to an unknown server.
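One defensive check that loophole suggests, as an added example that is not from FireEye or the original post: compare a fleet’s current app inventory against the baseline recorded at enrollment and flag any bundle identifier whose signing Team ID has changed while the app now comes from an enterprise or ad-hoc provisioning profile. The inventory format, bundle identifiers and Team IDs below are constructed, and it is assumed the MDM reports the signer for each installed app.

```python
"""Flag possible Masque-style app replacement in an MDM app inventory (constructed data)."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class InstalledApp:
    bundle_id: str   # the "bundle identifier" that a Masque app must match
    team_id: str     # Team ID from the app's code-signing certificate
    source: str      # "appstore", "enterprise" or "adhoc" provisioning


# Constructed baseline captured at device enrollment.
BASELINE = [
    InstalledApp("com.example.mail", "TEAMA1", "appstore"),
    InstalledApp("com.example.bank", "TEAMB2", "appstore"),
    InstalledApp("com.corp.tools", "CORP01", "enterprise"),
]

# Constructed current inventory: the mail app keeps its bundle ID but is now
# signed by a different team and installed through an enterprise profile.
CURRENT = [
    InstalledApp("com.example.mail", "EVIL99", "enterprise"),
    InstalledApp("com.example.bank", "TEAMB2", "appstore"),
    InstalledApp("com.corp.tools", "CORP01", "enterprise"),
    InstalledApp("com.other.game", "GAME42", "enterprise"),  # new install, no baseline
]

NON_STORE = {"enterprise", "adhoc"}


def find_masque_candidates(
    baseline: Iterable[InstalledApp], current: Iterable[InstalledApp]
) -> List[Tuple[str, str, str, str]]:
    """Return (bundle_id, baseline_team, current_team, source) for every app whose
    bundle identifier survived from the baseline but whose signer changed and which
    is now delivered by a non-App Store provisioning profile: the Masque pattern."""
    known = {app.bundle_id: app for app in baseline}
    findings = []
    for app in current:
        prev = known.get(app.bundle_id)
        if prev is None:
            continue  # brand-new install; nothing was overwritten
        if app.team_id != prev.team_id and app.source in NON_STORE:
            findings.append((app.bundle_id, prev.team_id, app.team_id, app.source))
    return findings


if __name__ == "__main__":
    for finding in find_masque_candidates(BASELINE, CURRENT):
        print("possible Masque replacement:", finding)
```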

Expiry Date?

WireLurker and Masque attacks have put the fear in some Apple users, but this fruit isn’t bad yet — your risk is minimal unless you like jailbreaking phones or surfing Chinese app stores. Still, it’s a sobering reminder that malware creators never rest, and that even Apple’s walled garden isn’t impenetrable. Do yourself a favor: surf smart with a secure VPN — no sense letting lurkers know what apps you’re into — and just like email attachments, don’t trust apps you don’t know. Apples from strangers are never a healthy choice.