Apple might have blocked WireLurker on all of its known exploited apps, but that might not mean things are completely sorted just yet.
Apple has revoked a previously legit cryptographic certificate the malware was using to sign itself: this certificate tricked iOS devices into trusting and installing WireLurker’s malicious apps.
The Cupertino giant has marked that certificate as untrustworthy, prompting devices to reject any code hanging off it.
“We are aware of malicious software available from a download site aimed at users in China, and we’ve blocked the identified apps to prevent them from launching,” Apple said, adding:
“As always, we recommend that users download and install software from trusted sources.”
That should be that, but it’s not quite the end of the story for WireLurker.
iOS security expert Jonathan Zdziarski warns that WireLurker can still read data from an iPhone or iPad without the certificate, and that “additional certificates could be substituted and new copies of the software inserted.”
“It would greatly behoove Apple to address this situation with more than a certificate revocation; I’m not scared of WireLurker, but I am concerned that this technique could be weaponized in the future, and be a viable means of attack on public and private sector machines,”
he wrote on his personal blog.
“It could easily be attached to any software download in-transit across non-encrypted HTTP, such as an Adobe Flash download or other software download.”
Interesting that, of all the examples out there, he picks an Adobe Flash download as the vehicle for maliciously loading software.
Palo Alto Networks, which alerted the world to the WireLurker infection, has gone on to say that the central servers controlling the infected devices are offline, for now.
Let’s look at how this spread: thousands and thousands of people in China were lured into downloading and installing OS X applications from an unofficial app store, and those applications contained the WireLurker nasty.
When that compromised software is run, the desktops and laptops become carriers: the WireLurker code lies in wait for an iOS device to be paired with the OS X computer via USB.
Once a connection is established, the malware uses an enterprise security certificate to silently install malicious apps on the iOS device.
This allowed the malware to spread itself even to non-jailbroken iPhones and iPads.
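The chain described above (an infected Mac waits for a USB pairing, then pushes an enterprise-signed app onto the phone) gives a defender something concrete to look for: an enterprise-signed install landing shortly after a pairing event on the same host and device, from a signing team the organisation does not recognise. The following correlation check is an added example and not code from the original article or from Palo Alto Networks; the event line format, the host and device names, the `signer`/`team` fields and the allow-listed team ID are all constructed for illustration.

```python
"""Flag enterprise-signed iOS app installs that closely follow a USB pairing."""
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): "<timestamp> <host> <event> key=value ...".
SAMPLE_EVENTS = [
    "2014-11-06T09:00:01Z host-a usb_pair device=UDID-1111",
    "2014-11-06T09:00:40Z host-a app_install device=UDID-1111 signer=enterprise team=UNKNOWN-TEAM app=com.example.unknown",
    "2014-11-06T10:15:00Z host-b app_install device=UDID-2222 signer=appstore app=com.example.mail",
    "2014-11-06T11:00:00Z host-c usb_pair device=UDID-3333",
    "2014-11-06T13:30:00Z host-c app_install device=UDID-3333 signer=enterprise team=UNKNOWN-TEAM app=com.example.mdm",
]

WINDOW = timedelta(minutes=10)                 # how soon after pairing an install is suspicious
KNOWN_ENTERPRISE_TEAMS = {"CORP-TEAM-ID"}      # constructed allow-list of the organisation's own signing teams


def parse(line):
    """Turn one event line into a dict with a timezone-aware timestamp."""
    ts, host, kind, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return {"ts": stamp, "host": host, "kind": kind, **fields}


def find_suspicious(lines, window=WINDOW, known_teams=KNOWN_ENTERPRISE_TEAMS):
    """Return (host, device, app) for enterprise installs within `window` of a pairing.

    Installs signed by an allow-listed team are ignored; installs with no
    recent pairing on the same host/device pair are ignored too.
    """
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    last_pair = {}  # (host, device) -> time of the most recent USB pairing
    hits = []
    for e in events:
        key = (e["host"], e["device"])
        if e["kind"] == "usb_pair":
            last_pair[key] = e["ts"]
        elif e["kind"] == "app_install" and e.get("signer") == "enterprise":
            if e.get("team") in known_teams:
                continue  # legitimately deployed in-house app
            paired_at = last_pair.get(key)
            if paired_at is not None and e["ts"] - paired_at <= window:
                hits.append((e["host"], e["device"], e["app"]))
    return hits


if __name__ == "__main__":
    for host, device, app in find_suspicious(SAMPLE_EVENTS):
        print(f"suspicious: {app} pushed to {device} via {host} shortly after USB pairing")
```

Only host-a is flagged: host-c's enterprise install comes hours after its pairing, and host-b's install is App Store signed.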
Researchers believe the malware was able to pass victims’ Apple ID credentials and contact information back to the command and control server.
Once again, Touch ID data seems to be untouched no matter what hackers try to do.