Apple Says It’s Blocking a New Strain of Malware Infecting Macs and iPhones in China

A customer uses an iPhone at the Wangfujing flagship Apple store in Beijing.

Photo by Lintao Zhang/Getty Images

On Wednesday, Palo Alto Networks, a cybersecurity firm in Silicon Valley, published a report on a new type of malware targeting Apple products, particularly in China. Known as WireLurker, the malicious software gets downloaded and installed on Macs and then is transferred to iPhones and other iDevices via USB.

Palo Alto Networks says that the malware is in 467 applications that run on OS X and are distributed through the Maiyadi App Store, which peddles third-party apps in China. In the last six months, the affected applications have been downloaded more than 356,104 times and the report says that hundreds of thousands of users may be impacted.

Palo Alto Networks says in the report that, “Of known malware families distributed through trojanized / repackaged OS X applications, [WireLurker] is the biggest in scale we have ever seen. It is only the second known malware family that attacks iOS devices through OS X via US.” That does not sound great.

WireLurker is significant because even though it doesn’t come from apps approved by Apple it can still be transferred to iPhones. Usually only jailbroken iPhones can run third-party apps from outside Apple’s App Store.

The malware gives hackers access to pretty much all of the data on a user’s iPhone, though Palo Alto Networks notes that so far it doesn’t seem like the hackers behind the malware are using the exploit to collect data. Ryan Olson, the director of threat intelligence at Palo Alto Networks, told the New York Times, “They are still preparing for an eventual attack … Even though this is the first time this is happening, it demonstrates to a lot of attackers that this is a method that can be used to crack through the hard shell that Apple has built around its iOS devices.”

As Ars Technica points out, security forensics researcher Jonathan Zdziarski did an independent analysis of the Palo Alto Networks report and evaluated the malware himself. He found that WireLurker, while a legitimate threat, is fairly flimsy on its own. The concepts underlying it, though, could have much broader implications. “An NSA or GCHQ, or any other sophisticated attacker could easily incorporate a much more effective (and dangerous) attack like this,” he wrote.

In a statement, Apple gave a reminder to only download software from trusted sources and said, “We are aware of malicious software available from a download site aimed at users in China, and we’ve blocked the identified apps to prevent them from launching.”