Lurking in the shadows of an unsuspecting user’s operating system, a new breed of malicious software has announced that it can inhabit not only users’ computers but also their mobile devices. And in today’s interconnected world, we know all too well how far leaked information can spread. From routing numbers tied to banking apps to wearables that track breathing patterns, users trust their mobile devices with sensitive personal information, often without ever asking: is the convenience worth the cost? WireLurker, a recently discovered malware family targeting iOS and Mac OS X, calls attention to the importance of end-user security awareness, particularly in an enterprise setting.
First publicized by VMware partner Palo Alto Networks (PAN), WireLurker “heralds a new era in malware attacking Apple’s desktop and mobile platforms,” according to a company blog post. Though the sites distributing the malware were quickly shut down and suspects were arrested, this large-scale attack illustrates the need for consistent vigilance over a mobile deployment.
PAN first detected signs of WireLurker in June, and it estimates that hundreds of thousands of users have since been affected. The malware originated in trojanized applications downloaded to Mac OS X machines from a third-party Chinese app store. Once installed, it remained resident on the Mac until a user connected an iOS device over USB, then pushed its payload to the device across that connection. The malicious apps were suspected of collecting personal data from the mobile device; however, the attackers’ ultimate intent remains unclear.
In a blog post and white paper published November 5, Palo Alto Networks researchers point out several characteristics not previously seen in malware. WireLurker is the first in-the-wild malware to install third-party applications on a non-jailbroken iOS device, and it does so through enterprise provisioning, the mechanism Apple provides for organizations to distribute in-house apps outside the App Store.
Previous iOS malware could reach only jailbroken devices, but WireLurker “installs downloaded third-party applications or automatically generated malicious applications onto the device, regardless of whether it is jailbroken,” the researchers wrote. In a November 6 email to Reuters, Apple said it had revoked the certificate that allowed installation on iOS devices. On November 17, authorities in Beijing shut down Maiyadi, the third-party app store distributing the malware, and arrested three suspected hackers, according to ComputerWorld.
Though Apple quickly resolved this incident, WireLurker raises concerns about the exposure of every device and platform. As device- and software-level security becomes more sophisticated, so will the methods attackers employ. The evolving nature of malware underscores the need to keep mobile security controls current in order to thwart malware in an enterprise IT infrastructure. Winning against malware requires both offense and defense, and administrators and CIOs are the most valuable players.
In addition to basics such as applying security patches and upgrades to software and operating systems, here are a few strategies that belong in every IT department’s mobile security playbook:
1) Enable MDM settings to block third-party app stores
With MDM, IT administrators can configure restrictions that block access to third-party app stores, which were WireLurker’s distribution channel, and warn users who attempt to install unapproved software.
2) Maintain consistent oversight of your entire device fleet, including installed apps and profiles
IT administrators should take note of any unfamiliar app names or unknown provisioning profiles that appear in the MDM console. Maintain an allowlist of the software and profiles that should be installed on enterprise devices, and be on the lookout for anything that does not belong. An app installed under an enterprise provisioning profile from a team the organization does not recognize is exactly WireLurker’s pattern, and it shows up in inventory even on a device that is not jailbroken.
3) Detect rooting and jailbreaking
Devices become more susceptible to malware if they are jailbroken or rooted. WireLurker is notable precisely because it did not need a jailbreak, so jailbreak detection alone would not have caught it; it still closes off the route most earlier iOS malware relied on. Configuring MDM to detect rooted and jailbroken phones alerts IT administrators to those devices. AirWatch compliance policies can flag rooting and jailbreaking, and when a device is detected as compromised the AirWatch compliance engine can automatically revoke its access to enterprise content.
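The following is an added example illustrating strategies 2 and 3 together; it is not AirWatch code and does not use the AirWatch API. It audits a fleet inventory (constructed sample records in an assumed shape: device identifier, MDM compromised flag, installed apps with the Apple team ID of the enterprise profile they were signed under, and the provisioning profiles present) against an allowlist of approved bundle IDs and approved team IDs. The allowlist values are placeholders. Any real MDM export would need to be mapped into the same record shape first.

```python
from dataclasses import dataclass

# --- Allowlists (assumed placeholder values) ----------------------------------
APPROVED_BUNDLE_IDS = {
    "com.apple.mobilesafari",
    "com.example.corp.mail",
    "com.example.corp.expenses",
}
# Apple Developer Team IDs whose provisioning profiles are expected on the
# fleet: the organisation's own enterprise team and its MDM vendor's.
APPROVED_TEAM_IDS = {"CORP0TEAM1", "MDMVENDOR1"}


@dataclass(frozen=True)
class Finding:
    device: str
    kind: str    # unknown_app | unexpected_signer | unknown_profile | compromised
    detail: str


def audit_device(record: dict) -> list[Finding]:
    """Compare one device's inventory record against the allowlists.

    Record shape (assumed for this example):
      {"udid": str, "compromised": bool,
       "apps": [{"bundle_id": str, "team_id": str or None}, ...],
       "profiles": [{"name": str, "team_id": str}, ...]}
    App Store apps carry no enterprise profile, so their team_id is None;
    an app with a team_id was installed through enterprise provisioning.
    """
    udid = record["udid"]
    findings = []

    # Strategy 3: MDM jailbreak/root detection surfaces as a flag on the record.
    if record.get("compromised"):
        findings.append(Finding(udid, "compromised", "device reports jailbroken/rooted"))

    # Strategy 2: every installed app must be on the approved list ...
    for app in record.get("apps", []):
        if app["bundle_id"] not in APPROVED_BUNDLE_IDS:
            findings.append(Finding(udid, "unknown_app", app["bundle_id"]))
        # ... and an enterprise-signed app must come from a team we recognise.
        # This is the WireLurker pattern: a sideloaded app under a foreign
        # enterprise certificate on a device that is not jailbroken.
        team = app.get("team_id")
        if team is not None and team not in APPROVED_TEAM_IDS:
            findings.append(Finding(udid, "unexpected_signer",
                                    f"{app['bundle_id']} signed by team {team}"))

    # Strategy 2: provisioning profiles themselves must come from approved teams.
    for prof in record.get("profiles", []):
        if prof["team_id"] not in APPROVED_TEAM_IDS:
            findings.append(Finding(udid, "unknown_profile",
                                    f"{prof['name']} (team {prof['team_id']})"))
    return findings


def audit_fleet(inventory: list[dict]) -> list[Finding]:
    """Run audit_device over every record; the result is empty for a clean fleet."""
    return [f for rec in inventory for f in audit_device(rec)]


# Constructed sample inventory, not real export data.
SAMPLE_INVENTORY = [
    {   # clean corporate device
        "udid": "DEVICE-0001", "compromised": False,
        "apps": [{"bundle_id": "com.apple.mobilesafari", "team_id": None},
                 {"bundle_id": "com.example.corp.mail", "team_id": "CORP0TEAM1"}],
        "profiles": [{"name": "Corp Distribution", "team_id": "CORP0TEAM1"}],
    },
    {   # sideloaded app under a foreign enterprise certificate
        "udid": "DEVICE-0002", "compromised": False,
        "apps": [{"bundle_id": "com.apple.mobilesafari", "team_id": None},
                 {"bundle_id": "com.unknown.game", "team_id": "ZZ9PLURAL7"}],
        "profiles": [{"name": "Corp Distribution", "team_id": "CORP0TEAM1"},
                     {"name": "iOS Team Provisioning", "team_id": "ZZ9PLURAL7"}],
    },
    {   # jailbroken device, otherwise approved software
        "udid": "DEVICE-0003", "compromised": True,
        "apps": [{"bundle_id": "com.example.corp.expenses", "team_id": "CORP0TEAM1"}],
        "profiles": [{"name": "Corp Distribution", "team_id": "CORP0TEAM1"}],
    },
]


if __name__ == "__main__":
    for f in audit_fleet(SAMPLE_INVENTORY):
        print(f"{f.device}: {f.kind}: {f.detail}")
```

Run against the sample, the clean device produces nothing, the second device yields three findings (an unapproved bundle ID, an enterprise signer the organization does not recognize, and the matching foreign profile), and the third is flagged only for being compromised. The signer check is the one that matters for WireLurker: the jailbreak flag stays false on the very device that was infected.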
4) Train employees to stay cautious with a list of suggestions from the IT department
While it may not always be apparent to users, connecting a mobile device by USB to another computer is an exchange of information between two devices, not just a charge. It is important to know and trust the hardware you connect your device to. On iOS, the “Trust This Computer?” prompt is the moment that access is granted and should be accepted only for computers the user controls; a computer the user has already trusted, such as their own infected Mac in the WireLurker case, gets no further prompt, which is why keeping the computer itself clean matters just as much.
Alert users to pay attention to messages pushed to their mobile devices, such as software update notifications and alerts, and to unexpected prompts to trust a computer or install a profile or app.
Communicate new threats to users as they are discovered, and suggest appropriate precautions.
Read more about AirWatch’s mobile security solutions.