You’ve been shocked and bled. Prepare to be LURKED – OS X/iOS malware spreading like Wildfire
Researchers at Palo Alto Networks have identified a nasty piece of malware in the wild which infects iOS devices via their umbilical (USB) cord.
The modus operandi of the malware appears to be that it downloads malicious applications onto an iOS device connected to an infected OS X host. Whilst it is not clear what the intent is, the malware regularly phones home (to its command and control servers) and is capable of stealing data from your mobile device.
Somewhat relieving (at the moment) for us in the West is that the initial vector for infecting the mothership (the Mac OS X machine) has been the downloading of apps from the Chinese Maiyadi App Store. That is not to say that other download stores are not compromised, but it probably gives us some breathing space.
The top ten apps downloaded were (up to October 2014; source: Palo Alto Networks):
Palo Alto Networks has released two signatures to identify the Command and Control (C2) traffic from the malware (13748, 13749), and it is anticipated that other vendors will follow, including antivirus vendors.
Palo Alto have also written a Python script which can be used to detect infected OS X machines. You can download it here:
In order to prevent infection in the first place, the following are recommended (by Palo Alto actually, but we fully endorse them):
- Enterprises should assure their mobile device traffic is routed through a threat prevention system using a mobile security application. Palo Alto’s solution is called GlobalProtect. ITC’s NetSure360° platform has this functionality as standard.
- Employ an antivirus or security protection product for the Mac OS X system and keep its signatures up-to-date
- In the OS X System Preferences panel under “Security & Privacy,” ensure “Allow apps downloaded from Mac App Store (or Mac App Store and identified developers)” is set
- Do not download and run Mac applications or games from any third-party app store, download site or other untrusted source
- Keep the iOS version on your device up-to-date
- Do not accept any unknown enterprise provisioning profile unless an authorized, trusted party (e.g. your IT corporate help desk) explicitly instructs you to do so
- Do not pair your iOS device with untrusted or unknown computers or devices
- Avoid powering your iOS device through chargers from untrusted or unknown sources
- Similarly, avoid connecting iOS devices with untrusted or unknown accessories or computers (Mac or PC)
- Do not jailbreak your iOS device; if you do jailbreak it, only use credible Cydia community sources and avoid the use or storage of sensitive personal information on that device
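As an added example (not from the original post, and not Palo Alto's detection script), here is a small shell audit of the Mac-side recommendations above: it confirms Gatekeeper assessments are enabled and flags application bundles in /Applications that fail Gatekeeper assessment, which is where apps sideloaded from a third-party store would show up. The `spctl` output formats it parses ("assessments enabled", "<path>: accepted", "source=...") are assumptions from the tool's normal behaviour.

```shell
#!/bin/sh
# Added example: audit the Mac-side hardening recommendations
# (Gatekeeper on, no unassessed apps). Output formats are assumptions.

# Parse `spctl --status` output. Assumed format: "assessments enabled"
# or "assessments disabled". Returns 0 when Gatekeeper is on.
gatekeeper_enabled() {
  case "$1" in
    *"assessments enabled"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Classify one `spctl --assess --type execute -v <app>` result.
# Assumed format: "<path>: accepted" followed by "source=<origin>",
# or "<path>: rejected". Prints mac-app-store, developer-id,
# other-accepted, rejected or unknown.
classify_assessment() {
  case "$1" in
    *": rejected"*)            echo "rejected" ;;
    *"source=Mac App Store"*)  echo "mac-app-store" ;;
    *"source=Developer ID"*)   echo "developer-id" ;;
    *": accepted"*)            echo "other-accepted" ;;
    *)                         echo "unknown" ;;
  esac
}

# Live audit: only meaningful on macOS, where spctl exists.
audit_mac() {
  status=$(spctl --status 2>&1)
  if gatekeeper_enabled "$status"; then
    echo "OK: Gatekeeper assessments are enabled"
  else
    echo "WARN: Gatekeeper disabled (apps from anywhere allowed)"
  fi
  for app in /Applications/*.app; do
    [ -d "$app" ] || continue
    verdict=$(classify_assessment "$(spctl --assess --type execute -v "$app" 2>&1)")
    case "$verdict" in
      rejected|unknown)
        echo "FLAG: $app ($verdict) - not App Store / identified developer" ;;
    esac
  done
}

if command -v spctl >/dev/null 2>&1; then
  audit_mac
fi
```

Run it as an ordinary user on the Mac; any bundle it flags deserves a look at where it came from before it is launched again.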
If you have any concerns about this or any other malware issues, our managed security platform includes the identification of C2 traffic, so our existing customers are already ahead of the game. If you would like some advice, please contact us on: 0207 517 3900 or email [email protected]
We would like to thank Unit 42 of Palo Alto Networks for this excellent work.