iOS and OS X Are Beginning to Be as Targeted as Windows

Petrovic

Whether Apple products were ever immune to malware is arguable, but reports from the security industry in the past few months are clearly showing an increased interest from cybercriminals in OS X and iOS users.

“OS X and iOS users have been relatively shielded from malware compared to Windows users. However, as both the mobile and desktop operating systems from Apple gain popularity amongst users, they become viable targets for cyber-crime,” says Bogdan Botezatu, senior malware analyst at Bitdefender.

Lately, it has been observed that these platforms have become more appealing for different types of attacks, not just the financially motivated ones.

Stealing ad revenue and spying

In August, research on an older discovery revealed that a threat dubbed AdThief infected about 75,000 iOS devices, managing to steal the revenue from 22 million advertisements. The user would not be directly impacted by this, but iOS app makers would no longer receive the monetary rewards.

According to the analysis, AdThief had been in use since at least December 10, 2013, and it caught the attention of security researchers in March 2014, when about 22,000 daily activations were observed.

In this case, the malware worked on jailbroken devices, which do not benefit from the inherent security restrictions from Apple.

In September, researchers from FireEye announced that a piece of malware called XSLCmd had been ported from Windows to OS X. Stealing data from the affected computer seemed to be the main purpose of the threat.

All evidence pointed at cyber-espionage activity from a group they named GREF, which, based on historical information, is believed to have been operating since 2009.

Another Trojan was revealed by the experts at Lacoon Mobile Security at the end of September. The malware, named Xsser mRAT, is designed for the iOS platform and is allegedly the work of the Chinese government.

It was found on a server hosting its Android counterpart that was flung at Hong Kong pro-democracy protesters under the guise of an app that would help with better coordination of the manifestation.

Like AdThief, Xsser mRAT also works on jailbroken devices only, and it would send to its command and control server information about the infected phone, from the version of the OS, MAC address, IMSI and IMEI codes, to the phone number of the SIM card.

Enslaving Macs and infecting non-jailbroken iPhones

The month of September was unusually prolific in reports about malware for Apple products, as news about another threat came from antivirus vendor Doctor Web, this time alerting of a botnet of OS X systems caused by iWorm.

According to telemetry data at the time, connections from more than 17,000 unique IP addresses were recorded; this does not reflect the real number of infected computers, since dynamic IPs are generally assigned by ISPs to customers, and as such, an infected computer could connect to the command and control server under different IPs.

In October, we saw another report about an OS X threat called Ventir put together by researchers at Kaspersky. They said that one of the modules was actually an open source tool built to intercept keystrokes.

However, in more recent news in November, Palo Alto Networks found WireLurker, an impressive piece of malware aimed at users in China that jumps from OS X to iOS via a USB connection and can compromise even non-jailbroken devices.

The number of victims is estimated at hundreds of thousands, while the attack vector consisted of Trojanized apps downloaded from a third-party marketplace that offered premium pirated content.

The move from OS X to iOS was possible through malicious apps signed with enterprise certificates, which can be installed without restriction on non-jailbroken devices.

Researchers expect more malware to be discovered

It is clear that there is a real interest in compromising products from Apple in order to spy or steal from the owners.

“Most of the cyber-criminals are focused on making money, so the more potential victims, the lower the overall cost of the attack is, which in turn makes developing Mac or iOS malware a profitable business. We expect to see more of these threats in the wild during the next year,” said Botezatu via email.

Other researchers agree that malware has become a real threat for Apple products, WireLurker being the perfect example in the argument, according to Christian Funk, senior security researcher at Kaspersky.

He says that the chances of an unprotected Mac system becoming infected have grown by three percent in the first eight months of 2014, as 25 different malware families for Apple’s platform have been discovered.

A 3% security risk increase may not seem like much, but these numbers come from devices protected by a security solution from Kaspersky, the researcher warns; the total number of threats is likely to be much higher.

“Compared to the malware situation on PCs and even Android devices the threat landscape in the Mac world is pretty calm, but nevertheless threats do exist. Macs can also be carriers of malware intended for other operating systems - the malware doesn’t affect the Mac directly, but can forward an infected file to a Windows computer, or - as in this case [WireLurker] - an iPhone,” Funk said.

If it hasn’t happened already, Apple users are about to wake up to a harsh reality where their devices have become a target, and the security measures from the developer are no longer proving to be 100% efficient, even for non-jailbroken devices.
 