How to detect and remove WireLurker from OS X and iOS

“Following the recent Wirelurker malware that was discovered yesterday, Apple has taken some rapid steps to fix it, including releasing an XProtect update to detect programs that are run on OS X which may contain the malware, and revoking developer certificates for compromised applications that are being used as vectors to spread the malware,” Topher Kessler writes for MacIssues. “In addition to these steps, if you suspect your Mac or iOS system might have been infected, then there are some steps you can take to detect and remove it from your system.”

“The WireLurker malware installs a number of files on your OS X system, which set it up to detect any iOS systems you attach by a USB cable, and then install malware into that iOS device,” Kessler writes. “If you have any of these files on your Mac, then you likely have the malware installed. These have been outlined by Palo Alto Networks, the company that discovered the malware…”

Kessler's full detection and removal instructions for OS X and iOS are in his MacIssues article.
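The procedure Kessler describes, checking the Mac for the indicator files listed by Palo Alto Networks, can be scripted. The following is an added example written for this page; it is not Kessler's instructions or Palo Alto Networks' detector. It takes a caller-supplied list of indicator paths (the list in the block is a constructed placeholder, not the published indicators, which the page does not reproduce) and reports which of them exist along with their SHA-256 hashes for comparison against published hashes. It also goes one step beyond the quoted text: because the OS X component has to run in the background to notice a USB-attached iOS device, it parses the launchd plists in the third-party /Library/LaunchDaemons and /Library/LaunchAgents directories and flags jobs whose Label sits in Apple's com.apple namespace, since Apple's own jobs ship under /System/Library and a com.apple.* label outside it is a common masquerade. The filesystem the demo scans is constructed in a temporary directory.

```python
#!/usr/bin/env python3
"""Host-side triage for a WireLurker-style OS X infection (added example).

Two checks, both driven by data the caller supplies:
  1. Indicator paths: does any file from a published list exist under root?
  2. Persistence review: parse every launchd plist in the third-party
     LaunchDaemons/LaunchAgents directories and flag jobs whose Label
     squats in Apple's "com.apple." namespace, or whose program is gone.
"""
import hashlib
import os
import plistlib
import sys
import tempfile

# Constructed placeholder indicators; NOT the published WireLurker list.
PLACEHOLDER_INDICATORS = [
    "Library/LaunchDaemons/com.apple.example-masquerade.plist",
    "usr/bin/example-watcher",
]

# Apple's own jobs live under /System/Library/...; these hold third-party jobs.
THIRD_PARTY_LAUNCHD_DIRS = ("Library/LaunchDaemons", "Library/LaunchAgents")


def sha256_of(path):
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_indicators(root, indicators):
    """Return {relative_path: sha256} for every indicator present under root."""
    hits = {}
    for rel in indicators:
        full = os.path.join(root, rel)
        if os.path.isfile(full):
            hits[rel] = sha256_of(full)
    return hits


def launchd_program(job):
    """launchd accepts either a Program string or ProgramArguments[0]."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def review_launchd(root):
    """Return (plist_path, label, program, reason) for each suspicious job."""
    findings = []
    for rel_dir in THIRD_PARTY_LAUNCHD_DIRS:
        d = os.path.join(root, rel_dir)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as f:
                    job = plistlib.load(f)
            except Exception as exc:  # a plist launchd cannot parse is itself odd
                findings.append((path, None, None, f"unparseable plist: {exc}"))
                continue
            label = job.get("Label", "")
            program = launchd_program(job)
            if label.startswith("com.apple."):
                findings.append((path, label, program,
                                 "com.apple.* label in third-party launchd dir"))
            elif program and not os.path.exists(
                    os.path.join(root, program.lstrip("/"))):
                findings.append((path, label, program, "program missing on disk"))
    return findings


def scan(root="/", indicators=PLACEHOLDER_INDICATORS):
    return {"indicator_hits": check_indicators(root, indicators),
            "launchd_findings": review_launchd(root)}


def build_demo_tree():
    """Constructed fake filesystem: one masquerading job, one benign job."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Library/LaunchDaemons"))
    os.makedirs(os.path.join(root, "usr/bin"))
    with open(os.path.join(root, "usr/bin/example-watcher"), "wb") as f:
        f.write(b"#!/bin/sh\nexit 0\n")
    jobs = {
        "com.apple.example-masquerade.plist": {
            "Label": "com.apple.example-masquerade",
            "ProgramArguments": ["/usr/bin/example-watcher"],
            "RunAtLoad": True, "KeepAlive": True},
        "org.example.backup.plist": {
            "Label": "org.example.backup",
            "ProgramArguments": ["/usr/bin/example-watcher"]},
    }
    for name, job in jobs.items():
        with open(os.path.join(root, "Library/LaunchDaemons", name), "wb") as f:
            plistlib.dump(job, f)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    result = scan(target)
    for rel, digest in result["indicator_hits"].items():
        print(f"INDICATOR {rel} sha256={digest}")
    for path, label, program, reason in result["launchd_findings"]:
        print(f"LAUNCHD {path} label={label} program={program}: {reason}")
```

On a Mac under review run it as root with `/` as the argument so every path is readable; with no argument it builds and scans the constructed demo tree. A result with no hits only means none of the supplied indicators were present, not that the machine is clean, so substitute the published indicator list and still apply Apple's XProtect update.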

Related articles:
Apple blocks Chinese trojan apps – November 6, 2014
Apple blocks apps after WireLurker malware on iOS and Mac OS X uncovered in China – November 6, 2014
WireLurker trojan targeted at non-jailbroken iPhones spreads in China – November 6, 2014
There’s practically no iOS malware, thanks to Apple’s smart control over app distribution – June 13, 2014
F-Secure: Android accounted for 99% of new mobile malware in Q1 2014 – April 30, 2014
Google’s Sundar Pichai: Android not designed to be safe; if I wrote malware, I’d target Android, too – February 27, 2014
Cisco: Android the target of 99 percent of world’s mobile malware – January 17, 2014
U.S. DHS, FBI warn of malware threats to Android mobile devices – August 27, 2013
Android app malware rates skyrocket 40 percent in last quarter – August 7, 2013
First malware found in wild that exploits Android app signing flaw – July 25, 2013
Mobile Threats Report: Android accounts for 92% of all mobile malware – June 26, 2013
Latest self-replicating Android Trojan looks and acts just like Windows malware – June 7, 2013
99.9% of new mobile malware targets Android phones – May 30, 2013

33 Comments

    1. Jailbreaking has NOTHING to do with this.
      READ how iOS gets infected… via USB only.

      “The WireLurker malware installs a number of files on your OS X system, which set it up to detect any iOS systems you attach by a USB cable, and then install malware into that iOS device,”

      Some people are just idiots.

      1. Now, now. Everyone is entitled to his/her form of entertainment. Hanging out on Mac Daily News to belittle the opposition may be this person’s form of fun.

        Besides, better the devil you know than the devil you don’t know — keep pushing and “Feather” will probably change his/her avatar. And given the obvious level of intelligence and cleverness involved, we would not be up to the challenge of guessing that “Feather1” and then “Feather2” and then “Feather3” are really the same person.

    1. Dork. No one here thought anything like that. But to get this you have to download infected apps from a non-trusted site.
      You can’t teach stupid. Some people just have to learn the hard way. Only use reputable sites to get your software. Oh, like, say, the Apple App Store.

  1. Why the hell is this article talking about this as if it affects anyone more than some Chinese users, all the way in China, who have somehow (how could they if they didn’t jailbreak their phone) used a third-party iOS app store?? I’ve never heard of a third-party app store for iOS that doesn’t require jailbreaking. Apple would never allow that kind of mess. So what the hell are we even talking about?

    1. We’re talking about reading the story a little more clearly, I think. As I read it, if you install OS X apps from non-Apple sources you could be downloading an OS X app that has been modified to have this malware in it. Once run, that code installs other background software that watches for an iOS device to be attached, and when one comes along, it gets this other malware force-fed to it.

    2. This particular outbreak was limited to China, but the same techniques can be used anywhere. It’s likely there will now be more malware with the same ability to infect non-jailbroken devices, until Apple changes or replaces enterprise provisioning deployment in iOS.

    1. I know that if you backup to iTunes and restore (even to a new iPhone), old apps will continue to be usable, even if they are no longer in the App store. Not sure about iCloud backups…

  2. Right now, at least, you can only get this malware if you access a third party App Store based in China.

    Like any other piece of software, if you don’t get it from flybynight.com you don’t have anything to worry about.

    Seems to me we have some folks dying to say, “See Macs aren’t safe either” and they’ll take any little thing they can find and blow it way out of proportion.

    Wake me when this reaches the Apple App stores.

    1. Many want software not available in Apple’s official sources for various reasons, and are willing to go to shady sources, aware of the risks involved. Just try to be smart about it: watch out for malware yourself, and don’t blame Apple if your shady deal goes sour.

  4. Derek, from the “original article”:

    “WireLurker was used to trojanize 467 OS X applications on the Maiyadi App Store, a third-party Mac application store in China. In the past six months, these 467 infected applications were downloaded over 356,104 times and may have impacted hundreds of thousands of users.”

    If this isn’t a third party App Store problem why does it say that is where the malware was downloaded from?

    1. Because it was also inserted into pirated software that was freely available on other sites/torrents as well.

      “and from underground Web sites that distribute pirated software.”
