China’s Sketchy App Stores Now Serve up iPhone Malware

A Chinese man talks on a mobile phone as he walks past a billboard advertising Taobao's mobile app inside a subway station in Beijing. Andy Wong/AP

A US security company has raised the alarm about a new breed of malware that has infiltrated hundreds of thousands of Apple devices, including Macs and iPhones. But unless you’re downloading pirated software from Chinese app stores, you probably don’t have anything to worry about.

The “Wirelurker” malware was flagged by security firm Palo Alto Networks, and is notable because it is one of the first pieces of malicious code that can infect iPhones that have not been jailbroken, that is, modified so that they can use apps not approved by Apple. But Wirelurker still requires users to download an unauthorized OS X app for their Mac computers—in particular one of several hundred that are available on a Chinese app store called Maiyadi—after which the malware is transferred to an iPhone or iPad via a USB cable.

“We believe that this malware family heralds a new era in malware attacking Apple’s desktop and mobile platforms,” Palo Alto Networks researcher Claud Xiao said in a blog post. Maiyadi offers about 400 apps infected with Wirelurker, which have been downloaded more than 350,000 times, Xiao added. The site, which also contains extensive technology discussion forums, claims to have 1.5 million active registered users.

China’s app stores are notorious for two things: pirated apps, and huge amounts of malware. It’s a particular problem for smartphones running Google’s Android OS, especially because the official Google Play app store is not available in China. In its place, hundreds of third-party app stores have sprung up, some from major tech companies like Baidu and Tencent, along with many others from smaller companies. A study last year of the twenty biggest global Android app stores found over 7,000 dangerous malware-carrying apps on offer, most of them in China.

Unlike Google Play, Apple’s app stores for both iOS mobile devices and computers running OS X are available in China—so the main reason to frequent third-party app stores like Maiyadi is to find pirated (i.e. free) software.

Chinese social media users seemed unsurprised that malware and pirated apps went hand-in-hand.

“Don’t use Maiyadi’s pirated software. It’s a pile of viruses,” said one Sina Weibo user (in Chinese). “This gives users a wake up call, it’s still best to download from official, trustworthy sources like the Mac App store,” said a contributor to an Apple forum on Feng.com (in Chinese).

Wirelurker, to be sure, looks to be an exceptionally nasty piece of malware. Once it infects a Mac and is then transferred to an iPhone, it can overwrite existing programs on your smartphone, replacing them with corrupted versions that could potentially steal passwords or financial data.

“We are aware of malicious software available from a download site aimed at users in China, and we’ve blocked the identified apps to prevent them from launching,” Apple tells Quartz in a statement. “As always, we recommend that users download and install software from trusted sources.”

Wirelurker, for now, limits itself to loading an innocuous comic book reader app on infected iPhones, which Palo Alto Networks speculates could be a test run for more nefarious aims down the road. “This malware is under active development, and its creator’s ultimate goal is not yet clear,” Xiao wrote in his blog post.

Palo Alto Networks also said that there are signs that the creators of Wirelurker, like its victims, are Chinese. It’s worth noting that Wirelurker appears to be unrelated to last month’s reported hacking of Apple’s iCloud services in China, which let unidentified intruders insert themselves between iPhone users and Apple’s servers to intercept sensitive data.