Apple Fixes WireLurker Trojan, Windows Version Is Out in the Wild

WireLurker

Remember Apple, the company that used to say that its products are too good to get infected with viruses and trojans? Well, iOS and OS X devices have just had their first serious malware infestation ever.

Originating in a third-party Chinese OS X app store called Maiyadi, the WireLurker trojan is, according to Unit 42, a “new era in malware across Apple’s desktop and mobile platforms.” It is easily transferred from MacOS computers to iOS devices through a USB cable, and it is estimated that 800 million iPhone users could be affected.

The WireLurker trojan shows its Windows roots, as an earlier variant has been using malware made for Microsoft’s OS to attack Apple devices. It’s particularly dangerous as it represents the first malware to install apps on non-jailbroken iPhones using enterprise provisioning.

“We are aware of malicious software available from a download site aimed at users in China, and we’ve blocked the identified apps to prevent them from launching. As always, we recommend that users download and install software from trusted sources,” explained an Apple spokesperson in a statement to Business Insider.

“Previously we knew the WireLurker was distributed through the Maiyadi App Store. However, the newly revealed samples were directly uploaded to Baidu YunPan by user ‘ekangwen206’,” added Palo Alto researchers Claud Xiao and Royce Lu.

“The main functionality of this malware is to copy sfbase.dylib and sfbase.plist in its Resources directory to specific locations to make them perform as a MobileSubstrate tweak, shown in Figure 7. Additionally, the malware will communicate with the C2 server ‘www.comeinbaby.com’, the same server used by the version of WireLurker we revealed yesterday,” explained Xiao and Lu.

iOS forensics expert Jonathan Zdziarski pointed out that “Apple can revoke the enterprise certificate to prevent installation on iOS 8 devices; however WireLurker can still read information from the device without it. This is because the information is queried by the Mac desktop when your iPhone is plugged into it, by abusing that trusted relationship. Also, if you have a jailbroken iPhone running afc2 (a terribly insecure service allowing root file system access to the device), then a mobile substrate library is copied onto the device to infect the system. This is done regardless of whether or not WireLurker still has a valid enterprise profile.”


Facebook Messenger Friend-to-Friend Payment System Is on the Way

Facebook Messenger Friend-to-Friend Payment

The social network will soon enable us to send money to our friends and Nigerian princes using its Messenger app. While the feature is already there, it hasn’t been turned on for the general public.

Just in case Facebook didn’t already have enough information on you, your friends and family, now it will also have access to debit card information. That is, if you want to use the Facebook Messenger friend-to-friend payment system.

The hidden feature was discovered by Stanford student Andrew Aude who used Cycript, a tool that enables developers to take mobile apps apart in order to learn how to modify them. Judging by what he told Gizmodo’s Kate Knibbs, this didn’t actually happen in the past week, but a month ago: “I first found it a month ago with Jonathan Zdziarski’s security research into Facebook Messenger.” One of Zdziarski’s screenshots triggered Aude’s curiosity and motivated him to dig deeper into the matter. After performing some research, he discovered that the payment feature is actually part of Facebook Messenger, and not a stand-alone app.

Ex-PayPal president David Marcus joined the social network not long ago as the head of Messenger, so this new feature somehow makes sense. The man came and did what he knew best. While PayPal itself doesn’t appear in the app, the code discovered by Aude mentioned that payment processor, which means that Facebook won’t handle the payments on its own.

The Facebook Messenger version discovered by Aude only featured debit card payments. Credit cards and bank accounts weren’t available, even though they might be added at a later point. The only security measure was represented by a PIN, and I really think Facebook should work more on that, as it seems something a bit too easy to bypass.

Notes suggesting the possibility of making payments to multiple parties were also found by Aude within the app’s code. Other than that, the transactions are private, which can only be a good thing. It would be awkward and disturbing if incoming or outgoing payments showed up as a status update for others to like.

Thank you very much, Facebook, but I’ll just let established companies handle my dough! The company declined to make any comments on Aude’s discovery, and as far as I’m concerned, I hope it kills the project altogether.
