{
	"id": "c552a077-921c-4a3f-928f-3f4c2fd9487f",
	"created_at": "2026-04-06T01:31:53.582899Z",
	"updated_at": "2026-04-10T03:20:27.044092Z",
	"deleted_at": null,
	"sha1_hash": "4d1b4851f63cd2ea166d2722b48bf1fc88763726",
	"title": "WireLurker: A New Era in OS X and iOS Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43481,
	"plain_text": "WireLurker: A New Era in OS X and iOS Malware\r\nBy Claud Xiao\r\nPublished: 2014-11-05 · Archived: 2026-04-06 00:22:36 UTC\r\nToday we published a new research paper on WireLurker, a family of malware targeting both Mac OS and iOS\r\nsystems for the past six months. We believe that this malware family heralds a new era in malware attacking\r\nApple’s desktop and mobile platforms based on the following characteristics:\r\nOf known malware families distributed through trojanized / repackaged OS X applications, it is the biggest\r\nin scale we have ever seen\r\nIt is only the second known malware family that attacks iOS devices through OS X via USB\r\nIt is the first malware to automate generation of malicious iOS applications, through binary file\r\nreplacement\r\nIt is the first known malware that can infect installed iOS applications similar to a traditional virus\r\nIt is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through\r\nenterprise provisioning\r\nWireLurker was used to trojanize 467 OS X applications on the Maiyadi App Store, a third-party Mac application\r\nstore in China. In the past six months, these 467 infected applications were downloaded over 356,104 times and\r\nmay have impacted hundreds of thousands of users.\r\nHow It Works\r\nWireLurker monitors any iOS device connected via USB with an infected OS X computer and installs\r\ndownloaded third-party applications or automatically generated malicious applications onto the device, regardless\r\nof whether it is jailbroken. This is the reason we call it “wire lurker”. Researchers have demonstrated similar\r\nmethods to attack non-jailbroken devices before; however, this malware combines a number of techniques to\r\nsuccessfully realize a new brand of threat to all iOS devices.\r\nWireLurker exhibits complex code structure, multiple component versions, file hiding, code obfuscation and\r\ncustomized encryption to thwart anti-reversing. 
In this whitepaper, we explain how WireLurker is delivered, the\r\ndetails of its malware progression, and specifics on its operation.\r\nWe further describe WireLurker’s potential impact, as well as methods to prevent, detect, contain and remediate\r\nthe threat. We also detail Palo Alto Networks Enterprise Security Platform protections in place to counter\r\nassociated risk.\r\nWireLurker is capable of stealing a variety of information from the mobile devices it infects and regularly requests\r\nupdates from the attacker’s command and control server. This malware is under active development and its\r\ncreator’s ultimate goal is not yet clear.\r\nWe recommend users take the following actions to mitigate the threat from WireLurker and similar threats:\r\nEnterprises should ensure their mobile device traffic is routed through a threat prevention system using a\r\nmobile security application like GlobalProtect\r\nEmploy an antivirus or security protection product for the Mac OS X system and keep its signatures up-to-date\r\nIn the OS X System Preferences panel under “Security \u0026 Privacy,” ensure “Allow apps downloaded from\r\nMac App Store (or Mac App Store and identified developers)” is set\r\nDo not download and run Mac applications or games from any third-party app store, download site or other\r\nuntrusted source\r\nKeep the iOS version on your device up-to-date\r\nDo not accept any unknown enterprise provisioning profile unless an authorized, trusted party (e.g. 
your IT\r\ncorporate help desk) explicitly instructs you to do so\r\nDo not pair your iOS device with untrusted or unknown computers or devices\r\nAvoid powering your iOS device through chargers from untrusted or unknown sources\r\nSimilarly, avoid connecting iOS devices with untrusted or unknown accessories or computers (Mac or PC)\r\nDo not jailbreak your iOS device; if you do jailbreak it, only use credible Cydia community sources and\r\navoid the use or storage of sensitive personal information on that device\r\nDownload “WireLurker: A New Era in OS X and iOS Malware” here.\r\nVisit Unit 42 for new research and a full list of speaking appearances, as well as to subscribe to updates.\r\nUnit 42 On the Road\r\nUnit 42 team leads regularly appear at industry conferences throughout the world. In November, Unit 42’s regular\r\nroadshow will make three stops in Canada. Click each link to register, and watch for more Unit 42 roadshows\r\ncoming to cities near you.\r\nTuesday, Nov. 18 in Toronto, Ont.\r\nWednesday, Nov. 19 in Calgary, Alberta\r\nThursday, Nov. 20 in Vancouver, B.C.\r\nSource: https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/"
	],
	"report_names": [
		"wirelurker-new-era-os-x-ios-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775439113,
	"ts_updated_at": 1775791227,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4d1b4851f63cd2ea166d2722b48bf1fc88763726.pdf",
		"text": "https://archive.orkl.eu/4d1b4851f63cd2ea166d2722b48bf1fc88763726.txt",
		"img": "https://archive.orkl.eu/4d1b4851f63cd2ea166d2722b48bf1fc88763726.jpg"
	}
}