Well that was fast.
Not quite ten days after we released our white paper on WireLurker, arrests have already been made in China. WireLurker is a new family of malware specifically targeting iOS devices via USB. There is WireLurker malware for both Mac OS X and Microsoft Windows operating systems.
WireLurker works by looking for any iOS devices connected via USB with an infected OS X or Windows computer. When it detects one, it installs downloaded third-party applications or automatically generated malicious applications onto the device, regardless of whether it is jail broken. This is the reason we call it “wire lurker”.
On November 14, the Beijing Municipal Public Security Bureau announced it had arrested three people in connection with the WireLurker malware. The police received a tip from the Chinese technology company Qihoo 360 and subsequently arrested three individuals, respectively surnamed Chen, Li, and Wang. The third-party app store that had been serving WireLurker, Maiyadi, was also shut down.
The police have not released the suspects’ full names, but several Chinese sources are reporting two of them may be the founders of Maiyadi, Chen Peng and Wang Jian. The third is likely the “Li Fei” whose name appears in the Windows WireLurker code, and had a certificate from Apple used in the iOS version. As noted in an earlier WireLurker blog, these details support the technical analysis that indicated a likely tie between Maiyadi and the malware.
It is not known if the developer previously tracked down and accused of being tied to WireLurker is among those arrested, or whether his claim of innocence is founded. Of note, the Chinese-language forum that originally publicized that developer’s information was served with legal paperwork and deleted the respective content. Interestingly, the lawyer CC’d a Maiyadi email account for Chen Peng when sending the paperwork, one of the individuals who may been arrested. A screenshot of the removal request from the lawyer is below. The two highlighted characters in the CC’d line are Chen Peng.
Figure 1. Removal letter from a lawyer sent to the Chinese-language forum that initially published a possible WireLurker-related developer’s personal information. The characters highlighted in blue on the CC’d line are Chen Peng, a Maiyadi founder possibly among those arrested last week for WireLurker.
We will continue to monitor for WireLurker-related activities and make updates here as appropriate.
[Palo Alto Networks Blog]