Palo Alto analyzed three versions of WireLurker.
If someone downloaded a Mac OS X desktop application from Maiyadi, WireLurker came along with it. WireLurker then waits for when an iOS device is connected by a USB cable. A second version of WireLurker checks if the Apple device was jailbroken -- if it allows users to run applications not approved by Apple. Then it would look to see if applications such as Taobao, Alipay or Meitu, a photo editing application, were installed. If so, it would copy the application to the desktop Mac, infect it with WireLurker and copy it back to the device.
But a third iteration of WireLurker targets iOS devices that are not jailbroken as well. In that version, WireLurker used a digital certificate that Apple issues to enterprise developers so they can run their own applications in-house that do not appear on the App Store.
Some 467 Mac OS X applications offered on a Chinese third-party application store called Maiyadi were found to have been seeded with WireLurker, including "The Sims 3," and "Pro Evolution Soccer 2014," according to Palo Alto’s research paper.
Over the last six months, those applications and others have been downloaded 356,104 times and may have impacted hundreds of thousands of users, a firm's paper said.
Palo Alto Networks has released signatures to detect all WireLurker Command & Control communication traffic. The firm recommended that customers using OS X or iOS devices deploy a strict policy for blocking WireLurker traffic using the Palo Alto Networks enterprise security platform.
Palo Alto Networks has notified Apple about the malware a couple weeks ago.
"We are aware of malicious software available from a download site aimed at users in China, and we?ve blocked the identified apps to prevent them from launching," Apple said. "As always, we recommend that users download and install software from trusted sources."