  • (Technology) Apple malware infects Chinese users' phones
    Science and Technology / Technology, 2014. 11. 7. 21:59

    Source: http://www.bbc.com/news/technology-29928751

    6 November 2014 Last updated at 11:25

    Apple malware affects mostly Chinese users

    [Video caption] The BBC's John Sudworth explains how the malware affects Apple products

    Malware has bypassed Apple's safety controls by taking advantage of a process used by employers to add apps to workers' iPhones and iPads.

    US-based Palo Alto Networks said WireLurker appeared to have originated in China and was mostly infecting devices there.

    The malware first targets Mac computers via a third-party store before copying itself to iOS devices.

    Researchers warn it steals information and can install other damaging apps.

    "WireLurker is unlike anything we've ever seen in terms of Apple iOS and OS X malware," said Ryan Olson, Palo Alto Network's intelligence director.

    "The techniques in use suggest that bad actors are getting more sophisticated when it comes to exploiting some of the world's best-known desktop and mobile platforms."

    WireLurker has the ability to transfer from Apple's Mac computer to mobile devices through a USB cable.

    [Image: Mac and iPhone] The malware initially gets onto an iOS device via a USB link to an infected Mac computer

    The security firm said the malware was capable of stealing "a variety of information" from mobile devices it infects and regularly requested updates from the attackers' control server.

    "This malware is under active development and its creator's ultimate goal is not yet clear," the company added.

    Apple has issued a brief statement.

    "We are aware of malicious software available from a download site aimed at users in China, and we've blocked the identified apps to prevent them from launching," it said.

    "As always, we recommend that users download and install software from trusted sources."

    Work apps

    According to Palo Alto Networks, WireLurker was first noticed in June when a developer at the Chinese firm Tencent realised there were suspicious files and processes happening on his Mac and iPhone.

    Further inquiries revealed a total of 467 Mac programs listed on the Maiyadi App Store had been compromised to include the malware, which in turn had been downloaded 356,104 times as of 16 Oct.

    Infected software included popular games including Angry Birds, The Sims 3, Pro Evolution Soccer 2014 and Battlefield: Bad Company 2.

    Once the malware was on the Mac, it communicated with a command-and-control server to check if it needed to update its code, and then waited until an iPhone, iPad or iPod was connected.

    When an iOS device was connected the malware would check if it was jailbroken - a process used by some to remove some of Apple's restrictions.

    If it was jailbroken, WireLurker backed up the device's apps to the Mac, where it repackaged them with malware, and then installed the infected versions back on to the iOS machine.

    If it was not jailbroken - which is the case for most iOS devices - WireLurker took advantage of a technique created by Apple to allow businesses to install special software on their staff's handsets and tablets.

    [Image] WireLurker hides its code inside software that is initially downloaded to a Mac computer

    This involved placing infected apps on the device that had been signed with a bogus "enterprise certificate". Apple issues such certificates to companies for distributing in-house apps to their own staff, and an app's signature under one is supposed to prove it comes from that company; here the certificate belonged to nobody the victim had any relationship with.

    To ensure the devices accepted this certificate, a permissions request was made to pop up on the targeted iOS device on the user's first attempt to run an infected app.

    It simply asked for permission to run the app, but if the user clicked "continue" it installed a "provisioning profile", a signed configuration file that told the iOS device it could trust any other app signed with the same enterprise certificate.

    Palo Alto Networks remarked that while this technique was not a new concept, it was the only known example of it being used to target non-jailbroken iOS devices in the wild.
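    The prompt described above gives the user no way to see who issued the profile. The following is an added example, not code from the BBC article, Apple or Palo Alto Networks: a small Python triage script that pulls the property list out of a .mobileprovision file (or an app's embedded.mobileprovision) and applies the policy in Palo Alto's advice, accepting an enterprise profile only when its team identifier is on an allowlist and it has not expired. The team IDs, profile names, dates and the placeholder bytes standing in for the signed envelope are all constructed for the demo; a real profile is a CMS/PKCS#7 SignedData blob, and the script deliberately does not verify that signature, it only reads the payload.

```python
"""Triage an iOS provisioning profile before trusting it.

Added example, not code from the BBC article, Apple or Palo Alto Networks.
A .mobileprovision file is a CMS/PKCS#7 SignedData blob whose payload is an
XML property list. iOS verifies the CMS signature; this script does not. It
only extracts the payload to answer what the WireLurker prompt hid: is this
an enterprise (in-house) profile, which team issued it, has it expired, and
is that team on my allowlist? All team IDs and dates below are constructed.
"""
import datetime
import plistlib
from dataclasses import dataclass, field


@dataclass
class ProfileVerdict:
    name: str
    team_ids: list
    enterprise: bool      # ProvisionsAllDevices set: in-house distribution profile
    expired: bool
    trusted_team: bool
    verdict: str          # "accept", "reject" or "review"
    reasons: list = field(default_factory=list)


def extract_plist(blob: bytes) -> dict:
    """Cut the XML plist out of the CMS envelope and parse it.

    Apple-issued profiles embed the plist as XML, so it can be located by its
    <?xml ... </plist> delimiters without an ASN.1 parser (assumption: XML,
    not binary, plist). Nothing here checks the signature.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no XML plist payload found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def triage(blob: bytes, allowed_teams: set, now: datetime.datetime) -> ProfileVerdict:
    """Policy (our assumption, following Palo Alto's advice): an enterprise
    profile is accepted only if every TeamIdentifier is on the allowlist, it
    has not expired and it is not a debuggable (get-task-allow) build."""
    p = extract_plist(blob)
    team_ids = list(p.get("TeamIdentifier", []))
    enterprise = bool(p.get("ProvisionsAllDevices", False))
    exp = p.get("ExpirationDate")           # plistlib yields naive UTC datetimes
    expired = exp is None or exp <= now
    trusted = bool(team_ids) and all(t in allowed_teams for t in team_ids)
    debuggable = bool(p.get("Entitlements", {}).get("get-task-allow", False))
    reasons = []
    if expired:
        reasons.append("ExpirationDate missing or in the past")
    if enterprise and not trusted:
        reasons.append("enterprise profile from team(s) not on allowlist: %s" % team_ids)
    if debuggable:
        reasons.append("get-task-allow entitlement set: development build")
    if expired or (enterprise and not trusted):
        verdict = "reject"
    elif enterprise and not debuggable:     # trusted is implied here
        verdict = "accept"
    else:
        verdict = "review"                  # dev / ad hoc profile: testers only
    return ProfileVerdict(p.get("Name", "?"), team_ids, enterprise, expired,
                          trusted, verdict, reasons)


def make_sample_profile(name, team_id, enterprise, expires):
    """Constructed test profile: the XML plist wrapped in placeholder bytes
    standing in for the DER envelope a real, signed profile carries."""
    payload = {
        "Name": name,
        "TeamIdentifier": [team_id],
        "CreationDate": expires - datetime.timedelta(days=365),
        "ExpirationDate": expires,
        "UUID": "00000000-0000-0000-0000-000000000000",
        "Entitlements": {"application-identifier": team_id + ".*",
                         "get-task-allow": False},
    }
    if enterprise:
        payload["ProvisionsAllDevices"] = True      # marks an in-house profile
    else:
        payload["ProvisionedDevices"] = ["0" * 40]  # ad hoc / dev: UDID-bound instead
    xml = plistlib.dumps(payload, fmt=plistlib.FMT_XML)
    return b"\x30\x82\x0f\xff" + b"\x00" * 12 + xml + b"\xa0\x82\x00\x10" + b"\x00" * 12


ALLOWED_TEAMS = {"CORP0000AA"}                      # hypothetical employer team ID
ARTICLE_DATE = datetime.datetime(2014, 11, 6)       # date of the BBC story
ONE_YEAR_LATER = datetime.datetime(2015, 11, 6)
EXPIRES = datetime.datetime(2015, 6, 1)
BOGUS_PROFILE = make_sample_profile("Update Service", "ZZ9Z9Z9Z9Z", True, EXPIRES)
CORP_PROFILE = make_sample_profile("Corp Internal Apps", "CORP0000AA", True, EXPIRES)
DEV_PROFILE = make_sample_profile("Corp Dev Build", "CORP0000AA", False, EXPIRES)

if __name__ == "__main__":
    for label, blob in (("bogus", BOGUS_PROFILE), ("corp", CORP_PROFILE), ("dev", DEV_PROFILE)):
        v = triage(blob, ALLOWED_TEAMS, ARTICLE_DATE)
        print("%-5s %-7s %s" % (label, v.verdict, "; ".join(v.reasons) or "ok"))
```

    On a real device the same information is reachable under Settings, General, Profiles (or Device Management), where the issuing team's name is shown; the point of the script is that the name and team identifier, not the fact that a prompt said "continue", are what should drive the decision. Because the CMS signature is not verified here, treat the output as triage, not as proof that the profile is genuine.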

    Once active, the malware is used to upload information about the machine to the hackers, including phone numbers from its Contacts app, and the user's Apple ID.

    Different versions of WireLurker also automatically installed new apps on the devices - including a video game and a comic book reader.

    [Image: Apple hack] The hackers fooled users into approving a bogus enterprise certificate

    While these were innocuous, experts warn they could represent a test run for other more damaging software.

    "People have got very used to iOS being secure and there is a danger they may be complacent about the risk this presents," said Prof Alan Woodward, from the University of Surrey.

    "Now Apple knows what it's looking for, it should be able to shut it down relatively easily. But it shows that people are trying to attack Apple's operating system and the firm can't take security for granted."

    Under attack

    News of the attack comes after tech giant Apple's iCloud storage service in China was attacked by hackers trying to steal user information just last month.

    Chinese web monitoring group Greatfire.org said that hackers intercepted data and potentially gained access to passwords, messages, photos and contacts. They believed the Beijing government was behind the move.

    But the Chinese government denied the claims and was backed by state-owned internet provider China Telecom, which said the accusation was "untrue and unfounded".

    China is home to the world's biggest smartphone market and Apple saw its iPhone sales there jump 50% in the April to June quarter from a year earlier.

    To minimise the risk of attack, Palo Alto Networks has recommended that users:

    • Do not download Mac apps from third-party stores
    • Do not jailbreak iOS devices
    • Do not connect their iOS devices to untrusted computers and accessories, either to copy information or charge the machines
    • Do not accept requests for a new "enterprise provisioning profile" unless it comes from an authorised party, for example the employer's IT department
