The Beijing Municipal Public Security Bureau has arrested three individuals for involvement in the creation and distribution of WireLurker malware that compromises iOS devices and made hundreds of thousands of victims in China.

The three suspects were identified based on information received from security company Qihoo 360 Technology.
Authors made a WireLurker for Windows, too

In a post on Sina Weibo, the Beijing police announced that the three suspects, identified only by their surnames (Chen, Lee and Wang), were taken into custody on Thursday for conspiring to write malicious software for illegal profit.

WireLurker was spread through the Maiyadi store for OS X applications, which hosted pirated premium content. A report from an AlienVault researcher warned that a Windows version was also in use.

According to researchers from Palo Alto Networks, who discovered the malware and published their findings last week, the cybercriminals infected popular programs and uploaded them to the online repository.

During their analysis they found 467 trojanized applications, mostly games. Once installed on the computer (OS X or Windows), WireLurker would wait for an iOS device to be connected and then compromise it.

The malicious iOS apps were first downloaded to the desktop computer and, upon detection of a USB-connected iOS device, pushed onto the target. The server hosting the malicious apps was identified at the IP address 124.248.245.78.

The malware works whether or not the device is jailbroken, because it also includes apps signed with an enterprise digital certificate. Such apps do not go through Apple's rigorous review, as items in the official store do: they are treated as trustworthy because enterprise certificates are issued to verified organizations for building proprietary software for use in corporate environments.
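As an added example (not part of the article or of the Palo Alto Networks analysis), the following Python classifies the provisioning profile an iOS app bundle carries: in-house enterprise profiles set the `ProvisionsAllDevices` key, which is what lets such apps install on non-jailbroken devices without App Store review. The two sample profiles are constructed, the team and bundle identifiers are hypothetical, and the CMS signature wrapper is faked rather than verified.

```python
import plistlib
import re


def extract_profile_plist(profile_bytes: bytes) -> dict:
    """Return the XML plist embedded in a .mobileprovision blob.

    Real profiles are CMS/PKCS#7 signed; the plist sits inside the signed
    content, so locating the <?xml ... </plist> span is enough to read its
    keys (signature verification is out of scope for this check).
    """
    match = re.search(rb"<\?xml.*?</plist>", profile_bytes, re.DOTALL)
    if match is None:
        raise ValueError("no plist payload found in provisioning profile")
    return plistlib.loads(match.group(0))


def classify_profile(profile_bytes: bytes) -> dict:
    """Classify a profile by distribution method and pull review-relevant fields."""
    plist = extract_profile_plist(profile_bytes)
    if plist.get("ProvisionsAllDevices"):
        kind = "enterprise"            # in-house: any device, no App Store review
    elif "ProvisionedDevices" in plist:
        kind = "adhoc-or-development"  # limited to the listed device UDIDs
    else:
        kind = "store"
    return {
        "kind": kind,
        "team": plist.get("TeamName"),
        "app_id": plist.get("Entitlements", {}).get("application-identifier"),
    }


def _fake_signed_profile(plist: dict) -> bytes:
    # Constructed stand-in for the CMS envelope; NOT a valid signature.
    return b"\x30\x82\x10\x00" + plistlib.dumps(plist) + b"\x00fake-cms-signature"


# Constructed sample profiles (hypothetical team name and bundle identifiers).
ENTERPRISE_PROFILE = _fake_signed_profile({
    "Name": "In-House Distribution",
    "TeamName": "Example Corp",
    "ProvisionsAllDevices": True,
    "Entitlements": {"application-identifier": "TEAMID0001.com.example.inhouse"},
})
ADHOC_PROFILE = _fake_signed_profile({
    "Name": "Ad Hoc Test",
    "TeamName": "Example Corp",
    "ProvisionedDevices": ["00008030-000000000000000A"],
    "Entitlements": {"application-identifier": "TEAMID0001.com.example.test"},
})

if __name__ == "__main__":
    for name, blob in (("enterprise", ENTERPRISE_PROFILE), ("adhoc", ADHOC_PROFILE)):
        print(name, classify_profile(blob))
```

On a real device or extracted .ipa, feed the bytes of `Payload/<App>.app/embedded.mobileprovision` to `classify_profile`; an unexpected "enterprise" result on a consumer app is what a defender would want flagged.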

Maiyadi has been taken down

The report from the Beijing police on the Chinese microblogging platform is brief, but it does state that the Maiyadi iOS store has been shut down.

WireLurker collects the product serial and model numbers, phone number, Apple ID, Wi-Fi address, disk usage, and the unique device identifier – UDID.

The purpose it was built for is unclear: despite its ability to steal large amounts of information, nothing points to a specific motive, Palo Alto Networks said in its report.

To protect its customers, Apple started to block the malicious apps in the Maiyadi third-party store immediately after hearing the news about WireLurker.