How to Check for the WireLurker Malware Infection

A new breed of malware has been found infecting Macs and iOS devices, spread primarily by compromised apps found in the Chinese Maiyadi App Store. Researchers at Palo Alto Networks have reported that hundreds of thousands of users could be affected. Named WireLurker, the malware also has a Windows variant and could be the largest scale infection of its type.


WireLurker lurks on an infected computer and, when an iOS device is connected to it via USB, attacks the mobile device. Private data such as messages and contacts can be compromised. iOS devices do not need to be jailbroken to be vulnerable. While WireLurker may not be a concern for those who never use third-party app stores, checking for infection is relatively simple. Apple has already taken steps to combat the malware by blocking the affected apps.

Here are some ways to check for and clean the WireLurker malware infection.

OS X Computers

Check to see if your Mac is infected by running Palo Alto Networks' WireLurker Detector tool. Click here for more information.

1. Open Terminal.
2. At the prompt, enter this command and hit return:
   curl -O https://raw.githubusercontent.com/PaloAltoNetworks-BD/WireLurkerDetector/master/WireLurkerDetectorOSX.py
3. Then run this command:
   python WireLurkerDetectorOSX.py
4. The script will determine whether or not your system is compromised.
5. Delete detected files to clean.

Check iOS 8 devices

1. Use the iPhone Configuration Utility to look for unknown distribution profiles
2. Remove the profiles to clean
3. Delete unknown or suspicious apps

If your iOS device is running older firmware (iOS 7 and earlier)

1. On the iOS device, navigate to Settings -> General -> Profiles
2. If unknown profiles are listed you might be infected with WireLurker
3. Remove the profiles to clean
4. Delete unknown or suspicious apps

If your iOS device is jailbroken

1. Open the iFile app or SSH to the iOS system on your device. Click here for instructions on using SSH
2. Navigate to the directory /Library/MobileSubstrate/DynamicLibraries
3. If the file sfbase.dylib exists the iOS device is probably infected with WireLurker
4. Delete the file to clean
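Both the OS X detector step above and the jailbroken-iOS check come down to the same idea: look for known file indicators under a filesystem root. The script below is an added example written for this page; it is not the Palo Alto Networks WireLurkerDetector and does not reproduce its indicator list. The only indicator it ships is the sfbase.dylib path named in this article; the SHA-256 set is an empty placeholder because the article gives no hashes, and the sample directory tree it builds is constructed for demonstration only. Point it at a Mac volume, or at a jailbroken device's filesystem copied or mounted over SSH, by passing the root as the first argument.

```python
"""Minimal WireLurker-style indicator checker (added example, not the
Palo Alto Networks detector). Looks for known file paths and known file
hashes under a root directory."""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# Path indicator given in the article for jailbroken iOS devices.
PATH_INDICATORS = [
    "Library/MobileSubstrate/DynamicLibraries/sfbase.dylib",
]

# Placeholder: real detectors ship SHA-256 hashes of known samples.
# The article provides none, so this set is left empty; supply your own.
KNOWN_SHA256 = set()


def sha256_file(path):
    """Return the hex SHA-256 of a file, reading it in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_path_indicators(root, indicators=PATH_INDICATORS):
    """Return the indicator paths (relative form) that exist under root."""
    root = Path(root)
    return [rel for rel in indicators if (root / rel).exists()]


def find_hash_matches(root, known_hashes, max_size=50 * 1024 * 1024):
    """Walk root and return (path, sha256) for files whose hash is known."""
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                if os.path.islink(full) or os.path.getsize(full) > max_size:
                    continue
                digest = sha256_file(full)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if digest in known_hashes:
                matches.append((full, digest))
    return matches


def scan(root, known_hashes=KNOWN_SHA256):
    """Run both checks and return one report dict."""
    return {
        "path_hits": check_path_indicators(root),
        "hash_hits": find_hash_matches(root, known_hashes),
    }


def build_sample_tree():
    """Create a constructed directory tree containing the sfbase.dylib
    indicator path (harmless placeholder bytes) and return its base path."""
    base = tempfile.mkdtemp(prefix="wl-sample-")
    lib_dir = Path(base) / "Library/MobileSubstrate/DynamicLibraries"
    lib_dir.mkdir(parents=True)
    (lib_dir / "sfbase.dylib").write_bytes(b"constructed sample, not malware\n")
    return base


if __name__ == "__main__":
    # With no argument, scan the constructed sample tree to show a positive hit.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    report = scan(target)
    if report["path_hits"] or report["hash_hits"]:
        print("Indicators found under", target)
        for p in report["path_hits"]:
            print("  path:", p)
        for p, d in report["hash_hits"]:
            print("  hash:", p, d)
    else:
        print("No known WireLurker indicators under", target)
```

Path checks are cheap but only catch what sits at the expected location; hash checks catch a known sample wherever it was copied, at the cost of reading every file under the root. A real cleanup still follows the steps above (remove the file or profile, then the app that installed it) rather than stopping at detection.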

Windows Computers

There is a Windows variant which can be detected with the following software. Click here for more information.

1. Download the WireLurkerCleaner application from GitHub. Click here for a direct link to WireLurkerCleaner.exe
2. Right-click the app and select Run as administrator
3. Click Yes if prompted by User Account Control
4. The tool will scan your Windows system and determine if WireLurker is present
5. Delete detected files to clean

Most users do not have to worry about WireLurker; however, you can reduce the chances of infection with a few safeguards. First off, don't download pirated Mac apps from third-party Chinese app stores. Do not connect iOS devices to untrusted computers or chargers via USB, and always use antivirus software for extra security. Mac users can also limit OS X to running only trusted apps under Security & Privacy -> Allow apps downloaded from: Mac App Store and identified developers.