Seek and Destroy: Operation WireLurker

Posted by ISL Admin on Sunday, November 09, 2014

WireLurker is malware that infects computers running Mac OS X or Windows and subsequently spreads to iOS devices connected via USB. To do so, it installs an enterprise provisioning profile on the connected iOS device. Under Windows, the malware only works if the iOS device is jail-broken. So far, the threat has been detected in (and is presumably restricted to) China.
If your device is jail-broken, please follow the second set of instructions.
Apple has since put appropriate security measures in place, but there is a slight chance that you picked up the malware a while back, before Apple took any action. If you believe that you're infected, follow these steps:
  1. Go to Settings > General > Profile.
  2. Check for any unknown profile listed here; if you find one, delete it.
  3. Check installed apps for any strange behavior, and delete all suspicious apps that you find installed.

It is highly recommended that you do a complete restore of your iOS device from iTunes until a more effective and surefire solution becomes available.

If your device is jail-broken and you suspect that it is affected by WireLurker, follow the steps outlined below. If you find the process difficult, simply do a clean restore of your Apple device using iTunes to the latest publicly available iOS release.
  1. Install iFile (from Cydia), or use another method such as SSH, to access the system directories on your iOS device.
  2. Navigate to: Library > MobileSubstrate > DynamicLibraries.
  3. Look for a file named sfbase.dylib. If it is present, your device is infected.
Deleting this file does not remove the threat of WireLurker. Again, it is recommended that you do a complete restore of your device from iTunes.
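
The jail-broken check above can also be scripted over SSH. The following is an added example, not part of the original post; the function name, its return codes and the ROOT argument are assumptions made for illustration, while the directory and file name are the ones given in the steps.

```shell
#!/bin/sh
# Added example: look for the sfbase.dylib indicator named in the steps above.
# Assumption: ROOT is "/" when run on the device over SSH, or the directory
# holding an extracted copy of the device file system when run elsewhere.

SUBSTRATE_DIR="Library/MobileSubstrate/DynamicLibraries"
INDICATOR="sfbase.dylib"

# Return codes (chosen for this example):
#   0 = indicator not found
#   1 = indicator found
#   2 = MobileSubstrate directory absent, nothing to check
check_wirelurker() {
    root="${1:-/}"
    dir="${root%/}/$SUBSTRATE_DIR"

    if [ ! -d "$dir" ]; then
        echo "not-checked: $dir does not exist"
        return 2
    fi

    # -iname also catches case variants of the file name;
    # -maxdepth 1 keeps the search to the directory the steps name.
    hits=$(find "$dir" -maxdepth 1 -iname "$INDICATOR" 2>/dev/null)

    if [ -n "$hits" ]; then
        echo "infected: found $hits"
        echo "Deleting the file is not a fix; restore the device from iTunes."
        return 1
    fi

    echo "clean: no $INDICATOR in $dir"
    return 0
}

# Run the check only when a root path is passed on the command line.
if [ "$#" -gt 0 ]; then
    check_wirelurker "$1"
fi
```

Run it with `/` as the argument on the device itself. A "clean" result only means this one file is absent.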
