XcodeGhost Malware Affects Legitimate iOS Apps and Here's What You Need to Know



    There has been a lot of buzz on the Internet about a recent malware scare on the iOS platform. Dubbed XcodeGhost, this malware originates with the developers of iOS applications themselves: it affects applications that were built with a non-legitimate version of Xcode.

    As it turns out, the applications in question come from China, as Palo Alto Networks explains, and were compiled with a version of Xcode that did not come directly from Apple. These applications successfully passed Apple's App Store review, meaning that many iOS users have downloaded the infected applications.

    XcodeGhost's primary behavior in infected iOS apps is to collect information about the device and upload that data to command and control (C2) servers. The malware has exposed a very interesting attack vector: targeting the compiler used to create legitimate apps. The same technique could be adopted to attack enterprise iOS apps or OS X apps in much more dangerous ways.

    In China (and in other places around the world), network speeds are sometimes very slow when downloading large files from Apple's servers. As the standard Xcode installer is nearly 3GB, some Chinese developers choose to download the package from other sources or get copies from colleagues.
    The problem is that developers (mainly in China, but not exclusively) who want Xcode so they can build applications for the App Store do not want to wait through the long download from Apple, and instead rely on third-party sources for their copy of Xcode. As it turns out, this third-party source is injecting Xcode with compiler malware, which in turn affects the applications that are made with it.
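    A developer-side check for exactly this problem, added here as an example and not part of the original article: it asks Gatekeeper (spctl) to assess the installed Xcode bundle and reports whether the copy is Apple-signed. The default bundle path and the accepted source strings (Mac App Store, Apple, Apple System) are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): verify that an installed Xcode copy
# carries Apple's signature by running Gatekeeper's assessment on the bundle.
# Only meaningful on macOS; elsewhere spctl is absent and the verdict is "unknown".

# Assumed default location of the Xcode bundle; override with XCODE_APP=...
XCODE_APP="${XCODE_APP:-/Applications/Xcode.app}"

# classify_assessment: takes the text printed by `spctl --assess --verbose`
# and echoes "legitimate", "rejected" or "unknown". An Apple-distributed copy
# is reported as "accepted" with source=Mac App Store, source=Apple or
# source=Apple System (assumed strings); a re-packaged copy from a third-party
# mirror does not carry a valid Apple signature and is not accepted.
classify_assessment() {
  case "$1" in
    *": accepted"*"source=Mac App Store"*|*": accepted"*"source=Apple"*) echo "legitimate" ;;
    *": rejected"*) echo "rejected" ;;
    *) echo "unknown" ;;
  esac
}

# assess_xcode: run the Gatekeeper assessment on the given bundle and classify it.
assess_xcode() {
  if ! command -v spctl >/dev/null 2>&1; then
    echo "unknown"
    return 0
  fi
  # spctl exits non-zero when the bundle is rejected; keep the text either way.
  out="$(spctl --assess --verbose "$1" 2>&1 || true)"
  classify_assessment "$out"
}

# Usage: sh check_xcode.sh --run
if [ "${1:-}" = "--run" ]; then
  verdict="$(assess_xcode "$XCODE_APP")"
  echo "$XCODE_APP: $verdict"
  [ "$verdict" = "legitimate" ] || echo "Re-download Xcode from Apple before building apps."
fi
```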

    The malware sits in the background of the device and collects information such as:

    • Current time
    • Current infected app’s name
    • The app’s bundle identifier
    • Current device’s name and type
    • Current system’s language and country
    • Current device’s UUID
    • Network type


    Palo Alto Networks does not give a complete list of the affected applications, although it does note that WeChat, one of the most popular instant-messaging applications in China, is among the applications compiled with a non-legitimate version of Xcode, as is CamCard, a popular business card scanning application used in many countries. Other affected applications may include banking applications, games, stock-trading applications, and other applications whose users certainly do not want a malware infection monitoring them.

    Apple will have to come up with some kind of solution to this problem, whether that means improving the App Store review process to block infected applications from getting into the App Store, or preventing non-legitimate versions of Xcode from being able to build applications for the App Store.

    Source: Palo Alto Networks
    This article was originally published in the forum thread "XcodeGhost Malware Affects Legitimate iOS Apps and Here's What You Need to Know", started by Anthony Bouchard.
    Comments (5)
    1. kickerman65 -
      Why are these apps even still available in the Appstore? Why hasn't Apple pulled them?
    1. sheltons.iphone -
      Quote originally posted by kickerman65:
      Why are these apps even still available in the Appstore? Why hasn't Apple pulled them?
      How are they supposed to know which apps were created with a non-Apple version of Xcode?
    1. kelkel5313 -
      BOSTON (REUTERS) - Apple Inc said on Sunday (Sept 20) that it was cleaning up its iOS App Store to remove malicious iPhone and iPad programs identified in the first large-scale attack on the popular mobile software outlet.

      The company disclosed the effort after several cyber security firms reported finding a malicious program dubbed XcodeGhost that was embedded in hundreds of legitimate apps.


      It is the first reported case of large numbers of malicious software programs making their way past Apple's stringent app review process. Prior to this attack, a total of just five malicious apps had ever been found in the App Store, according to cyber security firm Palo Alto Networks Inc.

      The hackers embedded the malicious code in these apps by convincing developers of legitimate software to use a tainted, counterfeit version of Apple's software for creating iOS and Mac apps, which is known as Xcode, Apple said.

      "We've removed the apps from the App Store that we know have been created with this counterfeit software," Apple spokesman Christine Monaghan said in an email. "We are working with the developers to make sure they're using the proper version of Xcode to rebuild their apps." She did not say what steps iPhone and iPad users could take to determine whether their devices were infected.

      Palo Alto Networks Director of Threat Intelligence Ryan Olson said the malware had limited functionality and his firm had uncovered no examples of data theft or other harm as a result of the attack.

      Still, he said it was "a pretty big deal" because it showed that the App Store could be compromised if hackers infected machines of software developers writing legitimate apps. Other attackers may copy that approach, which is hard to defend against, he said. "Developers are now a huge target," he said.

      Researchers said infected apps included Tencent Holdings Ltd's popular mobile chat app WeChat, car-hailing app Didi Kuaidi and a music app from Internet portal NetEase Inc. The tainted version of Xcode was downloaded from a server in China that developers may have used because it allowed for faster downloads than using Apple's US servers, Mr Olson said.

      Chinese security firm Qihoo360 Technology Co said on its blog that it had uncovered 344 apps tainted with XcodeGhost. Tencent said on its official WeChat blog that the security flaw affects WeChat 6.2.5, an old version of its popular chatting app, and that newer versions were unaffected.

      A preliminary investigation showed there had been no data theft or leakage of user information, the company said.

      Apple declined to say how many apps it had uncovered.

      Quoted from The Straits Times, Singapore
    1. edwilk55 -
      Gr8...I had CamCard installed. I'd love to be able to know the origin of an app so I could make sure nothing I download ever comes from China! Other than the JB. LOL!
    1. kickerman65 -
      Quote originally posted by sheltons.iphone:
      How are they supposed to know which apps were created with a non apple version of Xcode?
      They can't. But if these two apps are already known to have Malware, then at the very least they could pull them.