A new strain of malware has been detected residing in some extremely popular apps on the iOS App Store. A total of 39 apps on the store are affected by what has been named “XcodeGhost”, because it is distributed through a malicious build of Apple’s Xcode integrated development environment. It is the latest malware to befall Apple’s iOS App Store, and it has been found in the hugely popular WeChat messaging application as well as in Didi Kuaidi, the main rival to the ride-sharing service Uber in the Chinese market.
What is XcodeGhost?
As mentioned, it is iOS malware arising from a malicious version of Xcode, Apple’s official tool for developing iOS and OS X apps. How is it distributed? This malicious version of Xcode was uploaded to the Chinese cloud file-sharing service Baidu and downloaded by some iOS developers in China. Those developers then unknowingly compiled iOS apps using the modified Xcode IDE and distributed the infected apps through the App Store. As a result, a large number of genuine iOS apps became malicious.
This is not the first time the iOS App Store has fallen foul of malware, but this new strain is unique in that it manages to inject itself into apps without the developer’s knowledge. Malware previously found within iOS apps was introduced into the ecosystem with the explicit intent of its author, meaning that the infected app was uploaded to the App Store purely to distribute the malware. Those apps then managed to pass through Apple’s code review process, enabling iOS users to install or update the infected apps on their devices.
Devices such as iPhone, iPad and iPod touch models running an iOS version compatible with any of the infected apps are affected, and the malware affects both stock and jailbroken devices. XcodeGhost differs in that it is injected into the app without the developer’s knowledge, through a malicious build of Xcode downloaded from Baidu. It is a remarkably sophisticated method of pushing malware onto iOS devices, since it piggybacks on the reputation of extremely popular and trusted apps trending in China, such as WeChat. XcodeGhost potentially affects more than 500 million iOS users, primarily because the WeChat messaging app is very popular in China and the Asia-Pacific region.
It appears that a number of Chinese iOS/OS X developers have been using Baidu’s services to obtain the installer, unknowingly taking ownership of infected software that collects information about devices, encrypts it and uploads it over HTTP to command and control (C2) servers run by the attackers. The system and app information that can be collected includes:
- Current time
- Current infected app’s name
- The app’s bundle identifier
- Current device’s name and type
- Current system’s language and country
- Current device’s UUID
- Network type
Palo Alto Networks also discovered that infected iOS apps can receive commands from the attacker through the C2 server to perform the following actions:
- Prompt a fake alert dialog to phish user credentials;
- Hijack opening specific URLs based on their scheme, which could allow for exploitation of vulnerabilities in the iOS system or other iOS apps;
- Read and write data in the user’s clipboard, which could be used to read the user’s password if that password is copied from a password management tool.
All the files relating to the malicious Xcode have now been removed from Baidu’s servers after the company was alerted. The method of infection may be sophisticated and stealthy, but the trojan itself is not subtle about how it does its work. According to Claud Xiao, Senior Malware Researcher at Palo Alto Networks, XcodeGhost can “be remotely controlled by the attacker to phish or exploit local system or app vulnerabilities”.
Just a few days ago it was still being claimed that iOS apps and the platform could not be affected by malware, because of Apple’s leading protection and security. For those who believed that iOS was not capable of hosting malware or malicious installations, this news should come as a serious concern. The complete list of apps that have been compromised by XcodeGhost is available at the link below:
Can we protect our iOS devices and apps against XcodeGhost?
Obviously, iOS users should immediately uninstall any infected iOS app listed here from their devices, or update to a newer version that has removed the malware. Resetting your iCloud password, and any other passwords entered on your iOS device, is also strongly recommended as a precautionary measure.
iOS app developers should install official versions of Xcode 7 or the Xcode 7.1 beta from Apple’s website, free of charge, and avoid downloading the software from unofficial sources. The lesson is that not only developer tools but genuine iOS apps should only be obtained from official sources; otherwise malware like XcodeGhost, or its successors, will easily hit your iOS smartphones and tablets.
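A concrete way for a developer to check that an installed Xcode is the Apple-distributed build rather than a repackaged download, as an added example that is not part of the article: it uses macOS’s own `spctl` (Gatekeeper assessment) and `codesign` tools, and assumes the bundle lives at /Applications/Xcode.app. The verdict strings it looks for (`accepted`, `source=Mac App Store`, `source=Apple System`, `source=Apple`) are the ones Apple published for this check.

```shell
#!/bin/sh
# Added example (not the article's or Apple's code). Verifies that an Xcode
# bundle carries Apple's own signature, using the macOS tools spctl and codesign.

# Parse the output of `spctl --assess --verbose <bundle>`.
# Returns 0 only if Gatekeeper accepted the bundle AND the signing source is
# Apple. A bundle re-signed with a Developer ID, an ad-hoc signature or no
# signature (typical of a third-party re-upload) fails here.
xcode_assess_verdict() {
  out="$1"
  case "$out" in
    *": accepted"*) ;;            # Gatekeeper accepted the bundle
    *) return 1 ;;                # "rejected" or unparseable output
  esac
  case "$out" in
    *"source=Mac App Store"*|*"source=Apple System"*|*"source=Apple"*) return 0 ;;
    *) return 1 ;;                # e.g. source=Developer ID
  esac
}

# Verify the signature over the whole bundle: --deep covers nested frameworks
# and helper binaries, --strict rejects resource-envelope tampering.
xcode_signature_ok() {
  codesign --verify --deep --strict "$1" >/dev/null 2>&1
}

# Run both checks against an installed Xcode (default path is an assumption).
verify_xcode() {
  app="${1:-/Applications/Xcode.app}"
  verdict="$(spctl --assess --verbose "$app" 2>&1)"
  if xcode_assess_verdict "$verdict" && xcode_signature_ok "$app"; then
    echo "OK: $app is Apple-signed ($verdict)"
    return 0
  fi
  echo "WARNING: $app failed verification: $verdict" >&2
  return 1
}

# Usage: sh verify_xcode.sh --run [/path/to/Xcode.app]
case "${1:-}" in
  --run) verify_xcode "${2:-}" ;;
esac
```

A developer who gets the WARNING should remove that copy and reinstall Xcode from the Mac App Store or Apple’s developer site before rebuilding and resubmitting any app.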