What You Need to Know About iOS Malware XcodeGhost

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Sep 20, 2015.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    Earlier this week, Chinese developers disclosed new iOS malware called XcodeGhost on microblogging service Sina Weibo. U.S. cybersecurity firm Palo Alto Networks has since published details about the malware.

    MacRumors has created a FAQ so you can learn more about XcodeGhost and how to keep your iOS devices protected.

    What is XcodeGhost?
    XcodeGhost is a new iOS malware arising from a malicious version of Xcode, Apple's official tool for developing iOS and OS X apps.

    How is XcodeGhost distributed?
    A malicious version of Xcode was uploaded to Chinese cloud file sharing service Baidu and downloaded by some iOS developers in China.

    Chinese developers then unknowingly compiled iOS apps using the modified Xcode IDE and distributed those infected apps through the App Store.

    Those apps then managed to pass through Apple's code review process, enabling iOS users to install or update the infected apps on their devices.

    Which devices are affected?
    iPhone, iPad and iPod touch models running an iOS version compatible with any of the infected apps. The malware affects both stock and jailbroken devices.

    Which apps are affected?
    Palo Alto Networks has shared a full list of over 50 infected iOS apps, including WeChat, NetEase Cloud Music, WinZip, Didi Chuxing, Railway 12306, China Unicom Mobile Office and Tonghuashun.

    How many users are affected?
    XcodeGhost potentially affects more than 500 million iOS users, primarily because messaging app WeChat is very popular in China and the Asia-Pacific region.

    Which unofficial versions of Xcode are affected?
    All unofficial versions between Xcode 6.1 and Xcode 6.4.

    How does XcodeGhost put my iOS devices at risk?
    iOS apps infected with XcodeGhost collect information about the device and the app, encrypt it, and upload it over plain HTTP to command and control (C2) servers run by the attackers. The system and app information collected includes:

    Current time
    Current infected app's name
    The app's bundle identifier
    Current device's name and type
    Current system's language and country
    Current device's UUID
    Network type

    Palo Alto Networks also discovered that infected iOS apps can receive commands from the attacker through the C2 server to perform the following actions:

    Prompt a fake alert dialog to phish user credentials;
    Hijack opening specific URLs based on their scheme, which could allow for exploitation of vulnerabilities in the iOS system or other iOS apps;
    Read and write data in the user's clipboard, which could be used to read the user's password if that password is copied from a password management tool.

    Can XcodeGhost affect users outside of China?
    Yes. Some of the iOS apps infected with XcodeGhost malware are available on the App Store in countries outside of China. CamCard, for example, is a popular business card reader and scanner app available in the United States and several other countries, while WeChat is a popular messaging app in the Asia-Pacific region.

    Why would some Chinese developers download Xcode from Baidu?
    Xcode is a large file that can take a long time to download from Apple's servers in China, leading some developers to download Xcode from unofficial sources.

    How are Apple and Chinese developers dealing with XcodeGhost?
    Palo Alto Networks claims that it is cooperating with Apple on the issue, while multiple developers have updated their apps to remove the malware.

    Apple has since issued the following statement to Reuters:

    How do I protect myself against XcodeGhost?
    iOS users should immediately uninstall any infected iOS app listed here from their devices, or update to a newer version from which the developer has removed the malware. As a precaution, also reset your iCloud password and any other password you have entered on your iOS device, since the malware's fake alert dialogs and clipboard access could have captured them.

    Developers should install Xcode 7 or the Xcode 7.1 beta only from Apple's developer website or the Mac App Store, where it is free, and should never use copies downloaded from unofficial sources or file-sharing mirrors.

    Article Link: What You Need to Know About iOS Malware XcodeGhost
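The FAQ's advice to developers (use only Apple's copy of Xcode) can be checked on the machine itself rather than taken on trust. The script below is an added example, not code from the MacRumors article or from Palo Alto Networks: it wraps the `spctl --assess --verbose /Applications/Xcode.app` assessment that Apple published for validating an installed Xcode after XcodeGhost, and parses the result so that a genuine, Apple-signed copy passes while an unsigned, re-signed or modified bundle fails. The function names, the default path, and the sample spctl output lines are this example's own assumptions.

```shell
#!/bin/sh
# Added example: verify that an installed Xcode.app still carries Apple's
# code signature, the check Apple recommended after XcodeGhost. This is
# not code from the MacRumors article or from Palo Alto Networks; the
# function names, default path and sample outputs are assumptions.
#
# spctl --assess --verbose /Applications/Xcode.app prints, for a genuine
# copy, two lines such as
#     /Applications/Xcode.app: accepted
#     source=Mac App Store
# (or source=Apple / source=Apple System). A repackaged copy from a
# file-sharing mirror either fails the assessment ("rejected") or reports
# a different signing source.

# assessment_ok: read spctl's output on stdin and return 0 only when the
# bundle was accepted AND signed by Apple or the Mac App Store.
# Taking the text on stdin keeps the decision logic testable on any host.
assessment_ok() {
    out=$(cat)
    # The first line must end in ": accepted"; "rejected" means a broken
    # or missing signature, which is what a tampered Xcode produces.
    printf '%s\n' "$out" | grep -q ': accepted$' || return 1
    # Only Apple-controlled sources count. A Developer ID or ad-hoc
    # signature can still be "accepted" by Gatekeeper, but it is not
    # Apple's Xcode.
    printf '%s\n' "$out" | grep -Eq '^source=(Mac App Store|Apple|Apple System)$'
}

# verify_xcode [path]: run the live assessment (macOS only). spctl writes
# its report to stderr, hence 2>&1. Expect several minutes on a full
# Xcode install, since the whole bundle is hashed.
verify_xcode() {
    app=${1:-/Applications/Xcode.app}
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not found; run this on the Mac where Xcode is installed" >&2
        return 2
    fi
    if spctl --assess --verbose "$app" 2>&1 | assessment_ok; then
        echo "OK: $app is signed by Apple"
        return 0
    fi
    echo "FAIL: $app is not an Apple-signed Xcode; delete it and reinstall from Apple" >&2
    return 1
}

# Run the live check only when executed as a script named verify_xcode*;
# sourcing the file (for instance from a test) just defines the functions.
case "$0" in
    *verify_xcode*) verify_xcode "$@" ;;
esac
```

Save it as verify_xcode.sh and run it on the development Mac. A pass means the bundle's signature seal, which covers the frameworks and SDKs inside Xcode.app, is intact; it says nothing about third-party libraries a project links in, which are a separate supply-chain check.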
     
  2. shanmugam macrumors 68020

    shanmugam

    Joined:
    Sep 24, 2008
    Location:
    Blazer town!
    #2
    Darn it, I thought only Android got malware.

    WeChat is used in many countries :(
     
  3. Kajje macrumors 6502a

    Kajje

    Joined:
    Dec 6, 2012
    Location:
    Asia
    #3
    If that Chinese hacker has enough skills to bypass the App Store review process and infect 500 million devices, I'm wondering if this is just the tip of the iceberg.
     
  4. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #4
    I thought that apps cannot access the device’s UUID anymore? Does anyone know how they accomplish this? Presumably, on iOS these apps don’t do anything that normal apps couldn’t do. The difference just seems to be that these apps are doing something the developer had not intended.

    Very sloppy that a major app like WeChat is affected.
     
  5. netwalker macrumors regular

    netwalker

    Joined:
    Jul 28, 2007
    #5
    Can't you just list all 39 apps? Looks like the servers from Palo Alto Networks can't handle it.
     
  6. iPhil macrumors 68040

    iPhil

    #6
    The "listed here" link at the bottom of the story is dead.
     
  7. arn macrumors god

    arn

    Staff Member

    Joined:
    Apr 9, 2001
    #7
    Infected iOS apps
    网易云音乐 2.8.3
    微信 6.2.5
    讯飞输入法 5.1.1463
    滴滴出行 4.0.0.6-4.0.0.0
    滴滴打车 3.9.7.1 – 3.9.7
    铁路12306 4.5
    下厨房 4.3.2
    51卡保险箱 5.0.1
    中信银行动卡空间 3.3.12
    中国联通手机营业厅 3.2
    高德地图 7.3.8
    简书 2.9.1
    开眼 1.8.0
    Lifesmart 1.0.44
    网易公开课 4.2.8
    马拉马拉 1.1.0
    药给力 1.12.1
    喜马拉雅 4.3.8
    口袋记账 1.6.0
    同花顺 9.60.01
    快速问医生 7.73
    懒人周末
    微博相机
    豆瓣阅读
    CamScanner
    CamCard
    SegmentFault 2.8
    炒股公开课
    股市热点
    新三板
    滴滴司机
    OPlayer 2.1.05
    电话归属地助手 3.6.5
    愤怒的小鸟2 2.1.1
    夫妻床头话 1.2
    穷游 6.6.6
    我叫MT 5.0.1
    我叫MT 2 1.10.5
    自由之战 1.1.0

    Fox-IT (fox-it.com), a Netherlands-based security company, checked all C2 domain names from our reports in their network sensors and found thousands of instances of malicious traffic outside China. According to their data, these iOS apps were also infected:

    Mercury
    WinZip
    Musical.ly
    PDFReader
    guaji_gangtai en
    Perfect365
    网易云音乐
    PDFReader Free
    WhiteTile
    IHexin
    WinZip Standard
    MoreLikers2
    CamScanner Lite
    MobileTicket
    iVMS-4500
    OPlayer Lite
    QYER
    golfsense
    同花顺
    ting
    installer
    下厨房
    golfsensehd
    Wallpapers10000
    CSMBP-AppStore
    礼包助手
    MSL108
    ChinaUnicom3.x
    TinyDeal.com
    snapgrab copy
    iOBD2
    PocketScanner
    CuteCUT
    AmHexinForPad
    SuperJewelsQuest2
    air2
    InstaFollower
    CamScanner Pro
    baba
    WeLoop
    DataMonitor
    爱推
    MSL070
    nice dev
    immtdchs
    OPlayer
    FlappyCircle
    高德地图
    BiaoQingBao
    SaveSnap
    WeChat
    Guitar Master
    jin
    WinZip Sector
    Quick Save
    CamCard
     
  8. SSD-GUY macrumors 6502a

    Joined:
    Sep 20, 2012
    Location:
    London, UK
    #8
    So... It begins.

    iOS has been breached through the one thing that kept us safe. The App Store.
     
  9. awang macrumors newbie

    Joined:
    Sep 20, 2015
    #9
    WeChat would be the one that was most widely distributed.

    But anyway, the server has been taken down, so international users will not be greatly affected by this, but Chinese users would probably be hacked via apps like NetEase Music and 12306 (the government app to buy train tickets).

    This is not a bad thing; I hope Apple can learn more from this. Even though they claim iOS and OS X are more secure, they need to suffer incidents like this to become strong.
     
  10. Joe Rossignol Editor

    Joe Rossignol

    Staff Member

    Joined:
    May 12, 2012
    Location:
    Toronto
    #10
    Palo Alto Networks conveniently goes down a few minutes after I published the article. Sorry guys. Thankfully @arn found a cached list above.
     
  11. jmantn macrumors 6502

    Joined:
    Mar 13, 2012
    Location:
    Tn
    #11
    Seriously what developer who knows anything about security is going to download an IDE from a non official source?

    That's like downloading an OS from The Pirate Bay and being shocked the file was injected with malicious code.
     
  12. KALLT, Sep 20, 2015
    Last edited: Sep 20, 2015

    KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #12
    I wouldn’t say that. All apps can have a network connection and can thus collect data. Think of all the freemium games or even Facebook that do just this and worse. In addition, apps that embed web content in them can load and display pretty much anything and ask the user to divulge information. This harms these apps and developers much more than the App Store. It is also proof that the security model of the App Store is pretty solid, because these apps can barely collect any data from the system and only the data the user divulges themselves. The bigger lesson is: be aware that any app can collect your data, so don’t be negligent. This concerns all apps and it is a good reminder that the App Store is not a playground.
     
  13. deviant macrumors 65816

    Joined:
    Oct 27, 2007
    #13
    I'm sorry, but how can a developer be such an idiot (please don't ban me, there's no other word to describe the patient's condition) as to download Xcode from a Chinese cloud file sharing service????
     
  14. awang macrumors newbie

    Joined:
    Sep 20, 2015
    #14
    They said that the download speed is low... As for Android, there is no way to download the official IDE without a VPN...
     
  15. Weaselboy macrumors Core

    Weaselboy

    Joined:
    Jan 23, 2005
    #15
    My thought is I am all done with any company that would use an Xcode version they got from a file sharing site rather than Apple directly. I would never trust them again.
     
  16. mariusignorello macrumors 6502a

    Joined:
    Jun 9, 2013
    #16
    Just how I like to start off my Sunday morning. App Store security gets bypassed.

    Download Xcode from Apple's servers... it's worth the wait time.
     
  17. nostaws macrumors 6502

    nostaws

    Joined:
    Jan 14, 2006
    #17
    Mercury - if it is the web browser - that is huge. Mercury is on a lot of devices.

     
  18. Weaselboy macrumors Core

    Weaselboy

    Joined:
    Jan 23, 2005
    #18
    Well written FAQ Joe... thanks.
     
  19. nigameash macrumors 6502

    Joined:
    Dec 6, 2008
    Location:
    Space: The Final Frontier
    #19
    What kind of a timeframe are we looking at for infected apps? I'm assuming these apps haven't been infected for months and it's a lot more recent.
     
  20. furi0usbee, Sep 20, 2015
    Last edited by a moderator: Sep 20, 2015

    furi0usbee macrumors 68000

    furi0usbee

    Joined:
    Jul 11, 2008
    #20
    China...

    Right? How hard is it to type apple.com and go from there?
     
  21. akuma13 macrumors 6502a

    akuma13

    Joined:
    Jan 10, 2006
    #21
    It's funny and scary that after years of Apple avoiding major viruses and malware on OS X, iOS will get the brunt of it. This is only the beginning.
     
  22. chucker23n1 macrumors 6502

    chucker23n1

    Joined:
    Dec 7, 2014
    #22
    And how hard is it to actually read the original article, which addresses this?

    Why would some Chinese developers download Xcode from Baidu?
    Xcode is a large file that can take a long time to download from Apple's servers in China, leading some developers to download Xcode from unofficial sources.
     
  23. Sasparilla macrumors 6502

    Joined:
    Jul 6, 2012
    #23
    This isn't too surprising, some of the documents released by Snowden pointed out the CIA (in cahoots with the NSA?) had been attempting to compromise Xcode so that back doors would be inserted into anything compiled with it:

    https://theintercept.com/2015/03/10/ispy-cia-campaign-steal-apples-secrets/

    Once you compromise the compiler, it's game over (much like compromising the BIOS / firmware).

    Whether or not the CIA were eventually successful is unknown. This is one of those things where Apple could open-source (but not open-license) the source code (and future changes) of critical things like Xcode so it could be checked/validated in the open (just to ensure the government doesn't issue some secret order they're forced to comply with).

    As encryption expert Bruce Schneier points out: "There's a persistent rumor going around that Apple is in the secret FISA Court, fighting a government order to make its platform more surveillance-friendly -- and they're losing."

    Mentioned here: https://www.schneier.com/blog/archives/2015/09/fbi_and_apples_.html
     
  24. Mac Fly (film) macrumors 65816

    Mac Fly (film)

    Joined:
    Feb 12, 2006
    Location:
    Ireland
    #24
    Well thankfully I never used any of these apps.
     
  25. Plutonius macrumors 603

    Plutonius

    Joined:
    Feb 22, 2003
    Location:
    New Hampshire
    #25
    Why can't Apple sign Xcode so it will only work if it's downloaded from Apple's servers?
     
