I agree, that is absolutely ridiculous and shameful for those developers. And all to save a few minutes on the download? Come on. Go eat lunch while it downloads (that's what I do for Xcode updates) or do it overnight if necessary, but no good developer would download their main dev environment from any file sharing site. I'd say they deserve what they get but millions of users are going to pay the price for their laziness.

You have no idea how slow it is to download it from the mac app store in China. But I'm not sure if it is because of GFW or Apple's server distribution.
 
I have been in China for quite some time and Apple's server is not slow here. I get a good speed of 9 Mbps from Apple. Slow speed is an excuse from the application developers.
 



Earlier this week, Chinese developers disclosed new iOS malware called XcodeGhost on microblogging service Sina Weibo. U.S. cybersecurity firm Palo Alto Networks has since published details about the malware.

MacRumors has created a FAQ so you can learn more about XcodeGhost and how to keep your iOS devices protected.

What is XcodeGhost?
XcodeGhost is a new iOS malware arising from a malicious version of Xcode, Apple's official tool for developing iOS and OS X apps.

How is XcodeGhost distributed?
A malicious version of Xcode was uploaded to Chinese cloud file sharing service Baidu and downloaded by some iOS developers in China.

Chinese developers then unknowingly compiled iOS apps using the modified Xcode IDE and distributed those infected apps through the App Store.

Those apps then managed to pass through Apple's code review process, enabling iOS users to install or update the infected apps on their devices.

Which devices are affected?
iPhone, iPad and iPod touch models running an iOS version compatible with any of the infected apps. The malware affects both stock and jailbroken devices.

Which apps are affected?
Palo Alto Networks has shared a full list of over 50 infected iOS apps, including WeChat, NetEase Cloud Music, WinZip, Didi Chuxing, Railway 12306, China Unicom Mobile Office and Tonghuashun.

How many users are affected?
XcodeGhost potentially affects more than 500 million iOS users, primarily because messaging app WeChat is very popular in China and the Asia-Pacific region.

Which unofficial versions of Xcode are affected?
All unofficial versions between Xcode 6.1 and Xcode 6.4.

How does XcodeGhost put my iOS devices at risk?
iOS apps infected with XcodeGhost malware can and do collect information about the device, then encrypt and upload that data over HTTP to command and control (C2) servers run by the attackers. The system and app information that can be collected includes:

Current time
Current infected app's name
The app's bundle identifier
Current device's name and type
Current system's language and country
Current device's UUID
Network type

Palo Alto Networks also discovered that infected iOS apps can receive commands from the attacker through the C2 server to perform the following actions:

Prompt a fake alert dialog to phish user credentials;
Hijack the opening of specific URLs based on their scheme, which could allow exploitation of vulnerabilities in iOS or in other iOS apps;
Read and write data in the user's clipboard, which could be used to read the user's password if that password is copied from a password management tool.

Can XcodeGhost affect users outside of China?
Yes. Some of the iOS apps infected with XcodeGhost malware are available on the App Store in countries outside of China. CamCard, for example, is a popular business card reader and scanner app available in the United States and several other countries, while WeChat is a popular messaging app in the Asia-Pacific region.

Why would some Chinese developers download Xcode from Baidu?
Xcode is a large file that can take a long time to download from Apple's servers in China, leading some developers to download Xcode from unofficial sources.

How are Apple and Chinese developers dealing with XcodeGhost?
Palo Alto Networks claims that it is cooperating with Apple on the issue, while multiple developers have updated their apps to remove the malware.

Apple has since issued the following statement to Reuters:

How do I protect myself against XcodeGhost?
iOS users should immediately uninstall any infected iOS app listed here from their devices, or update to a newer version that has removed the malware. Resetting your iCloud password, and any other passwords entered on your iOS device, is also strongly recommended as a precaution.

Developers should install official versions of Xcode 7 or Xcode 7.1 beta from Apple's website for free and avoid downloading the software from unofficial sources.
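One concrete way for a developer to act on that advice is to ask Gatekeeper whether the Xcode actually installed on the machine carries Apple's signature. The script below is an added example, not part of the MacRumors article and not Apple's own tooling: it wraps the real macOS command `spctl --assess --verbose` and assumes the verdict format Apple described for genuine copies (a line ending in `accepted` followed by a `source=` line naming the Mac App Store or Apple). The function names and the sample verdict strings at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): verify that a local Xcode.app is
# trusted by Gatekeeper AND that the trust comes from Apple itself.
# Real command on macOS:
#   spctl --assess --verbose /Applications/Xcode.app
# Assumed verdict format for a genuine copy (per Apple's guidance at the time):
#   /Applications/Xcode.app: accepted
#   source=Mac App Store      (or source=Apple, or source=Apple System)

# Return 0 only if the verdict is "accepted" and the source is Apple-originated.
# A bundle re-signed with some other Developer ID is still "accepted" by
# Gatekeeper, so the source line is the part that actually matters here.
spctl_verdict_ok() {
    verdict="$1"
    case "$verdict" in
        *": accepted"*) ;;
        *) return 1 ;;
    esac
    # Pull the value after "source=" from the verdict text.
    src=$(printf '%s\n' "$verdict" | sed -n 's/^source=//p' | head -n 1)
    case "$src" in
        "Mac App Store"|"Apple"|"Apple System") return 0 ;;
        *) return 1 ;;
    esac
}

# Run the real assessment where spctl exists (macOS). On any other host,
# report that the check could not be performed instead of silently passing.
check_xcode() {
    app="${1:-/Applications/Xcode.app}"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "SKIP: spctl not available on this host, cannot assess $app"
        return 2
    fi
    out=$(spctl --assess --verbose "$app" 2>&1)
    if spctl_verdict_ok "$out"; then
        echo "OK: $out"
        return 0
    fi
    echo "NOT TRUSTED, reinstall Xcode from Apple: $out"
    return 1
}

# Constructed sample verdicts so the parser can be exercised on any machine.
SAMPLE_GENUINE='/Applications/Xcode.app: accepted
source=Mac App Store'
SAMPLE_RESIGNED='/Applications/Xcode.app: accepted
source=Developer ID'
SAMPLE_UNSIGNED='/Applications/Xcode.app: rejected
source=no usable signature'
```

On a Mac, call `check_xcode` (optionally with a different bundle path) and reinstall from Apple if it reports anything other than OK. The three constants only feed the parser; the middle one shows why "accepted" alone is not enough, since a tampered bundle re-signed with a different certificate would pass Gatekeeper yet not come from Apple.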

Article Link: What You Need to Know About iOS Malware XcodeGhost
Thank you guys for posting such a detailed report about this. I'm seriously impressed. I wouldn't have known where to turn to find this info. Props.
 
You have no idea how slow it is to download it from the mac app store in China. But I'm not sure if it is because of GFW or Apple's server distribution.
I don't care how slow it is. If it takes a week, you wait, because this is what happens when you take shortcuts. Maybe there's something Apple could or should be doing to speed up the process, but that's no excuse for downloading such critical software from an untrustable file-sharing site. It's absurdly stupid.
 
My thought is I am all done with any company that would use an Xcode version they got from a file sharing site rather than Apple directly. I would never trust them again.
I would hope that Apple has Developers agree to ONLY use Apple's Developer Tools and any breaches such as this one should get the developer and all its ads suspended immediately. All users that downloaded any copies of the Developer's products should be notified of the problem with the developer.
 
Infected iOS apps
中信银行动卡空间 3.3.12
Now that's a bugger, I was about to download that app!

Sorry Chinese brothers, no disrespect meant, but that title looks like Tetris 3.3.12 to me.
 
I think the thing I need to know is to stay away from unofficial releases.

Apple can tell between what's official Xcode and what's not, they must.
 
The Great Chinese Firewall makes any connection in and out of China slow. They do this even to websites in Hong Kong. It's easy to blame China but Apple could have: 1) made the download of Xcode faster by improving the content delivery network in China, hey it's hundreds of millions of users there; 2) implemented mandatory checking of submitted binaries and rejected apps that are not compiled through signed copies of Xcode.
You are blaming Apple for a Chinese firewall?
Yes, Apple has responsibilities, but not so much...

Everyone needs to calm down. It's not that big of a deal. Mercury Web Browser is still live in the App Store indicating it isn't affected
I did notice that....
 
Downloading from Apple's servers in China actually isn't that slow. I'm in Xishuangbanna right now, and can get a solid 4 MB/s from Apple's servers on hotel Wi-Fi.
 
Downloading from Apple's servers in China actually isn't that slow. I'm in Xishuangbanna right now, and can get a solid 4 MB/s from Apple's servers on hotel Wi-Fi.
Lucky you, I had a holiday there back in 2001; beautiful part of the world! There was no hotel wifi then, I can tell you.
 
By the way, this baidu repository isn't some shady website. Baidu is the "Google" of China, although it's an impoverished, diseased, feeble minded man's version of Google.
 
By the way, this baidu repository isn't some shady website. Baidu is the "Google" of China, although it's an impoverished, diseased, feeble minded man's version of Google.
Meaning it is shady. As long as it is behind the great firewall of China, it is suspect.
 
Now, the part that they (news outlets) don't want you to know:

1. Infected Apps can't surpass App Store constraints (they can't, for instance, erase your device memory, or turn off your device, they are only able to do the inoffensive things that a normal app can)

2. Infected Apps can't go out of their sandbox, for example:

-> they can't access other apps' passwords

-> they can't access other apps' files

-> they can't access iCloud account credentials

-> they can't send iMessages, SMS, take pictures without you seeing, etc.

-> they can't hack into your credit cards or Apple Pay.

-> they can't access your browsing history, or photos

So, even if the Chinese hackers wanted to detonate a nuke, it wouldn't get outside the box each app lives in.

But as always, media blows this out of proportion... it's Apple!


Thank you for the helpful info. I had the infected CamCard on my iPhone. I've uninstalled it and also changed my iCloud password. Just to be safe. So we're clear, I don't need to change any other passwords?
 
At some point, Mercury Web Browser stopped being updated on my iPhone, likely because of the change from iLegendSoft to Lucy Ding. From a Twitter post I saw of the former, Lucy Ding is one of their employees. That (free) version of Mercury (9.1.0) is really cool (ad blocking, fast, print to PDF, bookmarks import/export, search in page, vertical scrollbar, and other goodies). It is no longer available on the App Store because a newer (poorly reviewed) version has replaced it. How do we know whether that older version is safe? Apple really needs to provide some tool to check our older apps: don't know if it's possible but that would definitely help. I don't know what other browser out there offers the features I listed, this is really annoying!
 
I downloaded musical.ly when it hit popularity with the don't judge challenge? It was only used for about 10 minutes but I think it was installed for a day or two and hasn't been installed since. Am I still at risk even though it was months ago and I've recently upgraded to iOS 9?
 
I keep getting emails about my cards being removed from Apple Pay but I didn't remove any cards and they are still on the phone. Could this be part of the malware problem too?

I got the same thing, however, I believe it was tied to me resetting my iCloud password. Did you reset anything with your iCloud yet?
 
Thankfully, the only one of those apps that I've downloaded before is WeChat, and that was literally years ago. So suss that a major app like that would have been built on a bootleg version of Xcode though. Something doesn't feel right there.

Damn it, China.
 
I think that this being the first malware, Apple has done a commendable job. It's the most used OS with a single version. Considering the hack, it hardly collects any sensitive data at all and is a bit lame by malware standards!

There are some government peeps lining the pockets of top coders to make this version of Xcode and that's all they get. NSA must be pissed to be so locked out, they don't have these issues on Android though, it's open season there.
 
Seriously what developer who knows anything about security is going to download an IDE from a non official source?

That's like downloading an OS from The Pirate Bay and being shocked the file was injected with malicious code.

Sorry, but you missed the entire point! The point is not the source of the malware, but that the malware infected apps got into the App Store - through Apple's quality control! - in the first place!

That's the point of the story!
 