I have CamCard and actually used it. ****. Just exported everything and deleted the app.
 
What are Chinese developers doing making WinZip?

The magic keyword is: "outsourcing".

However sometimes the bill is higher than initially anticipated... but no worries: you generate a nice PowerPoint slide show, present it at the next stakeholder's meeting and be done with it.
 
That's not the ****ing point! The ****ing point is that Apple let those apps slip into the App Store!
That is certainly one of the points, and perhaps one of the bigger ones, but it's not the only point.
 
That is certainly one of the points, and perhaps one of the bigger ones, but it's not the only point.

Yeah, but you connect all the points and it spells out: "Apple's Mac App Store quality control failed big time!"
 
Changing iCloud password might be overreacting...

The design of iOS makes it impossible for third-party apps to access the iCloud password when they prompt users to type it, if the device is not jailbroken. Thus the only way a malware could get the password is to make a fake pop-up window asking the user to log in to iCloud (a developer can draw a pop-up window that looks exactly like the iCloud login, but sends the password somewhere else). But there is another problem: on a non-jailbroken device, apps other than the App Store itself cannot access the iCloud ID, so the fake iCloud window must ask the user to type the iCloud ID as well, while other legitimate iCloud access requests only ask for the password.

In this sense, unless you have seen some third-party app asking you to provide both iCloud ID and password, it's impossible for the breacher to get hold of your iCloud ID and password at the same time.

Wanna make a bet how many iPhone users would actually enter their iCloud password AND Apple ID, if shown with a "familiar looking dialog"?

And since you seem to be in the know, quick! Tell me what happens with the onscreen keyboard if a legitimate password dialog shows up!

You didn't know the answer without actually trying it? See what I mean?

P.S. The keyboard gets dark, which hints that a legitimate password dialog is being shown...

P.P.S. And no, I never realised that myself before reading that tip here on the forums a couple of months ago...
 
Like many others have commented, I don't see how a 100 billion dollar company like Tencent "doesn't have the time" to download a working copy of Xcode - heck, even I've got one and I'm not even a real developer. Something very wrong about all of this. I don't believe that it's a time issue. I think there is some other reason they were using XcodeGhost.
 
Like many others have commented, I don't see how a 100 billion dollar company like Tencent "doesn't have the time" to download a working copy of Xcode - heck, even I've got one and I'm not even a real developer. Something very wrong about all of this. I don't believe that it's a time issue. I think there is some other reason they were using XcodeGhost.

My feeling is that this is no accident at all. That this is one of those zillions of hacks the Chinese hack team (or whatever it has been called, remember the Obama Chinese meeting about this... It's not because it is a minor issue..) has been doing all over the last year. The whole scenario here makes NO SENSE OTHERWISE.
 
Sorry, but you missed the entire point! The point is not the source of the malware, but that the malware infected apps got into the App Store - through Apple's quality control! - in the first place!

That's the point of the story!

The point appears to be whatever you want it to be, but it's worth bearing in mind that 'infected' is a strong word in this case. The infected apps don't really do anything that the iOS APIs don't already allow. The data these apps collect is data that Apple allows apps to collect. The malware isn't using any exploit or vulnerability in iOS. Even collecting clipboard data isn't sketchy - apps must be able to do it in order to function. So making a drama about this is being oblivious to the challenges. Apple cannot automatically detect and ban apps that collect freely collectible data.

Apple's deterrent against apps doing permitted-but-sketchy things like this is the accountability of the developers. Each app on the App Store can be traced to a bank or credit account. It's not impossible to get bad code into the App Store - in fact it's very easy - the difficult part is getting away with it afterwards. The problem here is that relatively innocuous code with no chain of accountability can turn bad once it's on the phones and there's nobody to trace it to. Previously we had that chain of accountability. Here we don't.

It's difficult to know how to stop this. Even using only signed Xcode, negligent developers could still use bad plugins or bad code libraries or employ bad coders. For the moment, we have to rely on the appropriate action to be taken against the idiots (or 'bad actors') behind this, as deterrent for the same thing happening again.
 
Sorry, but you missed the entire point! The point is not the source of the malware, but that the malware infected apps got into the App Store - through Apple's quality control! - in the first place!

That's the point of the story!

NO IT'S NOT THE POINT; It got in through Xcode, which is probably the reason it got in.
The fact that a malware version of Xcode was downloaded by multinationals from those hack sites instead of directly from Apple is beyond belief; something really weird went on there and I see government hackers all over this crap.

There's a reason there has been a meeting between Obama and the Chinese about this kind of thing, and it is not because it doesn't happen...
 
Infected iOS apps
网易云音乐 2.8.3
微信 6.2.5
讯飞输入法 5.1.1463
滴滴出行 4.0.0.6-4.0.0.0
滴滴打车 3.9.7.1 – 3.9.7
铁路12306 4.5
下厨房 4.3.2
51卡保险箱 5.0.1
中信银行动卡空间 3.3.12
中国联通手机营业厅 3.2
高德地图 7.3.8
简书 2.9.1
开眼 1.8.0
Lifesmart 1.0.44
网易公开课 4.2.8
马拉马拉 1.1.0
药给力 1.12.1
喜马拉雅 4.3.8
口袋记账 1.6.0
同花顺 9.60.01
快速问医生 7.73
懒人周末
微博相机
豆瓣阅读
CamScanner
CamCard
SegmentFault 2.8
炒股公开课
股市热点
新三板
滴滴司机
OPlayer 2.1.05
电话归属地助手 3.6.5
愤怒的小鸟2 2.1.1
夫妻床头话 1.2
穷游 6.6.6
我叫MT 5.0.1
我叫MT 2 1.10.5
自由之战 1.1.0

Fox-IT (fox-it.com), a Netherlands-based security company, checked all C2 domain names from our reports in their network sensors and has found thousands of instances of malicious traffic outside China. According to their data, these iOS apps were also infected:

Mercury
WinZip
Musical.ly
PDFReader
guaji_gangtai en
Perfect365
网易云音乐
PDFReader Free
WhiteTile
IHexin
WinZip Standard
MoreLikers2
CamScanner Lite
MobileTicket
iVMS-4500
OPlayer Lite
QYER
golfsense
同花顺
ting
installer
下厨房
golfsensehd
Wallpapers10000
CSMBP-AppStore
礼包助手
MSL108
ChinaUnicom3.x
TinyDeal.com
snapgrab copy
iOBD2
PocketScanner
CuteCUT
AmHexinForPad
SuperJewelsQuest2
air2
InstaFollower
CamScanner Pro
baba
WeLoop
DataMonitor
爱推
MSL070
nice dev
immtdchs
OPlayer
FlappyCircle
高德地图
BiaoQingBao
SaveSnap
WeChat
Guitar Master
jin
WinZip Sector
Quick Save
CamCard

There is something not quite right about this list from Fox-IT. I checked six random apps on the list and every one is still available in the App Store and has not been recently updated.

Now that Apple has made a statement that they have removed the offending apps, this means either:

a) Fox-IT's list is wrong.
b) Apple is lying that they have removed the rogue apps (or maybe the Marketing Dept got ahead of themselves).
c) Apple has missed some of them, but somebody at Apple must have seen this list too.
 
How does Tencent, a 160 billion dollar company, download its Xcode from a third party repository?

Because somewhere there is one guy sitting in an office and he decided to be lazy. Humans are always the weakest link.
 
Why can't Apple sign Xcode so it will only work if it's downloaded from Apple servers?

Apple DID sign Xcode, but the hackers don't need to modify the signed executable, nor the libraries, to make their trick work. What they need to do is simply create a customized library within user workspace paths, and replace the default project template with one that will preload that customized library. Apple's signature remains intact, but any new project created referring to that template will have malicious code injected by default.

Now let's assume that Apple had also signed the whole Xcode package and no one can modify anything within the Xcode package anymore. But Apple CAN'T forbid you to use 3rd-party libraries (for example, Unity) in your projects. The hackers could easily breach and distribute these 3rd-party libraries, and anyone who uses these breached libraries will still have their compiled Apps infected. Different source, same result.

Technically, Apple CAN'T distinguish whether your App should or shouldn't do such things as collect user data and send it back to some servers; it's possible that you're doing this intentionally, unless you've declared that your App is networking-less, such as a flashlight. There is nothing wrong with an organization asking their team members to use a customized project template. And there is nothing wrong with an App collecting user data and sending it back for analysis. If this package is distributed solely within one organization, to collect user data by default, as an enterprise policy, no one can complain that it would be a "problem" at all.
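A defender-side check for the mechanism described in this reply (the signed executable is untouched while a project template and a preloaded library are swapped in): take a file-level baseline of the template and library directories and diff a later snapshot against it. This is an added example, not Apple's tooling or code from the post; the directory tree, file names and the "Injected" library are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """SHA-256 of a file, streamed so large frameworks are handled cheaply."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_manifest(baseline, current):
    """Files that appeared, vanished, or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }

def demo():
    """Constructed Xcode-like tree (not a real install): baseline a clean
    template, then swap the template so it preloads an extra library, as the
    post describes. Returns the diff a defender would act on."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        template = root / "Templates/App.xctemplate/TemplateInfo.plist"
        template.parent.mkdir(parents=True)
        template.write_text("<plist><dict><key>Frameworks</key><array/></dict></plist>")
        baseline = build_manifest(root)
        # Tampering: drop a library into the tree and point the template at it.
        lib = root / "Library/Frameworks/Injected.framework/Injected"
        lib.parent.mkdir(parents=True)
        lib.write_text("constructed placeholder, not a real binary")
        template.write_text("<plist><dict><key>Frameworks</key>"
                            "<array><string>Injected</string></array></dict></plist>")
        return diff_manifest(baseline, build_manifest(root))
```

The baseline must itself come from an Xcode downloaded from Apple; on macOS this complements `spctl --assess --verbose /Applications/Xcode.app`, which verifies the bundle signature rather than individual template files.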
 
Mercury - if it is the web browser - that is huge. Mercury is on a lot of devices.
Seriously. I've been wondering for over a month now how someone accessed one of my accounts when I tend to be very careful. Apparently logging into said account using Mercury was the origin of the breach. I utilized the ad blocking and image blocking features to browse when in areas with poor internet speeds.
 
Maybe Apple now wakes up and does 2 things for Chinese customers:
1) faster servers in China (take a cue from Microsoft!). It shouldn't take 24+ hours to download anything in the 2 - 5 gig range on a fiber connection in Shanghai.
2) revamp the App Store's connectivity to be more rugged. It's not fun to restart the entire download after a couple of hours just because there's some sudden connection reset the App Store cannot handle. Or to be stuck on "waiting" for hours...
 
How does Tencent, a 160 billion dollar company, download its Xcode from a third party repository?

Outsourced some work to a dude they found on a Chinese freelancer-site?
These days, the "supply chain" for most stuff is absolutely terrifyingly long and complex.
I bet, for the iPhone hardware - if printed out as a diagram - it would fill multiple A0 pages.
 
Thank you for the helpful info. I had the infected CamCard on my iPhone. I've uninstalled it and also changed my iCloud password. Just to be safe. So we're clear, I don't need to change any other passwords?

You only need to take precautions with accounts that you used with that app.

Did you login to another account whilst on that app?

If no, then you don't need to worry. At least, for this cause.
 
Has anyone received a scam email that builds on this?

From: "admin" <apple@apple.com>
Reply-To: app1e@apple.com
Subject: Your Apple ID Report
Return-Path: bounce@shoppper.top
Received: from mail1.shoppper.top (unknown [94.156.77.185]) ...


Dear Customer,

Recently we posted the initial analysis report on XcodeGhost malware and then we found it had infected 39 iOS apps, potentially impacting hundreds of millions of users.

This server performs the following actions:
Read and write data in the user’s clipboard, which could be used to read the user’s password.

According to one developer’s report, XcodeGhost has successfully stolen over 225,000 valid Apple accounts and thousands of certificates, private keys, and purchasing receipts.

We need to verify that this email address belongs to you and that your Apple ID account can't be used by anyone else in order to abuse it.
Your email address cannot be used as a contact address for an Apple ID without this authentication.

Please fill out the required informations honestly and thoroughly in order to continue using your Apple ID account.

Simply click the link below and sign in using your Apple ID and password.


Verify Now


For more information, see our frequently asked questions.

Thanks,
Apple Customer Support


TM and copyright © 2015 Apple Inc. 1 Infinite Loop, MS 96-DM, Cupertino, CA 95014.
All Rights Reserved / Keep Informed / Privacy Policy / My Apple ID

Note, I removed the URLs pointing to their faked Apple ID website. They point to (fortunately) now defunct shoppper.top website.
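The headers quoted above carry the inconsistencies that give this kind of mail away: a Reply-To that differs from the From address by one look-alike character, and a bounce address and first relay in a domain unrelated to the claimed sender. The triage below checks exactly those relationships. It is an added example, not part of the post; the sample header block is constructed from the quoted headers, and `mx.example.invalid` and the digit-to-letter map are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the post; not a real capture.
SAMPLE = """\
From: "admin" <apple@apple.com>
Reply-To: app1e@apple.com
Subject: Your Apple ID Report
Return-Path: bounce@shoppper.top
Received: from mail1.shoppper.top (unknown [94.156.77.185]) by mx.example.invalid

"""

# Digits commonly swapped for letters in look-alike addresses (app1e -> apple).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

def registrable(host):
    """Crude eTLD+1: the last two labels. Adequate for apple.com-style domains."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def addr_parts(header_value):
    """(local, domain) of the first address in a header, lower-cased."""
    _, addr = parseaddr(header_value or "")
    local, _, domain = addr.lower().partition("@")
    return local, domain

def analyze_headers(raw):
    """Return the inconsistencies found between the sender-related headers."""
    msg = message_from_string(raw)
    findings = []
    from_addr = addr_parts(msg["From"])
    reply_addr = addr_parts(msg["Reply-To"])
    _, ret_dom = addr_parts(msg["Return-Path"])

    if msg["Reply-To"] and reply_addr != from_addr:
        findings.append("reply-to differs from from")
        # Identical once digits are mapped back to letters: a deliberate look-alike.
        if tuple(p.translate(CONFUSABLES) for p in reply_addr) == from_addr:
            findings.append("reply-to is a look-alike of from")
    if ret_dom and registrable(ret_dom) != registrable(from_addr[1]):
        findings.append("return-path domain differs from from domain")
    hop = re.search(r"from\s+([\w.-]+)", msg["Received"] or "")
    if hop and registrable(hop.group(1)) != registrable(from_addr[1]):
        findings.append("first received hop outside from domain")
    return findings
```

Run `analyze_headers(SAMPLE)` to get all four findings; a message whose Reply-To, Return-Path and first hop all sit in the From domain yields an empty list.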
 
So a company "as big as WeChat" downloads an Xcode knock-off from an unspecified server??? That goes a long way to telling how "professional" they are.

That, or there is something fishy around this story....
 
There is something not quite right about this list from Fox-IT. I checked six random apps on the list and every one is still available in the App Store and has not been recently updated.

Now that Apple has made a statement that they have removed the offending apps, this means either:

a) Fox-IT's list is wrong.
b) Apple is lying that they have removed the rogue apps (or maybe the Marketing Dept got ahead of themselves).
c) Apple has missed some of them, but somebody at Apple must have seen this list too.

I've also had a look and some of the offending apps are still present. Would love to know why that is, anyone got any ideas?
 
Only a fool would believe that iOS or any other mobile/desktop OS is 100% safe from malware and I don't recall Apple saying that iOS was 100% safe from malware. If they did, shame on them. So it's probably better to avoid any apps developed in China, at least until Apple does something to prevent this from happening in the future.

Well there is no shortage of fools in the world.
 