What You Need to Know About iOS Malware XcodeGhost

[Shirasaki]

If I remember correctly, Apple used WeChat in a demo for the Apple Watch. This is not going to end well.

Apple uses WeChat in their demo when they first announce Apple Watch when releasing iPhone 6 /6 Plus.

 

[snowmoon]

For those that think apple should have caught this when the apps were submitted I will say that it's hard to do so. Obviously they test for functionality, they do basic scans for known issues, and they probably use static analysis to look for known malicious patterns; beyond those tools it starts to become impossible to evaluate every branch of code especially if the code wants to stay hidden. This is why iOS is a layered approach and there is no evidence that the malware was able to compromise the app sandbox.

 

[W i n t e r m u t e]

Not as much of a problem any more since iOS 8. The most frequent case of copying passwords — browsers — will use an extension now. Other apps are slowly following suit.

That doesn't solve the problem... Browser extensions open up the pantheon of problems due to the XARA exploits. Go read up on it. Apple needs to create a secure method to pass such data.

 

[mmm chocolate]

Why is anyone surprised that the Chinese are cutting corners?

 

[zone23]

Well its good to know that developers who spend months coding apps saved 30 minutes on their xcode download. Good job guys.

 

[Ethosik]

Wait, WinZip is on the list?! What else can open .zip files on the iPad?

 

[MacUser09]

I had three of these apps on my devices: CamScanner, CamCard and OPlayer. Very worrying.

 

[You are the One]

I'm suprised nobody here put 2 and 2 together yet. This isn't a typical case of malware insertion. This is government sponsored. The up side is that people don't need to worry about their info being compromised, but the downside is that it shows that the Chinese government is actively trying to subvert their users (as if we didn't already know that though).

I agree, might be government sponsored. Top suspects would be NSA/GCHQ, the most well funded and aggressive hacking groups in history.

 

[Rafterman]

Another site is reporting Angry Birds 2 as well.

 

[chucker23n1]

That doesn't solve the problem... Browser extensions open up the pantheon of problems due to the XARA exploits. Go read up on it. Apple needs to create a secure method to pass such data.

Hm. Are app extensions actually affected by this? The extensions supported in iOS are sandboxed; their communication with the host app is quite limited.

 

[chucker23n1]

Why are most of your posts confrontational? Miserable much?

I replied to a "how hard is it?" post with "how hard is it?", since I found it a bit ironic that the original poster either didn't read the article in full (which, frankly, isn't that long), or disregarded it. Now I'm the rude one? OK.

 

[Chupa Chupa]

Another site is reporting Angry Birds 2 as well.

Just saw that @ 9to5mac. The most stunning of the lot of alleged affected apps. 9to5 says all affected apps - whichever those are for real - have been pulled from the App Store and replaced, or is in process of replacing, with "safe" versions. It recommends uninstalling affected apps and reinstalling.

I hope Apple contacts those who d/l'd bad apps rather that just push an update. Not everyone has auto update on or regularly updates. Its Apple's responsibility to inform.

 

[C DM]

Yeah, but you connect all the points and it spells out: "Apple's Mac App Store quality control failed big time!"

Yes, as mentioned, one of the bigger things it spells, but not the only one.

 

[C DM]

Apple can't test every path, simple as that. The code must have been heavily obfuscated and not in a regular execution path.

While certainly true about testing every possibility, it seems like there was a way to do it with this one given that they have been able to somehow find and disable the affected apps.

 

[nutjob]

It's a good thing we gave up (ie never had) control over what applications we can install on our phones so that Apple could keep us safe.

 

[nutjob]

Apple can't test every path, simple as that. The code must have been heavily obfuscated and not in a regular execution path.

Then what's the point of Apple controlling which apps you can install? This lays bare Apple's intentions here: it's not about security (because Apple can't actually guarantee that) it's so Apple can control their platform to maximise profits and reduce competition, all at the expense of their customers.

 

[rumourthis]

Why is CamCard still available in the App Store?

 

[netnothing]

Just saw that @ 9to5mac. The most stunning of the lot of alleged affected apps. 9to5 says all affected apps - whichever those are for real - have been pulled from the App Store and replaced, or is in process of replacing, with "safe" versions. It recommends uninstalling affected apps and reinstalling.

I hope Apple contacts those who d/l'd bad apps rather that just push an update. Not everyone has auto update on or regularly updates. Its Apple's responsibility to inform.

According to a comment on that post.....the Angry Birds 2 is not the US version. Sure would be nice if Apple would get ahead of this instead of the panic created by the media.

-Kevin

 

[MacUser09]

Have Apple put out any advice regarding this? I can't see any. I deleted three of the affected apps this morning, and changed my iCloud password, only to see that they have added another app to the list, "Angry Birds".
Looks like I will have to delete that and change p/w again.

 

[Rafterman]

According to a comment on that post.....the Angry Birds 2 is not the US version. Sure would be nice if Apple would get ahead of this instead of the panic created by the media.

-Kevin

Yes, it has been completely unclear exactly what stores and versions were affected.

 

[jhlane27]

Looks like WeChat is still available here in the US. Last update was on 9/11/15, and no comment about the malware vulnerability. Not cool.

 

[info]

Mercury - if it is the web browser - that is huge. Mercury is on a lot of devices.

I'm not sure but this article by The Register implies that Mercury, in fact, does refer to the Mercury Browser:

about:reader?url=http%3A%2F%2Fwww.theregister.co.uk%2F2015%2F09%2F21%2Ficloud_phishing_attack_hooks_39_ios_apps_most_popular_message_client%2F&tabId=11

 

[rockinrony]

Apple maps fiasco,
iphone 5 battery problem recall,
iphone 5c failure,
ios 7.1 icons re-color,
shift key confusion,
Apple watch failure,
Macbook pro display recall,
iphone 6+ camera recall,
now XCODE Ghost

Apple is surely not "reliable Apple" anymore. Its just about market share and make money

Very sad to see new Apple

 

[Rafterman]

Apple maps fiasco,
iphone 5 battery problem recall,
iphone 5c failure,
ios 7.1 icons re-color,
shift key confusion,
Apple watch failure,
Macbook pro display recall,
iphone 6+ camera recall,
now XCODE Ghost

Apple is surely not "reliable Apple" anymore. Its just about market share and make money

Very sad to see new Apple

When you start to become more popular and sell more product, you make more mistakes. Nothing unusual there.

 

[duffman9000]

From a WeChat blog post:

The WeChat tech team has extensive experience combating attempts to hack our systems.

Bull. Show me who is the fool that decided to download an unofficial version of XCode? I bet this is the same person who is downloading OS X ISOs for the hacintoshes or buys $5 versions of Windows from the local alley merchant. It's safe because the checksums are the same!