Apple should not allow Baidu to distribute a malicious version of Xcode. Apple should know that Baidu is distributing Xcode. Then some Apple employee should check whether this Xcode is the original. Problem solved!

Wrong. Apple cannot check every source of Xcode; it could get passed around on a thumb drive. What Apple can do is make sure that only legitimate versions of Xcode can be used to compile apps that are sold on the App Store. Time to improve the digital signature process. If Apple cannot control that, maybe developers can upload the codebase to Apple and the final compilation can be done on their servers.
 
  • Like
Reactions: V.K. and haruhiko
So... It begins.

iOS has been breached through the one thing that kept us safe. The App Store.

Well, we're still pretty safe, thanks to iOS sandboxing. The generally interesting datum is the UUID, which actually isn't that interesting any longer since it's not widely used. (Previously, when it was widely used, its value was in tying a user's activity in multiple apps together. It's no longer of much use for this purpose.)
 
  • Like
Reactions: haruhiko
So what is Apple doing
They are probably scanning the app store as we speak.
It should be writing a malware detector and cleaner right now; with all the money they've got, they should be buying one and immediately putting it in their store for free.
It is not possible for an app to scan or "clean" other apps on a non-jailbroken phone, since the iOS sandboxing isolates apps from each other. This also prevents XcodeGhost and other malware from doing much worse things than displaying a fake dialog box ...
 
Honestly, these developers should be held accountable, at least to some degree. This is unacceptable on their end.
 
They are probably scanning the app store as we speak.
It is not possible for an app to scan or "clean" other apps on a non-jailbroken phone, since the iOS sandboxing isolates apps from each other. This also prevents XcodeGhost and other malware from doing much worse things than displaying a fake dialog box ...
Well, they'd better be doing something. I use these things for more than just playing games; I thought at the least I was a bit safer on these things, and I had Mercury installed. How do I know what it's done?
If Safari hadn't been so buggy I wouldn't have had to try other browsers, but it crashed relentlessly, leading me to try other browsers, and Mercury happened to be one of them. I can't remember how often I used it, but I ended up using Chrome.
 
This isn't too surprising, some of the documents released by Snowden pointed out the CIA (in cahoots with the NSA?) had been attempting to compromise Xcode so that back doors would be inserted into anything compiled with it:

https://theintercept.com/2015/03/10/ispy-cia-campaign-steal-apples-secrets/

Once you compromise the compiler, it's game over (much like compromising the BIOS / firmware).

Whether or not the CIA were eventually successful is unknown. This is one of those things where Apple could open source (but not open license) their source code (and future changes) to critical things (like Xcode) so it could be checked/validated in the open (just to ensure the govt doesn't issue some secret order they're forced to comply with).

As encryption expert Bruce Schneier points out: "There's a persistent rumor going around that Apple is in the secret FISA Court, fighting a government order to make its platform more surveillance-friendly -- and they're losing."

Mentioned here: https://www.schneier.com/blog/archives/2015/09/fbi_and_apples_.html

So we're assuming that the CIA is behind the Xcode exploit, and not perhaps China's own government? I mean, it did originate over there. (Although all governments collectively would most likely love to be able to compromise and infiltrate supposedly "secure" systems.) All in the name of national security, of course! o_O
 
Ha ha. <- this isn't directed at Apple, this is me laughing at all the smug users that keep bashing on Android malware that is sideloaded and how the iOS App Store is perfect.
 
  • Like
Reactions: Dave.UK
Well, they'd better be doing something. I use these things for more than just playing games; I thought at the least I was a bit safer on these things
It still is a lot safer (provided you don't jailbreak).
and I had Mercury installed. How do I know what it's done?
Not much. In particular, it hasn't infected anything. The worst that can have happened, based on the analysis mentioned in the article, is that it presented you with a fake dialog box asking for a password. If you remember seeing an unexpected password prompt while using Mercury, I'd recommend changing that password (and activating 2-step authentication if available).
 
Apple is clearly the one to take the biggest blame here. Apple is the one that put the apps on their store for people to download, and they're supposed to be the gatekeeper here. Users are blocked from restoring or downgrading to older firmware by means of digital signatures, but at the same time Apple isn't using the same technology to block apps that aren't built with the genuine Xcode. What a joke! And some people here are trying to find excuses for Apple.
 
Apple should ban these developers from the App store for being so incredibly irresponsible.

I agree. Apple should have zero tolerance for this. If the developers want to write infected apps, they can go over to Android.
 
  • Like
Reactions: int79
Now, the part that they (news outlets) don't want you to know:

1. Infected apps can't surpass App Store constraints (they can't, for instance, erase your device memory or turn off your device; they are only able to do the inoffensive things that a normal app can)

2. Infected apps can't go out of their sandbox, for example:

-> they can't access other apps passwords

-> they can't access other apps files

-> they can't access icloud account credentials

-> they can't send imessages, sms, take pictures without you seeing, etc.

-> they can't hack into your credit cards or apple pay.

-> they can't access your browsing history, or photos

So, even if the Chinese hackers wanted to detonate a nuke, it wouldn't pass outside the box each app lives in.

But as always, media blows this out of proportion... it's Apple!
 
Why can't Apple sign Xcode so it will only work if it's downloaded from Apple's servers?

They sign!

When you download an unsigned Xcode, or one with an invalid signature, OS X tells you to throw it in the garbage.

Literally (the screenshot from the original post is not reproduced here).
 
It still is a lot safer (provided you don't jailbreak).
Not much. In particular, it hasn't infected anything. The worst that can have happened, based on the analysis mentioned in the article, is that it presented you with a fake dialog box asking for a password. If you remember seeing an unexpected password prompt while using Mercury, I'd recommend changing that password (and activating 2-step authentication if available).
One of the reasons I don't jailbreak is to stay safe. I can't remember being asked for a password; hopefully I wasn't.
Hopefully Apple is prepared for a massive lawsuit if the **** hits the fan.
 
  • Like
Reactions: haruhiko
Damn,

I used Mercury browser a lot. I liked it, but I deleted it just now and will not be reinstalling it. If the developers care so little about security as to use Xcode downloaded from somewhere other than Apple, I can never trust them again.

So basically some lazy Chinese developers opened up a door through Apple's security system....
Every time something wrong happens, the Chinese are involved....
The Great Chinese Firewall makes any connection in and out of China slow. They do this even to websites in Hong Kong. It's easy to blame China, but Apple could have: 1) made the download of Xcode faster by improving the content delivery network in China (hey, there are hundreds of millions of users there); 2) implemented mandatory checking of submitted binaries and rejected apps that are not compiled with signed copies of Xcode.
 
Now if hackers can do this to run malware could jailbreakers potentially make a tool using a similar attack to run the jailbreak and make it easier to jailbreak your phone?

Well, you could visit a website and "slide to jailbreak" your phone once upon a time... (@comex's hack)
 
But..but....but malware is only for Android. iOS is 100% safe. This must be a lie!

Only a fool would believe that iOS or any other mobile/desktop OS is 100% safe from malware and I don't recall Apple saying that iOS was 100% safe from malware. If they did, shame on them. So it's probably better to avoid any apps developed in China, at least until Apple does something to prevent this from happening in the future.
 
First off, only an idiot would download development tools from some random server instead of from the official site. That being said, the developers caught up in this ... well, sorry, being naïve idiots again... they could have quite easily prevented this by taking a few minutes to check out the validity of their seemingly-Xcode.dmg by asking on the official developer forums, or - if it's a firewall problem - on any respectable Apple-oriented developer site, for the SHA-512 message digest of the .dmg file for the current official developer tools (tens of thousands of people could provide this info), and then comparing that to the equivalent message digest for the .dmg that they obtained from some random source. It'd be pretty damn difficult for the bad guys to get their modified Xcode package to come up with the same checksums.
 
  • Like
Reactions: mariusignorello
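A concrete version of the check the post above describes, added here as an example (it is not code from the poster, from Apple, or from the thread): compute the SHA-512 digest of the downloaded disk image and compare it with a digest obtained separately from a trusted source, and, on OS X, follow up with the signature check that an earlier post in this thread mentions Gatekeeper performing. The expected digest is an input you must obtain out-of-band; the helper names and the demo file are this example's own, and the `codesign`/`spctl` step only runs where those tools exist.

```shell
#!/bin/sh
# Added example (not from the thread): verify a downloaded Xcode .dmg by
# comparing its SHA-512 digest against a value obtained out-of-band (from
# Apple's developer site or the developer forums, as the post suggests),
# then optionally ask OS X to check the code signature of the installed app.

# Print the SHA-512 hex digest of a file, using whichever tool is present.
file_sha512() {
    f=$1
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$f" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 512 "$f" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha512 "$f" | awk '{print $NF}'
    else
        echo "no SHA-512 tool found" >&2
        return 2
    fi
}

# verify_digest FILE EXPECTED_HEX
# Returns 0 when the file's digest equals EXPECTED_HEX (case-insensitive),
# 1 on mismatch, 2 when the digest could not be computed at all.
verify_digest() {
    f=$1
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    actual=$(file_sha512 "$f") || return 2
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "MISMATCH: $f" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    echo "OK: $f matches the expected SHA-512" >&2
    return 0
}

# On OS X, additionally verify the code signature of the installed Xcode.app
# and ask Gatekeeper whether it would accept it. Skipped where codesign is
# absent (e.g. Linux), so the rest of the script stays portable.
check_xcode_signature() {
    app=${1:-/Applications/Xcode.app}
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not available; skipping signature check" >&2
        return 0
    fi
    codesign --verify --deep --strict --verbose=2 "$app" || return 1
    spctl --assess --verbose "$app" || return 1
}

# Demo on a constructed file: SHA-512 of the three bytes "abc" is a published
# NIST test vector, standing in for the out-of-band digest of a real Xcode.dmg.
demo=$(mktemp)
printf 'abc' > "$demo"
verify_digest "$demo" \
  "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f" \
  && echo "demo digest check passed" >&2
rm -f "$demo"
```

Usage against a real download would be `verify_digest ~/Downloads/Xcode.dmg "<digest from a trusted source>"` followed by `check_xcode_signature` once the app is installed. The digest check only tells you the file matches what someone else reported; the signature check is the stronger control, because a modified Xcode.app fails `codesign --verify` regardless of which mirror it came from.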
Read and write data in the user's clipboard, which could be used to read the user's password if that password is copied from a password management tool.

Can the app read the clipboard even when it's not active?

so much for password management tools on iOS...
Yes. For example, there is a legitimate app that can display your clipboard content in its Notification Center widget. Out of concern about it being able to read my passwords, I deleted it immediately. Come to think of it, many apps can access my clipboard too! I think there is an option in 1Password that enables it to erase passwords from the clipboard after X minutes. Gotta try it out.
 
Users are blocked from restoring or downgrading to older firmware by means of digital signatures, but at the same time Apple isn't using the same technology to block apps that aren't built with the genuine Xcode. What a joke!
What you are asking for is not technically possible. Firmware signing is secure because Apple controls the cryptographic keys. But Xcode runs under control of its user. If the genuine Xcode contained a special signing key, it would only be a matter of time until someone found it in the code and extracted it. The best Apple can do is to try and protect Xcode against modification by hashing. But that can be hacked as well.

The bottom line is that you cannot prevent a developer from using other tools than the original Xcode to produce code for apps. Apple can and does force developers to sign apps they submit to the store, so they can be held responsible in cases like this one.
 
This has hit Reuters here along with a quote from an Apple rep.

"We’ve removed the apps from the App Store that we know have been created with this counterfeit software," Apple spokeswoman Christine Monaghan said in an email. "We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps."

This also from the article.

Apple declined to say how many apps it had uncovered.

IMO they need to get out in front of this ASAP and make a full disclosure of all apps infected. Hopefully Apple is working on that now.
 
Everyone needs to calm down. It's not that big of a deal. Mercury Web Browser is still live in the App Store, indicating it isn't affected.
 