What You Need to Know About iOS Malware XcodeGhost

xcode-6Earlier this week, Chinese developers disclosed new iOS malware called XcodeGhost on microblogging service Sina Weibo. U.S. cybersecurity firm Palo Alto Networks has since published details about the malware.

MacRumors has created a FAQ so you can learn more about XcodeGhost and how to keep your iOS devices protected.

What is XcodeGhost?
XcodeGhost is a new iOS malware arising from a malicious version of Xcode, Apple's official tool for developing iOS and OS X apps.

How is XcodeGhost distributed?
A malicious version of Xcode was uploaded to Chinese cloud file sharing service Baidu and downloaded by some iOS developers in China.

Chinese developers then unknowingly compiled iOS apps using the modified Xcode IDE and distributed those infected apps through the App Store.

Those apps then managed to pass through Apple's code review process, enabling iOS users to install or update the infected apps on their devices.

Which devices are affected?
iPhone, iPad and iPod touch models running an iOS version compatible with any of the infected apps. The malware affects both stock and jailbroken devices.

Which apps are affected?
Palo Alto Networks has shared a full list of over 50 infected iOS apps, including WeChat, NetEase Cloud Music, WinZip, Didi Chuxing, Railway 12306, China Unicom Mobile Office and Tonghuashun.

How many users are affected?
XcodeGhost potentially affects more than 500 million iOS users, primarily because messaging app WeChat is very popular in China and the Asia-Pacific region.

Which unofficial versions of Xcode are affected?
All unofficial versions between Xcode 6.1 and Xcode 6.4.

How does XcodeGhost put my iOS devices at risk?
iOS apps infected with XcodeGhost malware can and do collect information about devices and then encrypt and upload that data to command and control (C2) servers run by attackers through the HTTP protocol. The system and app information that can be collected includes:

  • Current time

  • Current infected app’s name

  • The app’s bundle identifier

  • Current device’s name and type

  • Current system’s language and country

  • Current device’s UUID

  • Network type

    Palo Alto Networks also discovered that infected iOS apps can receive commands from the attacker through the C2 server to perform the following actions:

  • Prompt a fake alert dialog to phish user credentials;

  • Hijack opening specific URLs based on their scheme, which could allow for exploitation of vulnerabilities in the iOS system or other iOS apps;

  • Read and write data in the user’s clipboard, which could be used to read the user’s password if that password is copied from a password management tool.

    Can XcodeGhost affect users outside of China?
    Yes. Some of the iOS apps infected with XcodeGhost malware are available on the App Store in countries outside of China. CamCard, for example, is a popular business card reader and scanner app available in the United States and several other countries, while WeChat is a popular messaging app in the Asia-Pacific region.

    Why would some Chinese developers download Xcode from Baidu?
    Xcode is a large file that can take a long time to download from Apple's servers in China, leading some developers to download Xcode from unofficial sources.

    How are Apple and Chinese developers dealing with XcodeGhost?
    Palo Alto Networks claims that it is cooperating with Apple on the issue, while multiple developers have updated their apps to remove the malware.

    Apple has since issued the following statement to Reuters:

    "We’ve removed the apps from the App Store that we know have been created with this counterfeit software. We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps."

    How do I protect myself against XcodeGhost?
    iOS users should immediately uninstall any infected iOS app listed here on their devices, or update to a newer version that has removed the malware. Resetting your iCloud password, and any other passwords inputted on your iOS device, is also strongly recommended as a precautionary measure.

    Developers should install official versions of Xcode 7 or Xcode 7.1 beta from Apple's website for free and avoid downloading the software from unofficial sources.

  • Top Rated Comments

    jmantn Avatar
    74 months ago
    darn it, I thought only android gets malware.

    wechat is used in many countires :(
    Seriously what developer who knows anything about security is going to download an IDE from a non official source?

    That's like downloading an OS from The Pirate Bay and being shocked the file was injected with malicious code.
    Score: 63 Votes (Like | Disagree)
    deviant Avatar
    74 months ago
    i'm sorry but how can a developer be such an idiot (please don't ban me, there's no other word to describe patient's condition) to download Xcode from a chinese cloud file sharing service????
    Score: 56 Votes (Like | Disagree)
    Weaselboy Avatar
    74 months ago
    How do I protect myself against XcodeGhost?
    iOS users should immediately uninstall any infected iOS app listed here ('http://researchcenter.paloaltonetworks.com/2015/09/malware-xcodeghost-infects-39-ios-apps-including-wechat-affecting-hundreds-of-millions-of-users/') on their devices, or update to a newer version that has removed the malware. Resetting your iCloud password, and any other passwords inputted on your iOS device, is also strongly recommended as a precautionary measure.
    My thought is I am all done with any company that would use an Xcode version they got from a file sharing site rather than Apple directly. I would never trust them again.
    Score: 48 Votes (Like | Disagree)
    arn Avatar
    74 months ago
    Can't you just list all 39 apps? Looks like the servers from Palo Alto Networks can't handle it.
    Infected iOS apps
    网易云音乐 2.8.3
    微信 6.2.5
    讯飞输入法 5.1.1463
    滴滴出行 4.0.0.6-4.0.0.0
    滴滴打车 3.9.7.1 – 3.9.7
    铁路12306 4.5
    下厨房 4.3.2
    51卡保险箱 5.0.1
    中信银行动卡空间 3.3.12
    中国联通手机营业厅 3.2
    高德地图 7.3.8
    简书 2.9.1
    开眼 1.8.0
    Lifesmart 1.0.44
    网易公开课 4.2.8
    马拉马拉 1.1.0
    药给力 1.12.1
    喜马拉雅 4.3.8
    口袋记账 1.6.0
    同花顺 9.60.01
    快速问医生 7.73
    懒人周末
    微博相机
    豆瓣阅读
    CamScanner
    CamCard
    SegmentFault 2.8
    炒股公开课
    股市热点
    新三板
    滴滴司机
    OPlayer 2.1.05
    电话归属地助手 3.6.5
    愤怒的小鸟2 2.1.1
    夫妻床头话 1.2
    穷游 6.6.6
    我叫MT 5.0.1
    我叫MT 2 1.10.5
    自由之战 1.1.0

    Fox-IT (fox-it.com ('http://fox-it.com/')), a Netherlands based security company, checked all C2 domain names from our reports in their network sensors and has found thousands of malicious traffic outside China. According to their data, these iOS apps were also infected:

    Mercury
    WinZip
    Musical.ly
    PDFReader
    guaji_gangtai en
    Perfect365
    网易云音乐
    PDFReader Free
    WhiteTile
    IHexin
    WinZip Standard
    MoreLikers2
    CamScanner Lite
    MobileTicket
    iVMS-4500
    OPlayer Lite
    QYER
    golfsense
    同花顺
    ting
    installer
    下厨房
    golfsensehd
    Wallpapers10000
    CSMBP-AppStore
    礼包助手
    MSL108
    ChinaUnicom3.x
    TinyDeal.com
    snapgrab copy
    iOBD2
    PocketScanner
    CuteCUT
    AmHexinForPad
    SuperJewelsQuest2
    air2
    InstaFollower
    CamScanner Pro
    baba
    WeLoop
    DataMonitor
    爱推
    MSL070
    nice dev
    immtdchs
    OPlayer
    FlappyCircle
    高德地图
    BiaoQingBao
    SaveSnap
    WeChat
    Guitar Master
    jin
    WinZip Sector
    Quick Save
    CamCard
    Score: 28 Votes (Like | Disagree)
    SSD-GUY Avatar
    74 months ago
    So... It begins.

    iOS has been breached through the one thing that kept us safe. The App Store.
    Score: 27 Votes (Like | Disagree)
    mw360 Avatar
    74 months ago
    I don't think that's a correct analysis of the situation.
    What has really happened here? Developers have used the wrong tool (we'll discuss that later) and that tool has embedded some unwanted additional code in their apps. BUT look what still worked
    - each broken app STILL has to be submitted to the app store, with identification and an audit trail

    - even when the app is on an iOS device, there are severe limits to what it can do. It still can't break out of the OS protections, randomly control the device, etc. The type of info being sent back to base is, let's face it, not THAT serious --- not ideal, but not control of the machine.

    - The items that ARE problematic (and which Apple should work on fixing) are items that were problematic before we knew about this, and that have been used in other contexts --- the ability to phish for passwords by throwing up fake dialog boxes, and the way the current sandboxing FORCES Password apps like 1Password to transfer data over the Clipboard.

    What this REALLY provides is a way to throw out a bunch of these phishing scams in a way that can't be traced back to the real scammer; only to the developer using the wrong tool.

    Which gets us to that issue. I don't know enough about XCode to know what was and was not breached on that front. Obviously the entire XCode package should be signed, and obviously if you're stupid enough to install an XCode package that complains about being unsigned, you're setting yourself up for trouble. But blaming the victim, especially when the security landscape changes every year is not helpful --- how could Apple do better?
    You can't really avoid people being able to write their own compilers and dev tools, and you can't stop those dev tools from doing god knows what to the code they create --- this has been known since Pike's infamous C compiler of the early seventies.
    What you SHOULD be able to do is not allow code that has been created by such dev tools into the app store. THAT seems to be the flaw that needs to be fixed --- that any tool that's generating binaries that will land up in the store needs to be provably signed. But I don't know how feasible that is. Obviously the last stage (the actual store submitter app) is provided by Apple and signed, and using the developers signature. But what about the linker beforehand? And the compiler before that? And you then need the binaries passed between the two to be encrypted? It's just totally inimical to the current expected model of how we code.

    So what about at a higher level? Do something that's a ugly hack, but basically FORCE that any installer that calls itself "XCode" has to be signed no matter what? That's one package that you can't install regardless of your GateKeeper settings except from Apple. But then you get a wack-a-mole of packages called "XCode 7" and "XCode!" and "XCode Pro".
    Good analysis, but there is something Apple could have done, and I have been saying as much for over a year. Here's the more strongly worded one:

    They should ban their in-house teams from throwing up a password request box. Absolute ban. It has got out of hand recently with stock apps asking for the password without any justification or explanation and pretty much at random. I've said it over and over, Apple have been training their users for exactly this scenario - enter password whenever anyone asks. If an app needs the iCloud password it should instruct the user to enter it in the appropriate settings page. Train users: only the settings app should be trusted with passwords.
    Score: 26 Votes (Like | Disagree)

    Top Stories

    tile sticker e1570533758981

    Tile CEO: 'We Welcome Competition From Apple, But We Think It Needs to Be Fair'

    Tuesday May 4, 2021 9:51 am PDT by
    Just after Apple announced its AirTags, Tile CEO CJ Prober relayed his concerns about competing with Apple in the tracking space, and said that Tile would ask Congress to investigate Apple's business practices specific to Find My and item trackers. Prober this week did an interview with Bloomberg, where he further expanded on Tile's complaints about Apple and why he feels that Tile is...
    signal instagram ads3

    Signal Shares the Instagram Ads Facebook Doesn't Want You to See

    Wednesday May 5, 2021 1:29 am PDT by
    Encrypted messaging app Signal has had a series of Instagram ads blocked from the social media platform, after it attempted to show users how much data the Facebook-owned company collects about them and how it's used to push targeted ads. In a blog post, Signal described how it generated the ads to show users why they were seeing them, simply by declaring upfront the information that the...
    tracking disabled ios 14 5

    Analytics Suggest 96% of Users Leave App Tracking Disabled in iOS 14.5

    Friday May 7, 2021 1:51 am PDT by
    An early look at an ongoing analysis of Apple's App Tracking Transparency suggests that the vast majority of iPhone users are leaving app tracking disabled since the feature went live on April 26 with the release of iOS 14.5. According to the latest data from analytics firm Flurry, just 4% of iPhone users in the U.S. have actively chosen to opt into app tracking after updating their device...
    fortnite apple logo 2

    Epic CEO Tim Sweeney Admits App Store's 30% Cut Is Similar to Consoles, Would Have Accepted Special Deal With Apple

    Tuesday May 4, 2021 1:54 pm PDT by
    Apple's legal battle with Epic Games is continuing on, and during the second day of the trial, Epic Games' CEO Tim Sweeney continued his testimony against Apple. Sweeney was grilled by Apple's lawyers, and made several points seemingly favorable to Apple. In addition to mentioning how he prefers Apple's iPhone and values Apple's privacy policies that he's aiming to dismantle, Sweeney...
    snapchat dark mode

    Snapchat Rolls Out Dark Mode on iOS

    Wednesday May 5, 2021 1:17 am PDT by
    Nearly two years following the release of iOS and iPadOS 13, which included native, built-in, and systemwide dark mode, Snapchat, one of the world's most prominent social media networks, has finally rolled out a dark mode theme for iOS users. Snapchat began testing a dark mode theme of its app design late last year with a small group of iOS users. Now, Snapchat says that as of this week, it...
    netflix sign up

    Apple Discussed 'Punitive Measures' Against Netflix for Dropping In-App Purchases

    Wednesday May 5, 2021 11:03 am PDT by
    As the Epic Games v. Apple trial progresses into its third day, Apple's internal documents and communications with various companies are continuing to surface, giving us some insight into the dealings that Apple has had around the App Store. Back in December 2018, Netflix stopped offering in-app subscription options for new or resubscribing members and instead began requiring them to sign up ...
    iphone 12 preorder purple

    Apple Begins Transition to Randomized Serial Numbers With Purple iPhone 12

    Wednesday May 5, 2021 9:17 am PDT by
    MacRumors previously reported about Apple's plan to switch to randomized serial numbers for future products starting in early 2021, and this transition has now started with the new purple iPhone 12 model in multiple countries. With assistance from Aaron Zollo, host of the YouTube channel ZolloTech, we can confirm that the purple iPhone 12 released last month has a new 10-character serial...
    airtag 1

    AirTag Anti-Stalking Measures 'Just Aren't Sufficient' Says Washington Post Report

    Wednesday May 5, 2021 6:03 pm PDT by
    The safeguards that Apple built into AirTags to prevent them from being used to track someone "just aren't sufficient," The Washington Post's Geoffrey Fowler said today in a report investigating how AirTags can be used for covert stalking. Fowler planted an AirTag on himself and teamed up with a colleague to be pretend stalked, and he came to the conclusion that the AirTags are a "new means...
    iphone 13 pro max dummy notch

    iPhone 13 Pro Max Dummy Model Depicts Smaller Notch

    Tuesday May 4, 2021 1:08 pm PDT by
    Apple's iPhone 13 models are expected to feature a slimmed down notch, marking the first major change to the TrueDepth camera system since it was introduced in the 2017 iPhone X. We're still months away from the launch of the iPhone 13, but Lewis Hilsenteger of Unbox Therapy managed to get an iPhone 13 Pro Max dummy model that represents what we can expect from the new 2021 device. Dummy...
    iPad Pro July Shipping

    12.9-Inch iPad Pro Now Delivers as Late as Mid-July

    Wednesday May 5, 2021 7:10 am PDT by
    While the new 12.9-inch iPad Pro is set to launch in the second half of May, orders placed today are estimated for delivery as late as mid-July on Apple's online store in the United States — some two months later. The new 11-inch iPad Pro is faring better so far, with some configurations available for delivery in the last week of May. The new 12.9-inch iPad Pro features a Liquid Retina XDR ...