September 21, 2015

XcodeGhost iOS Malware: Affected Apps and What You Should Do


Researchers recently found a piece of iOS malware called XcodeGhost in a number of apps in the Apple App Store. The creator(s) of XcodeGhost were able to sneak the malicious code into these apps without the app developers’ knowledge. The affected apps include popular consumer apps like WeChat and CamCard, which shows that XcodeGhost could affect potentially hundreds of millions of victims.

What is XcodeGhost?

XcodeGhost is a piece of malware that can steal data and potentially trick people into providing personally identifiable information. The creator(s) behind XcodeGhost were able to repackage a tool used by legitimate iOS and OS X developers to create apps. When those developers created their apps using this tampered-with tool, they unknowingly inserted malware into their apps, though the developers did need to knowingly disable some security checks in order to use this tool.

The malware made its way into a growing list of apps that were published live to the Apple App Store. Our understanding is that Apple is working to remove these apps from the App Store.

How might it affect me?

The malware takes information off the device, such as the device’s name, country, and unique identifiers. According to Palo Alto Networks, it may also have the ability to push dialogue boxes to your iPhone or iPad’s screen. Theoretically, a bad guy could use one of these dialogues to steal your username and password or other personal information.

The malware may also be able to open websites in your mobile browser, which could be used for a variety of malicious purposes, including phishing and installing other potentially malicious software.

Does Lookout protect me?

For our customers still running iOS 8 or under, we will detect apps running this malicious code and alert you to their presence.

Unfortunately, due to limitations Apple has placed on apps on the iOS platform, Lookout Mobile Security for consumers is not able to detect whether you have an infected app installed on iOS 9. Apple has made recent changes to iOS that make it more difficult for one app to understand which other apps are present on the device. We are always looking for new ways to protect iOS devices from malware and hope to be able to improve our detection capabilities in the future.

In the meantime, we recommend users:

  • If you have one of the apps listed below, update it if an update is available, or delete it immediately and wait until the developer releases a new version with the malicious code removed.
  • If one of these apps is running on your device, we also recommend that you change your Apple ID password and be wary of any suspicious emails or push notifications to your device asking for personal information.
  • In general, be wary of apps pushing dialogue boxes to your screen asking for personal information without first being aware of who is asking for it.
  • If you have used your Apple ID password on any other accounts, you should change the password for those accounts, too.

What are the apps?

We are actively adding apps to the list below that Lookout has independently confirmed to be affected by XcodeGhost. This list is not exhaustive and we will be maintaining it below, including information on whether it has been patched and what you should do.

To check if a developer has pushed an update to the app, go to the Apple App Store on your device, navigate to that app, and look for an “Update” button. If you are running the latest version of an app, this button will say “Open” instead of “Update.”

铁路12306

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 2.11

同花顺

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 9.62.01

同花顺HD

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 5.84.01

疯狂的宠物-史上第一宠物,宠物逃跑冒险捕捉大作战游戏

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.3.9

Crazy Fishing Saga

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 2.1.5

Crazy Fish 2- 100 levels of funny fishing game

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.1.8

pop owls-crazy pop super star game

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.0.8

Candy Crazy Fish - running fishes VS magic weapons

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.0.7

Sea Diamond - Crazy diamond stars pop crush game

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.0.6

Fishing Ares-Enjoy fish joy and pass 100 levels

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.0.3

Pet Forest-crazy pop style puzzle game

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.0.7

Multi-Attach Mail - Multiple Attachments Solutions

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 2.4

CamCard Business

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.8.2

CamScanner Free| PDF Document Scanner and OCR

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 3.8.2

CamScanner +| PDF Document Scanner and OCR

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 3.8.2

Cam Scanner Pro

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 3.8.2

WeChat

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 6.2.6

WinZip - The leading zip unzip and cloud file management tool

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 4.3

网易云音乐-好口碑,电台FM歌曲下载必备

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 2.9.0

OPlayerHD Lite

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 2.1.03

网易公开课 - 教育视频平台、名校名师名课、TED演讲、优质纪录片

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 4.2.9

中国联通手机营业厅(官方版)

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 3.3

愤怒的小鸟2-李易峰至爱手游

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 2.2.1

BitBox 音乐播放器

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.0.1

GNum - Connecting The World To You

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 5.0.100000621

10000+ Wallpapers for iOS 8, iOS 7, iPhone, iPod and iPad

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 3.7

喜马拉雅FM(Podcasts)儿童故事评书股票财经郎眼radio

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 4.3.20

开眼 - 精选视频推介,每天大开眼界

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.8.1

股市热点

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 2.41.01

懒人周末 - 每个周末都是惊喜

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.3.1

LifeSmart

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.0.46

Excavator Stunt 2015

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 2.1.2

Little Miss Party Girls - Music Festival Salon

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.2

Celebrity Fashion Stylist Salon

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.1

电话号码归属地助手

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 3.6.6

夫妻床头话-两性资讯交友社区情趣体验私密话题

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 2.1

Maya Mysterious Realm Free Slots Vegas Casino

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.1

Beauty Salon Monster Girls Makeover

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.5

Foscam

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.5.0

自由之战-真·5V5(第一MOBA手游)

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.1.1

Device Tracker for iPhone iPad

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 2.0

Free Calls Text by MoPlus Free Local and International Phone Calling and Messaging App

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 3.0.1

MyChevy - By Shanghai Wangfan Information Trans Co., Ltd.

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 3.2

爱推

  • Action: Uninstall immediately
  • Current Status: Still malicious
  • Last version checked: 1.1.5

Magic Likes Liker for Instagram Get More Free Instagram Likes Followers

  • Action: Uninstall immediately
  • Current Status: Still malicious
  • Last version checked: 1.0.4

Crazy Bubble OL

  • Action: Uninstall immediately
  • Current Status: Still malicious
  • Last version checked: 1.2.00

Parking 3D

  • Action: Uninstall immediately
  • Current Status: Still malicious
  • Last version checked: 5.3.1

Other companies have suggested that there are hundreds to thousands of apps that may be affected. We are working to independently confirm these apps are malicious:

  • 网易云音乐
  • 微信
  • 讯飞输入法
  • 滴滴出行
  • 滴滴打车
  • 铁路12306
  • 下厨房
  • 51卡保险箱
  • 中信银行动卡空间
  • 中国联通手机营业厅
  • 高德地图
  • 简书
  • 开眼
  • Lifesmart
  • 网易公开课
  • 马拉马拉
  • 药给力
  • 喜马拉雅
  • 口袋记账
  • 同花顺
  • 快速问医生
  • 懒人周末
  • 微博相机
  • 豆瓣阅读
  • CamCard
  • SegmentFault
  • 炒股公开课
  • 股市热点
  • 新三板
  • 滴滴司机
  • OPlayer
  • 电话归属地助手
  • 愤怒的小鸟2
  • 夫妻床头话
  • 穷游
  • 我叫MT
  • 我叫MT 2
  • 自由之战
  • Mercury
  • WinZip
  • Musical.ly
  • PDFReader
  • guaji_gangtai en
  • Perfect365
  • 网易云音乐
  • PDFReader Free
  • WhiteTile
  • IHexin
  • WinZip Standard
  • MoreLikers2
  • MobileTicket
  • iVMS-4500
  • OPlayer Lite
  • QYER
  • golfsense
  • 同花顺
  • installer
  • 下厨房
  • golfsensehd
  • Wallpapers10000
  • CSMBP-AppStore
  • 礼包助手
  • MSL108
  • ChinaUnicom3.x
  • TinyDeal.com
  • snapgrab copy
  • iOBD2
  • PocketScanner
  • CuteCUT
  • AmHexinForPad
  • SuperJewelsQuest2
  • air2
  • InstaFollower
  • baba
  • WeLoop
  • DataMonitor
  • 爱推
  • MSL070
  • nice dev
  • immtdchs
  • OPlayer
  • FlappyCircle
  • 高德地图
  • BiaoQingBao
  • SaveSnap
  • Guitar Master
  • jin
  • WinZip Sector
  • Quick Save

Authors

David Richardson

Vice President of Product, Endpoint and Security

David Richardson has been building software to help individuals and enterprises secure mobile devices for over a decade. David currently leads the endpoint product management team and the security team at Lookout. He has 45 patents issued related to mobile security. He is a frequent speaker at security conferences on the topic of iOS and Android security.

Threat Type: Malware
Entry Type: Threat Summary
Platform(s) Affected: iOS
