September 21, 2015

Updated: XcodeGhost iOS malware: The list of affected apps and what you should do

Researchers recently found a piece of iOS malware called XcodeGhost in a number of apps in the Apple App Store. The creator(s) of XcodeGhost were able to sneak the malicious code into these apps without the app developers’ knowledge. The affected apps include popular consumer apps like WeChat and CamCard, which shows that XcodeGhost could impact potentially hundreds of millions of victims.

What is XcodeGhost?

XcodeGhost is a piece of malware that can steal data and potentially trick people into providing personally identifiable information. The creator(s) behind XcodeGhost were able to repackage a tool used by legitimate iOS and OS X developers to create apps. When those developers created their apps using this tampered-with tool, they unknowingly inserted malware into their apps, though the developers did need to knowingly disable some security checks in order to use this tool.

The malware made its way into a growing list of apps that were published live to the Apple App Store. Our understanding is that Apple is working to remove these apps from the App Store.

How might it affect me?

The malware takes information off the device, such as the device’s name, country, and unique identifiers. According to Palo Alto Networks, it may also have the ability to push dialogue boxes to your iPhone or iPad’s screen. Theoretically, a bad guy could use one of these dialogues to steal your username and password or other personal information.

The malware may also be able to open websites in your mobile browser, which could be used for a variety of malicious purposes, again including phishing and installing other potentially malicious software.

Does Lookout protect me?

For our customers still running iOS 8 or under, we will detect apps running this malicious code and alert you to their presence.

Unfortunately, due to limitations Apple has placed on apps on the iOS platform, Lookout Mobile Security for consumers is not able to detect whether you have an infected app installed in iOS 9. Apple has made recent changes to iOS that make it more difficult for one app to understand which other apps are present on the device. We are always looking for new ways to protect iOS devices from malware and hope to be able to improve our detection capabilities in the future.

In the meantime, we recommend the following:

  • If you have one of the apps listed below, update it if an update is available, or delete it immediately and wait until the developer releases a new version with the malicious code removed.
  • If one of these apps is running on your device, we also recommend that you change your Apple ID password and be wary of any suspicious emails or push notifications to your device asking for personal information.
  • In general, be wary of apps pushing dialogue boxes to your screen asking for personal information without first being aware of who is asking for it.
  • If you have used your Apple ID password on any other accounts, you should change the password for those accounts, too.

What are the apps?

We are actively adding apps to the list below that Lookout has independently confirmed to be affected by XcodeGhost. This list is not exhaustive and we will be maintaining it below, including information on whether it has been patched and what you should do.

To check if a developer has pushed an update to the app, go to the Apple App Store on your device, navigate to that app, and look for an “Update” button. If you are running the latest version of an app, this button will say “Open” instead of “Update.”

铁路12306

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 2.11

同花顺

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 9.62.01

同花顺HD

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 5.84.01

疯狂的宠物-史上第一宠物,宠物逃跑冒险捕捉大作战游戏

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.3.9

Crazy Fishing Saga-use different kinds of weapon to catch many fishes

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 2.1.5

Crazy Fish 2- 100 levels of funny fishing game

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.1.8

pop owls-crazy pop super star game

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.0.8

Candy Crazy Fish - running fishes VS magic weapons

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.0.7

Sea Diamond – Crazy diamond stars pop crush game

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.0.6

Fishing Ares-Enjoy fish joy and pass 100 levels

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.0.3

Pet Forest-crazy pop style puzzle game

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.0.7

Multi-Attach Mail – Multiple Attachments Solutions

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 2.4

CamCard Business

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.8.2

CamScanner Free| PDF Document Scanner and OCR

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 3.8.2

CamScanner +| PDF Document Scanner and OCR

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 3.8.2

Cam Scanner Pro

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 3.8.2

WeChat

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 6.2.6

WinZip – The leading zip unzip and cloud file management tool

  • Action: Update to the latest version
  • Current Status: Patched
  • Last version checked: 4.3

网易云音乐-好口碑,电台FM歌曲下载必备

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 2.9.0

OPlayerHD Lite

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 2.1.03

网易公开课 – 教育视频平台、名校名师名课、TED演讲、优质纪录片

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 4.2.9

中国联通手机营业厅(官方版)

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 3.3

愤怒的小鸟2-李易峰至爱手游

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 2.2.1

BitBox 音乐播放器

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.0.1

GNum - Connecting The World To You

  • Action: Update to the latest version
  • Current Status: Patched
  • Last version checked: 5.0.100000621

10000+ Wallpapers for iOS 8, iOS 7, iPhone, iPod and iPad

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 3.7

喜马拉雅FM(Podcasts)儿童故事评书股票财经郎眼radio

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 4.3.20

开眼 (Eyepetizer) – 精选视频推介,每天大开眼界

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.8.1

股市热点

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 2.41.01

懒人周末 - 每个周末都是惊喜

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.3.1

LifeSmart

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.0.46

Excavator Stunt 2015

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 2.1.2

Little Miss Party Girls - Music Festival Salon

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.2

Celebrity Fashion Stylist Salon

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.1

电话号码归属地助手

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 3.6.6

夫妻床头话-两性资讯交友社区情趣体验私密话题

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 2.1

Maya - Mysterious Realm Free Slots Vegas Casino

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.1

Beauty Salon Monster Girls Makeover

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.5

Foscam

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.5.0

自由之战-真·5V5(第一MOBA手游)

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.1.1

Device Tracker for iPhone & iPad

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 2.0

Free Calls & Text by Mo+, Free Local and International Phone Calling and Messaging App

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 3.0.1

MyChevy – By Shanghai Wangfan Information Trans Co., Ltd.

  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 3.2

爱推

  • Action: Uninstall immediately
  • Current Status: Still malicious
  • Last version checked: 1.1.5

Magic Likes & Liker for Instagram - Get More Free Instagram Likes & Followers

  • Action: Uninstall immediately
  • Current Status: Still malicious
  • Last version checked: 1.0.4

Crazy Bubble OL

  • Action: Uninstall immediately
  • Current Status: Still malicious
  • Last version checked: 1.2.00

Parking 3D

  • Action: Uninstall immediately
  • Current Status: Still malicious
  • Last version checked: 5.3.1

Other companies have suggested that there are hundreds to thousands of apps that may be affected. We are working to independently confirm these apps are malicious:

  • 网易云音乐
  • 微信
  • 讯飞输入法
  • 滴滴出行
  • 滴滴打车
  • 铁路12306
  • 下厨房
  • 51卡保险箱
  • 中信银行动卡空间
  • 中国联通手机营业厅
  • 高德地图
  • 简书
  • 开眼
  • Lifesmart
  • 网易公开课
  • 马拉马拉
  • 药给力
  • 喜马拉雅
  • 口袋记账
  • 同花顺
  • 快速问医生
  • 懒人周末
  • 微博相机
  • 豆瓣阅读
  • CamCard
  • SegmentFault
  • 炒股公开课
  • 股市热点
  • 新三板
  • 滴滴司机
  • OPlayer
  • 电话归属地助手
  • 愤怒的小鸟2
  • 夫妻床头话
  • 穷游
  • 我叫MT
  • 我叫MT 2
  • 自由之战
  • Mercury
  • WinZip
  • Musical.ly
  • PDFReader
  • guaji_gangtai en
  • Perfect365
  • 网易云音乐
  • PDFReader Free
  • WhiteTile
  • IHexin
  • WinZip Standard
  • MoreLikers2
  • MobileTicket
  • iVMS-4500
  • OPlayer Lite
  • QYER
  • golfsense
  • 同花顺
  • installer
  • 下厨房
  • golfsensehd
  • Wallpapers10000
  • CSMBP-AppStore
  • 礼包助手
  • MSL108
  • ChinaUnicom3.x
  • TinyDeal.com
  • snapgrab copy
  • iOBD2
  • PocketScanner
  • CuteCUT
  • AmHexinForPad
  • SuperJewelsQuest2
  • air2
  • InstaFollower
  • baba
  • WeLoop
  • DataMonitor
  • 爱推
  • MSL070
  • nice dev
  • immtdchs
  • OPlayer
  • FlappyCircle
  • 高德地图
  • BiaoQingBao
  • SaveSnap
  • Guitar Master
  • jin
  • WinZip Sector
  • Quick Save

119 comments
  1. Bruce Wayne says:

    Thank you kindly for the list, and for maintaining it.
    Very helpful!

  2. Ronay says:

    My iPad has a separate phone # from my iPhone 6plus, however, recently my iPad is using the same phone number as my phone. The SIM card is different but still I’m wondering what to do next. I’ve kept calling Verizon about issues with my Apple devices and they can only help me to a limit if my phone had a software problem or cloned I can’t get a diagnostics to Apple or a real location in maps. Must be a ghost!

    • Raymond says:

      A couple at my school both got new iPhones with the latest iOS on them and there is a setting in the iOS that lets you combine devices that are logged in with the same Apple ID account. This is a new feature of iOS and I figured out how to help them turn it off, but can’t remember what it is now. Look through the settings.

  3. Mary C says:

    Thanks for the heads up and the list. Great work folks!

  4. Security alert: XcodeGhost iOS malware detected. What should I do?

  5. Barry Allen says:

    What do I have to do if Lookout prevents me that some of my apps are infected by XcodeGhost, but I don’t have any app of the list?

    • Meghan Kelly says:

      Hey Barry – not sure what’s going on here. Reach out to support [at] lookout [dot] com and include the email address associated with your Lookout account. Thanks!

  6. Delfino Galan says:

    I would like to know how to uninstall an app from my iPad; I try and I can’t manage it. Thanks.

  7. Millie says:

    It genuinely scares me that I’ve had 2 of these before.

  8. Nath King says:

    Hey, Thanks for the update and protecting my phone from several bugs and problems, this app is very helpful

  9. Mubashir says:

    Thanks to Apple company for taking action immediately

  10. Heather Petit says:

    Thank you for maintaining this list, and for letting us all know. There’s no one else who could have warned me of anything at all. Should that make it seem odd that you are the only one who DID warn me? No. It simply means that you’re on the ball.

  11. Jacqueline Scruggs says:

    This is a very good app. Keeps me up to date and alert. Glad my friend told me about this app.

  12. frank says:

    I got an email from a record company for one of my songs. They asked for my info, name, date of birth, etc., then my passport number. This isn’t the malware, right? It came straight from the record company.

  13. Brenda says:

    If I have this on my phone, do I need to uninstall it? Or, has it already been fixed?

    • Meghan Kelly says:

      If you have any of the apps listed on your device that are noted to still be malicious, you should uninstall. If it has already been patched, you should update to the latest version of that application. Hope that helps!

  14. A Torres says:

    Thank God! I was pretty surprised about this iOS malware.

  15. Karl says:

    What if I had the app on both my devices when the xghost was on the app but have synced removed the apps? I had the winzip app on both my iPad and iPhone. My iPhone’s auto brightness setting messes up sometimes and makes my phone do stuff. Since your app can’t detect things now how do I know if I have the malware on my iPhone?

    • Meghan Kelly says:

      Hi Karl, if you’ve removed the app from your devices, you should be fine. Alternatively, if the developer has updated the app to remove the malware, you could reinstall or update the app to get the clean version.

  16. sunshine girl says:

    I keep getting an email notice about this but I’m not sure what to do. I don’t have any of the listed apps on any of my devices. I have triple checked. Is there something else I need to check?

    • Meghan Kelly says:

      Hi there, if you encounter Brain Test we will alert you on your device with specific instructions regarding the offending app. Are you receiving an email regarding Brain Test? Please feel free to reach out to our support team directly and include the email address associated with your Lookout account! support [at] lookout [dot] com

  17. Thomas says:

    I have Mercury on my iPad, older version, and have had oPlayer on my iPad too, since removed.
    Can you tell me if the older version of Mercury Browser v7.4.1 also has this malware? I’m still using it, from several years ago.

    Also, are you sure if the Malware App is removed, that no remnants of the infection were not left behind?

    • Meghan Kelly says:

      Hi, Thomas. Unfortunately, we don’t have information on the Mercury Browser at this time, but would generally recommend that you update your software to the latest version available in any case. Many software updates include important security patches — related and unrelated to malware threats — that are important to have.

      In terms of XcodeGhost, yes, removing the app means you’ve removed the infection as well. Hopefully this helps!

  18. Karla Hornung says:

    I have received two of your notices. I cannot find any of the apps on my iPhone or iPad, but I have noticed my iPad’s volume is suddenly louder and making a funny noise when I turn it off. What is going on?

    • Meghan Kelly says:

      Hi Karla, unfortunately this might simply be an issue with your device. I’d recommend contacting your carrier to see if they can help troubleshoot. Please also feel welcome to reach out to our support team support [at] lookout [dot] com and include the email address associated with your Lookout account.

  19. I have PDF Reader but I have contacts being removed, tried to do a reset on my iPhone 4 operating on iOS 7 and there is a pass code I did not put in so I have been hacked and paying Lookout Plus just added McAfee Mobile so wonder what went wrong and on the iPhone s 5 I just got to replace this one how am I to keep protected?

    • Meghan Kelly says:

      Hi Glenda, I’m not sure what’s going on here. Would you please reach out to our support team and include the email address associated with your Lookout account? support [at] lookout [dot] com
