| Researchers September 20, 2015


September 20, 2015

Hundreds of millions of devices potentially affected by first major iOS malware outbreak

By Aaron Cockerill

XcodeGhost is the latest example that iOS devices, indeed any device, can be subject to attack and that even a highly-curated app store can contain malicious apps.
Lookout Mobile Threat Protection customers are already protected from this malware and do not need to take any further action. For customers using our consumer mobile security solution more information is available here.
XcodeGhost is malicious code inserted into iOS apps using a tampered version of Apple’s Xcode that steals data from iOS devices. The malicious code stealthily made its way into over a number of applications in the Apple App Store without the developers of those apps knowing. Indeed, it’s the largest attack on the App Store we’ve seen to date.
Chinese iOS developers discovered the malware, and it was further researched by Palo Alto Networks. The malicious code may have hundreds of millions of victims and is present in well-known apps such as WeChat, a globally-popular messaging app with over 600 million active users, 100 million of which are outside of the U.S.; and CamCard, a Chinese-created business card reader, that has gained global popularity.
The story is clear for both enterprises and individual users of the iOS platform: there is an increasing amount of data accessible through mobile devices and malicious actors are getting more sophisticated in their attack approach.
How did malware make it into the App Store?
XcodeGhost is an example of compiler malware. Instead of trying to create a malicious app and get it approved in the App Store, XcodeGhost’s creator(s) targeted Apple’s legitimate iOS/OSX app development tool called Xcode to distribute the malicious code in legitimate apps.
XcodeGhost’s creators repackaged Xcode installers with the malicious code and published links to the installer on many popular forums for iOS/OS X developers. Developers were enticed into downloading this tampered version of Xcode because it would download much faster in China than the official version of Xcode from Apple’s Mac App Store. When the developers installed what they thought was a safe Apple dev tool, they actually got a tampered version that would compile the malicious code alongside their actual app’s code.
These developers, unaware that their apps had been tampered with, then submitted those apps to the App Store for distribution to iOS devices.
What does it do?
Once a victim installs and launches apps packaged with this malicious code, the code will steal a number of pieces of information about the device, according to Palo Alto Networks, including:
  • Name of the infected app
  • App bundle identifier
  • Device’s name and type
  • Network information
  • Device’s “identifierForVendor”
It then encrypts this data and sends it back to a command and control (C&C) server.
Lookout is working to independently confirm claims that the malicious code can receive commands from its C&C to open specified URLS and send dialogue prompts to the victim’s screen, allegedly in an attempt to phish data, such as the victim’s Apple ID credentials.
What does this mean?
There are no perfect systems. While Apple has traditionally done an excellent job of keeping malware out of its App Store, malicious actors are always looking for new ways to break through. This is especially true as Apple’s iOS products continue to make headway in marketshare and are used by people and within organizations that may be targeted for attack.
XcodeGhost unfortunately shows that where there’s a will, there’s a way. Bad guys will always look toward potentially lucrative platforms and it’s safe to say iOS, with its popularity and security-reputation, is a target.
What should I do?
Enterprises need to know what kinds of risky and malicious apps are running on their networks to ensure that new threats to any platform are being surfaced and mitigated quickly. Ensuring that you or your employees only download apps from official app marketplaces like the App Store and Google Play are great places to start, despite the fact that malware does slip into them. These stores vet their apps much more heavily and are held to standards third-party app stores aren’t. The reality that no store is perfect, however, must highlight the need for another line of defense in the system.
Customers using our consumer app can read further tips and access a list of the affected apps here. This blog may be a good resource for enterprises to send out to employees. If you feel you may have phished by a threat like this we recommend changing your Apple account password immediately as well as any other account for which you used that password.

Author

Aaron Cockerill,
Chief Strategy Officer

Leave a comment

Submit


5 comments


Ranvir says:

June 10, 2016 at 7:57 pm

This is a very useful information for both of app owners and app developers. I have found this post very useful for me to take miracle in my future in app development profession. thanks for providing this informative post.


Ranvir says:

May 15, 2016 at 11:29 pm

Some apps brings lots of virus in phones. I have downloaded punjabi status app. due to this my phone always gets hang. can you advise me that how to get rid of this problem without deleting this app?


Meghan Kelly says:

May 20, 2016 at 3:30 pm

Hi Ranvir, please feel free to reach out to our support team! support [at] lookout [dot] com


Mike Brin says:

September 23, 2015 at 3:40 am

Very sad to know this, Even my phone has been affected by this virus. Basically I have installed 'we chat' app and it is affected with XcodeGhost. During iOS app development, we should take care with some security and all. Can you please let me know the important tips to secure mobile apps specially the iOS Apps now :p .


Allie says:

September 21, 2015 at 8:10 pm

Typo under what does this mean. *actors maybe it's supposed to be hackers


JohnB says:

September 21, 2015 at 2:41 am

Does the lookout app detect apps compiled with XcodeGhost?


Meghan Kelly says:

September 21, 2015 at 1:57 pm

Hi John, our enterprise product Mobile Threat Protection does detect these apps, however, there are nuances associated with our consumer product. See our blog for an explanation, tips, and a list of the affected apps here: https://blog.lookout.com/blog/2015/09/21/xcodeghost-apps/