September 21, 2015

Updated: XcodeGhost iOS malware: The list of affected apps and what you should do

By David Richardson

Researchers recently found a piece of iOS malware called XcodeGhost in a number of apps in the Apple App Store. The creator(s) of XcodeGhost were able to sneak the malicious code into these apps without the app developers’ knowledge. The affected apps include popular consumer apps like WeChat and CamCard, which means XcodeGhost could impact potentially hundreds of millions of victims.
What is XcodeGhost?
XcodeGhost is a piece of malware that can steal data and potentially trick people into providing personally identifiable information. The creator(s) behind XcodeGhost were able to repackage a tool used by legitimate iOS and OS X developers to create apps. When those developers built their apps using this tampered-with tool, they unknowingly inserted malware into their apps, though the developers did need to knowingly disable some security checks in order to use this tool.
The malware made its way into a growing list of apps that were published live to the Apple App Store. Our understanding is that Apple is working to remove these apps from the App Store.
How might it affect me?
The malware exfiltrates information from the device, such as the device’s name, country, and unique identifiers. According to Palo Alto Networks, it may also have the ability to push dialogue boxes to your iPhone or iPad’s screen. Theoretically, a bad guy could use one of these dialogues to steal your username and password or other personal information.
The malware may also be able to open websites in your mobile browser, which could be used for a variety of malicious purposes, again including phishing and installing other potentially malicious software.
Does Lookout protect me?
For our customers still running iOS 8 or earlier, we will detect apps running this malicious code and alert you to their presence.
Unfortunately, due to limitations Apple has placed on apps on the iOS platform, Lookout Mobile Security for consumers is not able to detect whether you have an infected app installed in iOS 9. Apple has made recent changes to iOS that make it more difficult for one app to understand which other apps are present on the device. We are always looking for new ways to protect iOS devices from malware and hope to be able to improve our detection capabilities in the future.
In the meantime, we recommend users:
  • If you have one of the apps listed below, update it if an update is available, or delete it immediately and wait until the developer releases a new version with the malicious code removed.
  • If one of these apps is running on your device, we also recommend that you change your Apple ID password and be wary of any suspicious emails or push notifications to your device asking for personal information.
  • In general, be wary of apps pushing dialogue boxes to your screen asking for personal information when you do not know who is asking for it.
  • If you have used your Apple ID password on any other accounts, you should change the password for those accounts, too.
What are the apps?
We are actively adding apps that Lookout has independently confirmed to be affected by XcodeGhost to the list below. This list is not exhaustive, and we will keep maintaining it, including information on whether each app has been patched and what you should do.
To check if a developer has pushed an update to the app, go to the Apple App Store on your device, navigate to that app, and look for an “Update” button. If you are running the latest version of an app, this button will say “Open” instead of “Update.”
铁路12306
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 2.11
 
同花顺
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 9.62.01
 
同花顺HD
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 5.84.01
 
疯狂的宠物-史上第一宠物,宠物逃跑冒险捕捉大作战游戏
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.3.9
 
Crazy Fishing Saga-use different kinds of weapon to catch many fishes
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 2.1.5
 
Crazy Fish 2- 100 levels of funny fishing game
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.1.8
 
pop owls-crazy pop super star game
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.0.8
 
Candy Crazy Fish - running fishes VS magic weapons
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.0.7
 
Sea Diamond - Crazy diamond stars pop crush game
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.0.6
 
Fishing Ares-Enjoy fish joy and pass 100 levels
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.0.3
 
Pet Forest-crazy pop style puzzle game
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.0.7
 
Multi-Attach Mail - Multiple Attachments Solutions
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 2.4
 
CamCard Business
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.8.2
 
CamScanner Free| PDF Document Scanner and OCR
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 3.8.2
 
CamScanner +| PDF Document Scanner and OCR
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 3.8.2
 
Cam Scanner Pro
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 3.8.2
 
WeChat
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 6.2.6
 
WinZip - The leading zip unzip and cloud file management tool
  • Action: Update to the latest version
  • Current Status: Patched
  • Last version checked: 4.3
 
网易云音乐-好口碑,电台FM歌曲下载必备
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 2.9.0
 
OPlayerHD Lite
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 2.1.03
 
网易公开课 - 教育视频平台、名校名师名课、TED演讲、优质纪录片
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 4.2.9
 
中国联通手机营业厅(官方版)
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 3.3

愤怒的小鸟2-李易峰至爱手游
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 2.2.1

BitBox 音乐播放器
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.0.1
 
GNum - Connecting The World To You
  • Action: Update to the latest version
  • Current Status: Patched
  • Last version checked: 5.0.100000621
 
10000+ Wallpapers for iOS 8, iOS 7, iPhone, iPod and iPad
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 3.7
 
喜马拉雅FM(Podcasts)儿童故事评书股票财经郎眼radio
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 4.3.20
 
开眼 (Eyepetizer) - 精选视频推介,每天大开眼界
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.8.1
 
股市热点
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 2.41.01
 
懒人周末 - 每个周末都是惊喜
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.3.1
 
LifeSmart
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.0.46

Excavator Stunt 2015
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 2.1.2
 
Little Miss Party Girls - Music Festival Salon
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.2

Celebrity Fashion Stylist Salon™
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.1
 
电话号码归属地助手
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 3.6.6
 
夫妻床头话-两性资讯交友社区情趣体验私密话题
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 2.1
 
Maya - Mysterious Realm Free Slots Vegas Casino
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.1
 
Beauty Salon Monster Girls Makeover
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.5
 
Foscam
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.5.0
 
自由之战-真·5V5(第一MOBA手游)
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 1.1.1
 
Device Tracker for iPhone & iPad
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 2.0
 
Free Calls & Text by Mo+, Free Local and International Phone Calling and Messaging App
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 3.0.1
 
MyChevy - By Shanghai Wangfan Information Trans Co., Ltd.
  • Action: Update to latest version
  • Current Status: Patched
  • Last version checked: 3.2
 
爱推
  • Action: Uninstall immediately
  • Current Status: Still malicious
  • Last version checked: 1.1.5
 
Magic Likes & Liker for Instagram - Get More Free Instagram Likes & Followers
  • Action: Uninstall immediately
  • Current Status: Still malicious
  • Last version checked: 1.0.4
 
Crazy Bubble OL
  • Action: Uninstall immediately
  • Current Status: Still malicious
  • Last version checked: 1.2.00
 
Parking 3D
  • Action: Uninstall immediately
  • Current Status: Still malicious
  • Last version checked: 5.3.1
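
For teams that manage many iOS devices, the list above can be applied to an app inventory. The following is an added example, not Lookout's code: it copies a few entries from the list, assumes inventory rows of device, app display name and installed version (a hypothetical export format), and assumes that a version older than the "last version checked" still needs the update.

```python
import re

# A few entries copied from the confirmed list above:
# display name -> (status, last version checked by Lookout).
CONFIRMED = {
    "wechat": ("patched", "6.2.6"),
    "winzip": ("patched", "4.3"),
    "camcard business": ("patched", "1.8.2"),
    "oplayerhd lite": ("patched", "2.1.03"),
    "parking 3d": ("still malicious", "5.3.1"),
    "crazy bubble ol": ("still malicious", "1.2.00"),
}

def parse_version(text):
    """'2.1.03' -> (2, 1, 3). Trailing zeros are dropped so 1.2 == 1.2.00."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def triage(inventory):
    """Map (device, app, installed_version) rows to the actions used in the list."""
    findings = []
    for device, app, installed in inventory:
        entry = CONFIRMED.get(app.strip().casefold())
        if entry is None:
            continue  # not on the confirmed list
        status, checked = entry
        have, seen = parse_version(installed), parse_version(checked)
        if status == "still malicious":
            # Newer than the last version checked: status unknown, re-verify.
            action = "recheck" if have > seen else "uninstall"
            findings.append((device, app, action))
        elif have < seen:
            # Older than the version confirmed patched (assumed to need the update).
            findings.append((device, app, "update"))
    return findings

# Constructed sample rows, in the shape an app-inventory export might have.
SAMPLE_INVENTORY = [
    ("ipad-014", "WeChat", "6.2.5"),
    ("ipad-014", "WinZip", "4.3.0"),
    ("iphone-203", "Parking 3D", "5.3.1"),
    ("iphone-377", "OPlayerHD Lite", "2.1.3"),
    ("iphone-377", "Crazy Bubble OL", "1.3"),
    ("iphone-377", "Notes", "1.0"),
]

if __name__ == "__main__":
    for device, app, action in triage(SAMPLE_INVENTORY):
        print(f"{device}: {app} -> {action}")
```

Matching on display names is fragile because store titles vary by region; where the inventory carries bundle identifiers, match on those instead.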

Other companies have suggested that there are hundreds to thousands of apps that may be affected. We are working to independently confirm these apps are malicious:
  • 网易云音乐
  • 微信
  • 讯飞输入法
  • 滴滴出行
  • 滴滴打车
  • 铁路12306
  • 下厨房
  • 51卡保险箱
  • 中信银行动卡空间
  • 中国联通手机营业厅
  • 高德地图
  • 简书
  • 开眼
  • Lifesmart
  • 网易公开课
  • 马拉马拉
  • 药给力
  • 喜马拉雅
  • 口袋记账
  • 同花顺
  • 快速问医生
  • 懒人周末
  • 微博相机
  • 豆瓣阅读
  • CamCard
  • SegmentFault
  • 炒股公开课
  • 股市热点
  • 新三板
  • 滴滴司机
  • OPlayer
  • 电话归属地助手
  • 愤怒的小鸟2
  • 夫妻床头话
  • 穷游
  • 我叫MT
  • 我叫MT 2
  • 自由之战
  • Mercury
  • WinZip
  • Musical.ly
  • PDFReader
  • guaji_gangtai en
  • Perfect365
  • 网易云音乐
  • PDFReader Free
  • WhiteTile
  • IHexin
  • WinZip Standard
  • MoreLikers2
  • MobileTicket
  • iVMS-4500
  • OPlayer Lite
  • QYER
  • golfsense
  • 同花顺
  • installer
  • 下厨房
  • golfsensehd
  • Wallpapers10000
  • CSMBP-AppStore
  • 礼包助手
  • MSL108
  • ChinaUnicom3.x
  • TinyDeal.com
  • snapgrab copy
  • iOBD2
  • PocketScanner
  • CuteCUT
  • AmHexinForPad
  • SuperJewelsQuest2
  • air2
  • InstaFollower
  • baba
  • WeLoop
  • DataMonitor
  • 爱推
  • MSL070
  • nice dev
  • immtdchs
  • OPlayer
  • FlappyCircle
  • 高德地图
  • BiaoQingBao
  • SaveSnap
  • Guitar Master
  • jin
  • WinZip Sector
  • Quick Save
 

Author

David Richardson, Director, Product Management


94 comments


Glenda Isbell says:

May 27, 2016 at 12:41 pm

I have PDF reader but I have contacts being removed, tried to do a reset on my iPhone 4 operating on iOS 7 and there is a pass code I did not put in so I have been hacked and paying Lookout plus just added McAfee mobile so wonder what went wrong and on the iPhone s 5 I just got to replace this one how am I to keep protected?


Meghan Kelly says:

June 06, 2016 at 9:52 am

Hi Glenda, I'm not sure what's going on here. Would you please reach out to our support team and include the email address associated with your Lookout account? support [at] lookout [dot] com


Karla Hornung says:

January 23, 2016 at 7:42 pm

I have received two of your notices. I cannot find any of the apps on my iPhone or iPad, but I have noticed my iPad's volume is suddenly louder and making a funny noise when I turn it off. What is going on?


Meghan Kelly says:

January 25, 2016 at 10:42 am

Hi Karla, unfortunately this might simply be an issue with your device. I'd recommend contacting your carrier to see if they can help troubleshoot. Please also feel welcome to reach out to our support team support [at] lookout [dot] com and include the email address associated with your Lookout account.


Thomas says:

January 19, 2016 at 10:48 am

I have Mercury on my iPad, older version, and have had oPlayer on my iPad too, since removed. Can you tell me if the older version of Mercury Browser v7.4.1 also has this malware? I'm still using it, from several years ago. Also, are you sure if the Malware App is removed, that no remnants of the infection were not left behind?


Meghan Kelly says:

February 03, 2016 at 4:12 pm

Hi, Thomas. Unfortunately, we don't have information on the Mercury Browser at this time, but would generally recommend that you update your software to the latest version available in any case. Many software updates include important security patches -- related and unrelated to malware threats -- that are important to have. In terms of XcodeGhost, yes, removing the app means you've removed the infection as well. Hopefully this helps!


sunshine girl says:

January 08, 2016 at 10:23 pm

I keep getting an email notice about this but I'm not sure what to do. I don't have any of the listed apps on any of my devices. I have triple checked. Is there something else I need to check?


Meghan Kelly says:

January 11, 2016 at 9:47 am

Hi there, if you encounter Brain Test we will alert you on your device with specific instructions regarding the offending app. Are you receiving an email regarding Brain Test? Please feel free to reach out to our support team directly and include the email address associated with your Lookout account! support [at] lookout [dot] com


Karl says:

November 25, 2015 at 3:52 pm

What if I had the app on both my devices when the xghost was on the app but have synced removed the apps? I had the winzip app on both my iPad and iPhone. My iPhone's auto brightness setting messes up sometimes and makes my phone do stuff. Since your app can't detect things now how do I know if I have the malware on my iPhone?


Meghan Kelly says:

December 04, 2015 at 3:04 pm

Hi Karl, if you've removed the app from your devices, you should be fine. Alternatively, if the developer has updated the app to remove the malware, you could reinstall or update the app to get the clean version.

