App Store contained dozens of apps infected by Xcode malware


After using a malicious Xcode version, developers have placed infected apps in Apple’s App Store that steal system data. The attack potentially affected millions of Chinese users, but apps used outside of China were also infected.

Security firm Palo Alto Networks posted an analysis of XcodeGhost on its website last week, following warnings about the malware from Chinese researchers the same week. Apple has confirmed the attack and told Reuters that it has removed the compromised apps from the App Store and is working with developers to ensure they are using a genuine Xcode version.

Attackers spread the XcodeGhost malware through a modified version of the Xcode IDE, which was available for download via Baidu's file-sharing service. That version, which circulated under version numbers 6.1 to 6.4, had a CoreServices component added: a Mach-O file used by the LLVM compiler. Because downloads from Baidu are sometimes faster than from Apple's servers, some developers chose to fetch Xcode through this unofficial route. They then compiled their apps with the modified Xcode and submitted them to the App Store, apparently without raising any alarm during app review.

In partnership with Fox-IT, Palo Alto Networks identified more than 50 apps that were infected. These included instant messaging, internet banking, stock trading, navigation and gaming apps. Some apps were particularly popular in China, such as chat app WeChat, which has hundreds of millions of users. Apps that were popular outside of China, such as CamCard and WinZip, were also affected. Both companies have published a list of affected apps.

The infected iOS apps collect system information such as the language setting, the device name and UUID of iPhones and iPads, and the network type. The data was sent to the criminals' command-and-control servers. The attackers could then push commands to the compromised smartphones and tablets to steal user data, hijack URLs and read the contents of the clipboard.

Developers are advised to download Xcode 7 or the Xcode 7.1 beta from Apple's site, and users should uninstall the apps on the published list and reset their passwords.
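A practical follow-up to that advice is to check that the Xcode copy already on a Mac carries Apple's signature. The script below is an added example and not part of the article; it wraps spctl, the Gatekeeper assessment tool that Apple's developer site pointed developers to after XcodeGhost, and treats any verdict other than "accepted" with an Apple or Mac App Store source as suspect. The default bundle path /Applications/Xcode.app and the output parsing are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): assess an Xcode.app bundle with spctl
# and classify the result. Assumption: Xcode lives at /Applications/Xcode.app.

# Classify the text spctl prints for a bundle.
# Prints "genuine" only when Gatekeeper accepted the bundle AND the recorded
# source is Apple or the Mac App Store; anything else (rejected, unsigned,
# re-signed with a Developer ID) prints "suspect".
classify_spctl_output() {
    out="$1"
    case "$out" in
        *"accepted"*"source=Mac App Store"*|*"accepted"*"source=Apple"*)
            echo "genuine" ;;
        *)
            echo "suspect" ;;
    esac
}

# Run the assessment against a bundle path. Returns 0 when genuine,
# 1 when suspect, 2 when spctl is not available (i.e. not running on macOS).
check_xcode() {
    app="${1:-/Applications/Xcode.app}"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available; cannot assess $app" >&2
        return 2
    fi
    out="$(spctl --assess --verbose "$app" 2>&1)"
    verdict="$(classify_spctl_output "$out")"
    echo "$app: $verdict"
    echo "$out"
    [ "$verdict" = "genuine" ]
}

# Usage: sh check_xcode.sh /Applications/Xcode.app
if [ "$#" -gt 0 ]; then
    check_xcode "$1"
fi
```

A "suspect" verdict on a machine that built App Store submissions during the affected period means the bundle should be deleted and reinstalled from Apple, and the apps rebuilt and resubmitted; a passing check only confirms the signature, not that every previously shipped build was clean.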

Update, 13:55: Palo Alto Networks' servers are down at the time of writing, but the list of compromised apps can be found here.
