XcodeGhost: a new malware infecting many popular iOS apps


A few dozen iPhone and iPad applications, most of them developed for China, have been infected with XcodeGhost, a malware that collects information on the devices and uploads that data to remote servers.

Among them is WeChat, one of the most popular instant messaging applications in the world.

Rather than exploit an iOS vulnerability, the malware in question sneaks its way into apps indirectly, by targeting Apple’s official compilers used to create legitimate apps. The malware was found to inject its malicious code into a Mach-O object file that was repackaged into some versions of Xcode, Apple’s official tool for developing iOS and OS X apps.

These Trojanized Xcode installers were then uploaded to Baidu’s cloud file sharing service used by Chinese app developers, explains Palo Alto Networks. The malicious code then inserts itself into any iOS app compiled with the infected Xcode without the developers’ knowledge.

It’s not Apple’s fault, really: this would never have happened had these developers downloaded Xcode directly from Apple. Baidu has since removed all of the infected files from its servers, and some of the infected apps have since removed the malicious code in their latest builds.

This is the sixth piece of malware known to have made it into the official App Store, after LBTM, InstaStock, FindAndCall, Jekyll and FakeTor.

XcodeGhost’s malicious code isn’t particularly harmful, which explains how it could pass the App Store screening process. Apps infected with XcodeGhost collect the following data from users’ devices:

  • Current time
  • Current infected app’s name
  • The app’s bundle identifier
  • Current device’s name and type
  • Current system’s language and country
  • Current device’s UUID
  • Network type

But why on Earth would a legitimate iOS developer download the official Xcode files from a non-Apple source, you ask. Blame it on slow download speeds in China and in some other places around the world.

“Sometimes network speeds are very slow when downloading large files from Apple’s servers,” Palo Alto Networks explains. “As the standard Xcode installer is nearly 3GB, some Chinese developers choose to download the package from other sources or get copies from colleagues.”

In addition, attackers do not need to trick developers into downloading untrusted Xcode packages. Instead, they can “write an OS X malware that directly drops a malicious object file in the Xcode directory without any special permission.”

While WeChat 6.2.5 has been verified to be infected, its developer has since bumped the app to version 6.2.6, removing the malicious code.

All told, the publication has identified as many as 39 popular iOS apps as being infected, “some of which are extremely popular in China and in other countries around the world, comprising hundreds of millions of users.”

Trojanized apps range from instant messaging software and banking and carrier apps to mapping programs, stock trading apps and games. With the exception of WeChat, most, if not all, of the infected apps are made for China, including Didi Chuxing, Railway 12306, Tonghuashun and China Unicom Mobile Office, the official app of the biggest mobile carrier in China, China Mobile.

Some are also available from the App Store in other countries, such as CamCard, a business card reader and scanner.

Again, this type of malware seems to be mostly targeting apps developed for the Chinese market. But as certain apps written by Chinese developers gain in popularity around the world (we’re looking at you, WeChat!), iPhone and iPad users should be aware of this new type of malware infection, even if there’s nothing they can do about it.

Developers should make sure they download Xcode directly from Apple and avoid using Xcode builds obtained from third-party sources that may have been infected by this malware. As an additional precaution, developers should regularly check their installed Xcode’s code signing integrity, so that any modification of Xcode by other OS X malware is caught before it reaches a build.
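One way to perform that integrity check, as an added example that is not part of the article or of Palo Alto Networks’ own material: the script below runs Gatekeeper’s assessment (`spctl --assess`) and a deep, strict `codesign` verification against the installed Xcode bundle, and reduces the result to a single verdict a build pipeline can branch on. It assumes Xcode lives at /Applications/Xcode.app (pass another path as the first argument) and must be run on OS X, where those tools exist.

```shell
#!/bin/sh
# Added example: verify that the installed Xcode still carries Apple's valid
# code signature before building with it. Assumes the default install path;
# override it with the first argument.
XCODE_APP="${1:-/Applications/Xcode.app}"

# Reduce spctl output to one verdict word: accepted, rejected or error.
# spctl reports "<path>: accepted" or "<path>: rejected" followed by a
# "source=..." line; anything else (tool missing, bad path) is an error.
spctl_verdict() {
    case "$1" in
        *": accepted"*) printf 'accepted\n' ;;
        *": rejected"*) printf 'rejected\n' ;;
        *)              printf 'error\n' ;;
    esac
}

# Run Gatekeeper's assessment of the bundle and print the verdict. A bundle
# whose contents were altered after signing (for example a replaced object
# file inside a framework) no longer validates and is reported as rejected.
assess_xcode() {
    out=$(spctl --assess --verbose "$1" 2>&1) || true
    spctl_verdict "$out"
}

# Strict verification of every nested code object inside the bundle.
# Exit status 0 means each nested binary still matches its signed seal.
verify_xcode_deep() {
    codesign --verify --deep --strict --verbose=2 "$1"
}

check_xcode() {
    verdict=$(assess_xcode "$1")
    printf 'Gatekeeper assessment of %s: %s\n' "$1" "$verdict"
    if [ "$verdict" != "accepted" ]; then
        echo "Do not build with this Xcode; reinstall it from Apple." >&2
        return 1
    fi
    if ! verify_xcode_deep "$1"; then
        echo "Nested signature check failed: the bundle was modified." >&2
        return 1
    fi
    echo "Xcode code signature intact."
}

# Only run the check where the Apple tools exist (i.e. on OS X).
if command -v spctl >/dev/null 2>&1; then
    check_xcode "$XCODE_APP"
fi
```

A non-zero exit status from `check_xcode` is the signal to stop the build and reinstall Xcode from Apple rather than trust the local copy.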

Source: Palo Alto Networks