Apple lists top 25 apps infected by XcodeGhost


Apple today refreshed its official XcodeGhost FAQ webpage, listing the top 25 iPhone and iPad apps on the App Store that contain the widely reported though mostly harmless XcodeGhost malware.

In addition to WeChat, one of the top messaging apps in the world, Rovio’s Angry Birds 2 and China Unicom’s Customer Service app, most of the listed apps are distributed on the Chinese App Store only.

“If users have one of these apps, they should update the affected app which will fix the issue on the user’s device,” writes the company. “If the app is available on App Store, it has been updated, if it isn’t available it should be updated very soon.”

Apple has pulled many of the infected apps and said it’s working closely with developers to get impacted apps back on the App Store.

The Cupertino firm underscores that after the top 25 impacted apps, the number of impacted users “drops significantly”.

The full list of the top 25 apps affected by XcodeGhost is as follows:

  • WeChat
  • DiDi Taxi
  • 58 Classified – Job, Used Cars, Rent
  • Gaode Map – Driving and Public Transportation
  • Railroad 12306
  • Flush
  • China Unicom Customer Service (Official Version)
  • CarrotFantasy 2: Daily Battle
  • Miraculous Warmth
  • Call Me MT 2 – Multi-server version
  • Angry Bird 2 – Yifeng Li’s Favorite
  • Baidu Music – A Music Player that has Downloads, Ringtones, Music Videos, Radio, and Karaoke
  • DuoDuo Ringtone
  • NetEase Music – An Essential for Radio and Song Download
  • Foreign Harbor – The Hottest Platform for Oversea Shopping
  • Battle of Freedom (The MOBA mobile game)
  • One Piece – Embark (Officially Authorized)
  • Let’s Cook – Recipes
  • Heroes of Order & Chaos – Multiplayer Online Game
  • Dark Dawn – Under the Icing City (the first mobile game sponsored by Fan BingBing)
  • I Like Being With You
  • Himalaya FM (Audio Book Community)
  • CarrotFantasy
  • Flush HD
  • Encounter – Local Chatting Tool

Some of these apps are no longer on the App Store while others, like WeChat, are available as their developers have issued timely updates that get rid of the malware.

“After the top 25 impacted apps, the number of impacted users drops significantly,” says Apple. Of course, these are just the top 25 apps that contain the malware as there are undoubtedly many more lesser known apps infected by XcodeGhost.

Estimates by independent researchers like FireEye Labs and SourceDNA range from 1,000 to more than 4,000 App Store apps containing the malware.

“As of September 21, 2015, we found 28 percent of apps that contain XcodeGhost are still live,” SourceDNA writes. “We also found that 40 percent of apps that had it are still unavailable, while 32 percent have been fixed and re-released.”

XcodeGhost uses a rogue version of Apple’s Xcode tool for iOS and OS X development to inject its payload into apps. Developers in countries like China have downloaded these infected Xcode builds from China’s Baidu servers because multi-gigabyte Xcode downloads from the Mac App Store initiated within China are slow.

“Sometimes developers search for our tools on other, non-Apple sites in an effort to find faster downloads of developer tools,” Apple explains.

Apple has since provided instructions for developers to check if their Xcode copy has been tampered with and has promised to soon offer local Xcode downloads in China in order to minimize exposure to the malware.
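Apple's validation guidance relies on Gatekeeper's `spctl --assess` check of the Xcode bundle, which reports whether the app is accepted and which signing source it came from. The shell script below is an added example, not Apple's text or code from this article: it runs that assessment and treats Xcode as genuine only when it is accepted and signed through an Apple source; the install path `/Applications/Xcode.app` and the sample outputs are assumptions.

```shell
#!/bin/sh
# Added example: wraps Gatekeeper's `spctl --assess` check of Xcode.app.
# Assumption: Xcode lives at /Applications/Xcode.app (override via XCODE_APP).
XCODE_APP="${XCODE_APP:-/Applications/Xcode.app}"

# Pure check on the text spctl prints, so it can be exercised without macOS.
# Passes only if the bundle line ends in "accepted" AND the signing source is
# one Apple ships through: "Mac App Store", "Apple" or "Apple System".
# A rejected, unsigned or re-signed (other identity) bundle fails the check.
xcode_assessment_ok() {
    assessment="$1"
    printf '%s\n' "$assessment" | grep -q ': accepted$' || return 1
    printf '%s\n' "$assessment" \
        | grep -Eqx 'source=(Mac App Store|Apple|Apple System)' || return 1
    return 0
}

# Runs the live assessment. Returns 0 if Xcode looks genuine, 1 otherwise.
check_xcode() {
    if ! out="$(spctl --assess --verbose "$XCODE_APP" 2>&1)"; then
        # spctl exits non-zero on rejection; still show its reason.
        printf 'REJECTED (tampered or unsigned): %s\n%s\n' "$XCODE_APP" "$out"
        return 1
    fi
    if xcode_assessment_ok "$out"; then
        printf 'OK: %s\n%s\n' "$XCODE_APP" "$out"
        return 0
    fi
    # Accepted by Gatekeeper but not signed via an Apple source.
    printf 'UNEXPECTED SIGNER: %s\n%s\n' "$XCODE_APP" "$out"
    return 1
}

# Only run the live check where spctl exists (macOS).
if command -v spctl >/dev/null 2>&1; then
    check_xcode
fi
```

A copy obtained from a third-party mirror that was repackaged or re-signed will either be rejected outright or show a non-Apple source, and the script flags both.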

“We’re working to make it faster for developers in China to download Xcode betas,” said the firm.

Trojanized apps have been found to send usage data collected from infected devices to the cloud, much like many advertising networks do. XcodeGhost can also pop up a custom alert box, but cannot accept input from the user through it.

However, the malware is capable of opening arbitrary URLs, which can be a problem as these URLs can contain phishing webpages for stealing credentials for services like Apple ID, Facebook, eBay, PayPal and more, or forward users to an enterprise-signed malicious app that can be installed on non-jailbroken devices.

Source: Apple