Security

Apple to offer local Xcode downloads in China, posts official XcodeGhost malware FAQ

The XcodeGhost malware couldn't have arrived at a worse time for Apple, which launches the iPhone 6s and iPhone 6s Plus tomorrow. The company has already removed the App Store apps infected by the malware, which injects its payload into apps compiled with compromised copies of Xcode that were distributed from non-Apple servers in China.

On Wednesday, the Cupertino firm confirmed plans to mitigate the threat by hosting Xcode downloads on servers within China, removing the slow-download incentive that drove developers to third-party copies in the first place. Apple has also posted an XcodeGhost FAQ webpage on its Chinese website describing the malware and how customers might be affected by it.

Apple educates developers on validating Xcode downloads following XcodeGhost malware attack

A new type of attack called XcodeGhost is wreaking something of a mini-havoc in the App Store, injecting its malware payload into popular iPhone and iPad apps and prompting Apple to pull the infected apps.

The payload itself is limited to collecting and sending information about your device, but the method of spreading is cunning. Rather than target the App Store itself, the attackers distributed hacked versions of Xcode, Apple's required tool for iOS and OS X development.

Because Xcode is a multi-gigabyte download, developers in countries like China, where connections to Apple's servers are slow, downloaded these modified Xcode builds from non-Apple sources without realizing that the hacked Xcode injects malware into every app it compiles.

This morning, Apple emailed developers an update on the XcodeGhost situation, along with easy-to-follow instructions for checking whether their copy of Xcode has been tampered with.
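The check Apple described to developers is a Gatekeeper assessment of the Xcode bundle, `spctl --assess --verbose /Applications/Xcode.app`, which for a genuine copy prints `accepted` together with `source=Mac App Store`, `source=Apple` or `source=Apple System`. The script below is an added example, not code from the page or from Apple's email: it wraps that command so it can be run across many Macs, and keeps the verdict logic in a separate function so it can be exercised on constructed output. The `/Applications/Xcode.app` default path and the "ok"/"bad" verdict words are this example's own choices.

```shell
#!/bin/sh
# Added example (not Apple's own tooling): script the Gatekeeper assessment
# Apple asked developers to run on their Xcode copy.
#
# Genuine copies produce output like (constructed from Apple's documented cases):
#   /Applications/Xcode.app: accepted
#   source=Mac App Store        (or source=Apple, source=Apple System)
# A tampered copy produces "rejected" or a signature error instead.

# xcode_verdict: reads spctl output on stdin, prints "ok" when the bundle was
# accepted AND the signing source is Apple; prints "bad" otherwise.
# Returns 0 for ok, 1 for bad, so it can be used in shell conditions.
xcode_verdict() {
    out=$(cat)
    case "$out" in
        *"accepted"*)
            case "$out" in
                *"source=Mac App Store"*|*"source=Apple"*)
                    # "source=Apple" also covers "source=Apple System"
                    echo ok; return 0 ;;
            esac
            # Accepted, but signed by someone other than Apple (e.g. a re-signed copy).
            echo bad; return 1 ;;
        *)
            echo bad; return 1 ;;
    esac
}

# check_xcode [PATH]: run the real assessment on a Mac. Assumes the default
# install location when no path is given. Assessment of a multi-GB bundle
# can take a few minutes; stderr is merged because spctl reports rejections there.
check_xcode() {
    path=${1:-/Applications/Xcode.app}
    spctl --assess --verbose "$path" 2>&1 | xcode_verdict
}

if [ $# -gt 0 ]; then
    # Usage on a Mac:  sh check_xcode.sh /Applications/Xcode.app
    check_xcode "$1"
else
    # No path given: demonstrate the verdict logic on constructed sample output.
    printf '%s\n' '/Applications/Xcode.app: accepted' 'source=Mac App Store' | xcode_verdict
    printf '%s\n' '/Applications/Xcode.app: rejected' 'source=no usable signature' | xcode_verdict
fi
```

If the result is "bad", Apple's advice was to delete the copy and download Xcode again from the Mac App Store or the Apple Developer site; an "accepted" verdict only speaks to the bundle's signature, so it should be paired with rebuilding and resubmitting any apps that were compiled with the suspect copy.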

Apple begins removing apps infected with the XcodeGhost malware

Apple is fully aware of the recent malware attack on several of its App Store apps, according to an Apple rep that spoke with Reuters via email. It has begun removing all known apps that have been infected, and is working with developers affected by the breach.

XcodeGhost, which we covered yesterday, is malware embedded in several legitimate App Store apps. The apps were infected because their developers built them with an illegitimate copy of Xcode downloaded from a third-party server in China. Most of the infected apps are of Chinese origin, but a few of them, WeChat for one, are popular in other territories.

iOS 9 allows access to photos and contacts on a passcode locked iPhone – here’s how to prevent it

If you have an iPhone running iOS 9, you should be aware that it may be possible to access your photos and contacts on a locked device, even with a passcode and/or Touch ID enabled. I've always ignored reports on this sort of security flaw, because they always seem to pop up with every iOS iteration, and almost always require a user to jump through what seems like a million hoops.

But for some reason—call it boredom, or call it poor judgement—I got curious, and decided to try this out for myself. As it turns out, it's not that hard to do, and it certainly seems like a security flaw in iOS to me.

I debated on whether to post this, because obviously it's going to bring attention to a security flaw that might let people access information that they shouldn't be accessing.

For starters, please don't get bent out of shape over this. This does not expose any other contents of your iPhone outside of Contacts and Photos. People still can't unlock your device, read your messages, watch videos, etc. This only allows users to view your contacts, and look at your photos (not videos) through a limited interface. Photos cannot be forwarded or shared from your iPhone.

My hope is that a) this informs users that a passcode or Touch ID isn't necessarily enough to keep unwanted eyes off your photos and contacts, b) Apple will see this and provide a fix, and c) it shows you how to prevent the issue.

The thing is, this information is already out there, and the people who will use it for the bad probably already know about it. Consider this post an attempt to educate those who do not know about this iOS 9 security hiccup. Hopefully, it'll allow users to make smarter decisions about their iPhone's security.

XcodeGhost: a new malware infecting many popular iOS apps

A few dozen iPhone and iPad applications, most of them developed for the Chinese market, have been infected with XcodeGhost, a malware that collects information about the device and uploads that data to remote servers.

Among them is WeChat, one of the most popular instant messaging applications in the world.

Rather than exploit an iOS vulnerability, the malware sneaks its way into apps indirectly, by targeting the toolchain developers use to build legitimate apps. Its malicious code was found in a Mach-O object file that had been repackaged into some copies of Xcode, Apple's official tool for developing iOS and OS X apps.

These Trojanized Xcode installers were then uploaded to Baidu's cloud file-sharing service, which is widely used by Chinese app developers, explains Palo Alto Networks. The malicious code then inserts itself into any iOS app compiled with the infected Xcode, without the developers' knowledge.

It's not Apple's fault, really: this would never have happened had these developers downloaded Xcode directly from Apple. Baidu has since removed the infected files from its servers, and some of the affected apps have since shipped clean builds without the malware code.

iTunes 12.3 is out with support for iOS 9, El Capitan, two-factor Apple ID authentication and more

Following the release of the free iOS 9 software update, with new features and core OS enhancements for the iPhone, iPod touch and iPad, Apple on Wednesday also issued a matching update to iTunes for Mac and Windows PCs.

The new iTunes 12.3 introduces a design that matches OS X El Capitan, adds support for Apple IDs protected with two-factor authentication, and syncs with iPhone, iPod touch and iPad devices running iOS 9.

How to check to see if your iPhone is infected by the KeyRaider malware

DylibSearch is a new jailbreak app that helps you quickly check whether any known malicious tweaks, such as KeyRaider, are installed on your device. It does so by scanning the contents of the .dylib files in the MobileSubstrate DynamicLibraries directory (/Library/MobileSubstrate/DynamicLibraries), where tweaks are loaded from.

By searching those files for strings known to appear in malicious tweaks, DylibSearch can quickly tell you whether your iPhone is infected or give it a clean bill of health. This open-source tweak is available from a special third-party repo, which you'll find inside this post.
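The scan DylibSearch performs is a string search over every tweak library in the MobileSubstrate directory. The script below is an added example in that style, not DylibSearch's own code: it walks a directory of .dylib files and reports any that contain an indicator string from a list. The indicator strings and file contents in the demo are constructed placeholders, not KeyRaider's real signatures; the `DYLIB_DIR` default is the path tweaks are loaded from on a jailbroken device.

```shell
#!/bin/sh
# Added example (not DylibSearch's code): DylibSearch-style indicator scan of
# MobileSubstrate tweak libraries. Run over SSH on a jailbroken device, or on a
# copy of the directory pulled to a computer.

# Directory MobileSubstrate loads tweaks from; override with DYLIB_DIR=... for a copy.
DYLIB_DIR=${DYLIB_DIR:-/Library/MobileSubstrate/DynamicLibraries}

# scan_dylibs DIR PATTERN_FILE
#   Prints the path of every .dylib in DIR containing any line of PATTERN_FILE.
#   Like grep, returns 0 if anything matched and 1 if the directory is clean.
#   PATTERN_FILE must not contain empty lines: an empty pattern matches every file.
scan_dylibs() {
    dir=$1
    patterns=$2
    hits=1
    for f in "$dir"/*.dylib; do
        [ -f "$f" ] || continue          # no *.dylib at all: glob stays literal
        # -a: scan binaries as text, -F: fixed strings, -q: only exit status
        if grep -a -F -q -f "$patterns" "$f"; then
            echo "$f"
            hits=0
        fi
    done
    return $hits
}

# demo: build a constructed fixture (two fake dylibs and a placeholder IoC list)
# in a temp directory and scan it. Prints the one "infected" file.
demo() {
    tmp=$(mktemp -d)
    # Placeholder indicators for the demo, not real KeyRaider strings.
    printf '%s\n' 'PLACEHOLDER_IOC_1' 'PLACEHOLDER_IOC_2' > "$tmp/iocs.txt"
    printf 'benign tweak code' > "$tmp/clean.dylib"
    printf '\001\002 PLACEHOLDER_IOC_2 \003' > "$tmp/evil.dylib"
    scan_dylibs "$tmp" "$tmp/iocs.txt"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

if [ $# -gt 0 ]; then
    # Usage on a device:  sh scan_dylibs.sh /path/to/iocs.txt
    scan_dylibs "$DYLIB_DIR" "$1"
else
    demo
fi
```

Keep the indicator list in a separate file you can update as new malicious tweaks are published, and treat a clean result as "no known signature matched" rather than proof of a clean device: a tweak that obfuscates or encrypts its strings will not be caught by this kind of search.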

How to protect yourself from malicious jailbreak tweaks

As you guys know, there was a pretty significant iCloud account attack reported recently, in which nearly a quarter of a million iCloud accounts were exposed to potential compromise. The number of accounts that were actually hacked is up for debate, but it was fewer than half of the roughly 220,000 iCloud accounts exposed.

Of course, many took this attack as an opportunity to lecture about the reasons why we shouldn't jailbreak. While such a lecture isn't necessarily ill-intentioned, I think that most people who jailbreak understand that there are some inherent risks associated with doing so.

It's not like accidentally downloading an infected app on your computer, or an ill-advised click on a shady email link. Those who jailbreak generally know, at least in part, that there are security risks involved. The problem is, many don't understand that there are effective ways to protect themselves.

How do you go about ensuring that you're as safe as possible while maintaining a jailbroken iPhone? The following steps will show you how.

New details emerge on recent iCloud breach of jailbroken iPhones

Two days ago, we told you about an attack on jailbroken iPhones that compromised the accounts of some 220,000 iCloud users. New details have since emerged about the breach that confirm what we speculated in Tuesday evening's post.

The vast majority, if not all of the accounts, were of Chinese origin. On Wednesday morning, I personally confirmed this with someone directly in the know about the attack.

To that end, a website has been created where potential victims can check whether their account was compromised. That website is in Chinese, further underlining the origin of the attack and the region it affected.

In all, 105,275 of the 220,000 captured accounts were valid iCloud accounts. That means nearly half of the accounts captured contained working username and password combinations.

As speculated, this was indeed the result of a jailbreak tweak, but it was also self-inflicted: users themselves installed both the repo and the tweak responsible for the intrusion.

Report: 220,000 iCloud accounts breached due to jailbreak tweak backdoor

It's a number that's bound to raise some eyebrows: 220,000 iCloud accounts breached in what is being called a backdoor attack, made possible by a malicious jailbreak tweak.

This leak, which was brought to our attention by /r/jailbreak, was reported by WooYun, a Chinese online vulnerability-reporting platform where security researchers report vulnerabilities and vendors respond. WooYun is a legitimate site, and it has reported thousands of security-related issues in this month alone.

In a post on its website, WooYun details the nature of this particular attack, stating that 220,000 accounts have been compromised as a result of a malicious jailbreak tweak or plug-in. It also states that WooYun has notified the vendors (presumably Apple) and is awaiting their response.

It's sure to make any jailbroken iPhone user take note, but before you get too alarmed, understand that this hack has nothing to do with Apple's security, and that there appear to be special circumstances in the case of this breach.

Apple releases OS X 10.10.5 with patch for DYLD bug and other fixes

In addition to iOS 8.4.1, Apple on Thursday also released OS X Yosemite 10.10.5, a free update for Macs. The release follows two developer betas and a month of testing, and you can find it in the Updates tab of the Mac App Store.

Most notably, the update patches the privilege-escalation bug in dyld, OS X's dynamic linker, that was disclosed earlier this month: the DYLD_PRINT_TO_FILE environment variable introduced in Yosemite could be abused to write to arbitrary files as root. Apple's release notes say the update also includes fixes for the Mail and Photos apps, as well as QuickTime.

The next Mac security update will patch a serious privilege-escalation DYLD bug in OS X

A privilege-escalation bug in Apple's OS X desktop operating system will be patched in the next security update, which the company is working on as we speak, a company spokesperson said today.

The Guardian reported that the dangerous zero-day vulnerability, which lives in dyld, the OS X dynamic linker, will be patched before OS X El Capitan is released to the public this fall.