Apple iOS App Store riddled with malware -- XcodeGhost haunts hundreds of apps [u3]

DISASTER: Sky falling. Apple failing. Users fainting. [You're fired -Ed.]

Apple iOS XcodeGhost App Store malware
Credit: Lam Eason (cc:by)

Apple iOS App Store suffers major malware attack: Dubbed XcodeGhost, the malware has been found in more than 300 popular apps so far.

Although Chinese hackers are blamed, many apps used in the U.S. were infected. Including Mercury, CamCard, and musical.ly.

So much for iOS's vaunted security. It sounds like Apple's App Store guardians were incapable of scanning for modified static libraries.

In IT Blogwatch, bloggers furiously eyeroll. Not to mention: The most ridiculous thing Tom has built in a long while...

curated these bloggy bits for your entertainment.
[Developing story: Updated 7:54 am, 10:23 am and 3:58 pm PT with more comment]


Jim Finkle and Scott DiSavino report there's a problem:

Apple Inc said on Sunday it is cleaning up its iOS App Store to remove malicious iPhone and iPad programs...after several cyber security firms reported finding [malware] dubbed XcodeGhost...in hundreds of legitimate apps.

Chinese security firm Qihoo360...uncovered 344 apps tainted with XcodeGhost.  MORE


Dave Lee and anonymous Aunty scribblers speak peace unto nation:

It is thought to be the first large-scale attack on Apple's App Store. ... Some of the affected apps - including the business card scanner CamCard - are also available outside China. ... An Apple spokeswoman said..."We are working with the developers to make sure they're using the proper version of Xcode to rebuild their apps."

[It's] surprising, as it looks like two groups of supposedly informed people have been caught out. Firstly developers...were duped into using counterfeit software to build their apps. ... Secondly, Apple's quality testers, who generally do a very good job in keeping out nasties.  MORE


So Claud Xiao updates us:

In the first report, we noted that the malicious code uploads device information and app information to its command and control (C2) server. But that isn’t all it does.

[It's also] capable of receiving commands from the attacker [to] prompt a fake alert dialog to phish user credentials; hijack opening specific URLs...which could allow for exploitation of vulnerabilities; [and] read and write data in the user’s clipboard. ... Additionally, according to one developer’s report, XcodeGhost has already launched phishing attacks [for] iCloud passwords.

XcodeGhost is a very harmful and dangerous malware that has bypassed Apple’s code review and made unprecedented attacks. ... We believe that stealing passwords or potentially exploiting vulnerabilities in iOS and in legitimate applications may be the true purpose of XcodeGhost.  MORE


But Sasparilla isn't surprised it happened:

Documents released by Snowden pointed out the CIA (in cahoots with the NSA?) had been attempting to compromise Xcode.

Once you compromise the compiler its game over.  MORE


Yeah, but why did devs fall for it? Benjamin "egg" Mayo spreads the background:

Developers were inadvertently submitting malware by using counterfeit versions of Xcode, Apple’s development software. ... The hackers somehow convinced developers to use its version of the Xcode tools rather than Apple’s official software.

One theory is that Apple’s servers are slow to download from in China, so developers used this alternative ‘mirror’ (unaware of its true credibility).  MORE


Slow? ORLY? Luc Momal explains:

XCode, and everything Apple, takes forever to download.

It's faster to download the CentOS "Everything ISO" (7GB) from [an] ftp mirror in Egypt than to get XCode (3GB) from the global network of the wealthiest company in the world.  MORE


Update 1: Scott Cendrowski lays the blame at China's great firewall:

[It] keeps users inside the country from accessing Facebook, the New York Times, and other sites banned because they pose some threat...to the ruling Communist Party. [It] might be at least partly to blame.

China’s tight Internet controls appear to have backfired, for once very publicly, putting the country’s own tech champions at risk.  MORE


And it seems Cendrowski says that based on this analysis by Samuel Wade:

Xcode is usually obtained directly from Apple...but because large cross-border downloads can be slow and unreliable in China, in large part because of the government’s Internet controls, many users there turn to potentially unsafe unofficial sources.  MORE


Update 2: Sarah Perez notes that that devs may not have been paying attention:

To even install this [infected] version of the Xcode software, developers had to ignore a warning which indicated the software was damaged and should be moved to the trash.

In other words, Apple’s Gatekeeper technology, which prevents non-App Store and unsigned versions...from being installed, was doing its job. Developers, however, ultimately chose to ignore the warnings. ... Then, when [they] used this version of Xcode to code their apps, their apps would then become infected with the malware.

It’s unclear at this time how many users may have actually downloaded the malware-laden apps...and how these users will be notified to upgrade. ... Years ago, Apple founder and CEO Steve Jobs confirmed that Apple did, in fact, have a “kill switch” of sorts to remove apps from users’ devices. ... We wonder if Apple will indeed proceed to use this mechanism.  MORE


Update 3: But iOS is still more secure than Android, right? Paul Qureshi disagrees:

So far there is no evidence that the Apple way works any better than the Google way. Google scans all apps for malicious code, the same way that Apple does. You don't think that Apple employs people to decompile and check app manually, do you? If a human is involved at all, they are just there to make sure that the UI and content meet the Apple standards. Most apps don't appear to be human reviewed at all, or if they are the humans pay little attention and allow apps with zero functionality, or which clearly contravene the rules (e.g. there is a Playboy app, despite the prohibition on porn).

The idea that Android is somehow riddled with malware is nonsense. Where are the vast botnets that would exist if it were? The Play store seems to be just as safe as the Apple app store, from a user's perspective.  MORE


And Finally...
Tom Scott says, "This is the most ridiculous thing I've built in a long while."
It's a full-size, real-life emoji keyboard, with more than 1,000 keys.


You have been reading IT Blogwatch by , who curates the best bloggy bits, finest forums, and weirdest websites… so you don't have to. Catch the key commentary from around the Web every morning. Hatemail may be directed to @RiCHi or itbw@richi.uk.  Opinions expressed may not represent those of Computerworld. Ask your doctor before reading. Your mileage may vary. E&OE.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies