Malware-Laced Xcode Tool Used to Infect iOS Apps

September 21, 2015

Malware that targets—and successfully infects—unmodified iOS devices is comparatively rare, and the few samples that do manage to create a stir usually affect jailbroken phones. Simply put, when malware manages to get through Apple's App Store policies and curation process, it's a big deal. While the iOS ecosystem is considered comparatively "safer" in the sense that far more threats are designed to target other mobile operating systems, it's not perfect, and some still manage to fall through the cracks.

Recently, there have been reports of Chinese apps hosted on the official App Store that were found to be infected with malware designed to steal information from iOS devices. Evidently, the apps were infected after being compiled using a spiked version of Xcode—Apple's official tool for developing iOS and Mac apps—which was uploaded to the Chinese cloud file sharing site Baidu. The malicious copy of Xcode allowed a number of infected apps to pass through Apple's code review process, and they could be installed onto iOS devices, including unmodified (non-jailbroken) ones.

According to researchers from Palo Alto Networks, apps infected with the malware—since labeled XcodeGhost and detected as IOS_XcodeGhost.A—collected information from the devices that installed them before encrypting and uploading the data to the attackers' command and control servers. The infected iOS apps can also be sent commands to display a fake alert that phishes for user credentials, to hijack URLs, and to read the device's clipboard in order to send the user's password if it was copied from a password manager.

While the apps were mostly developed for the Chinese market, some apps, such as WeChat (a messaging app) and CamCard (a business card scanner app), are available on other regional App Stores outside China. More than 50 other apps that are known to have been infected are available outside China.

Apple has since issued a statement saying that it has removed the apps known to have been created using the spiked version of Xcode. In the meantime, users should uninstall the infected iOS apps detailed in the list above until they have been updated, while developers are advised to install official versions of Xcode 7 or the Xcode beta downloaded from Apple's site.
