Over the past week Chinese developers have discovered and reported iOS malware, which has since been confirmed by the US-based security firm Palo Alto Networks. The malicious code was able to get into the App Store through a compromised version of Xcode and has subsequently been dubbed XcodeGhost. Xcode is Apple’s official developer tool for iOS (and related) apps.
The compromised version of Xcode was found hosted on popular Chinese developer websites. It is common in China, and other countries, to download developer tools from non-official sources because of the slow speeds when accessing Apple’s servers from those locations. The malware was placed within a framework included with this modified version of Xcode; when a developer compiled their iOS app, the malicious framework was bundled along with it.
So far, 39 apps have been found in the App Store which were compiled using this malicious version of Xcode and subsequently bypassed Apple’s strict review process. The infected apps are from a range of categories including banking, maps, stock trading and games. Some of the more popular apps include WeChat (Social Networking) and Didi Chuxing (Chinese Uber equivalent). A complete listing is available on the Palo Alto Networks blog.
The infected apps have a range of capabilities that include:
- Hijack the opening of specific URLs based on their scheme, which could allow for exploitation of vulnerabilities in iOS itself or in other iOS apps;
- Read and write data in the user’s clipboard, which could be used to read the user’s password if that password is copied from a password management tool.
So, what can you do? If you’re a user of any of the affected apps, remove them. Following removal, keep an eye out for further updates from official sources. And if you’re a developer, only download Xcode and other developer tools directly from Apple.
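One concrete way for a developer to act on the advice above, as an added example that is not part of the original post: ask Gatekeeper (`spctl`) whether the Xcode bundle already installed still carries a valid Apple signature, since a copy rebuilt around a foreign framework no longer does. The bundle path and the sample `spctl` transcripts below are constructed here for illustration.

```shell
#!/bin/sh
# Added check (not from the original post): have Gatekeeper assess the
# installed Xcode.app. A genuine copy is "accepted" with an Apple source;
# a repackaged bundle whose signature no longer matches is "rejected".
# Assumption: Xcode lives at /Applications/Xcode.app (override via $1).

XCODE_PATH="${1:-/Applications/Xcode.app}"

# Reduce raw spctl output to one verdict word. Accepted output looks like:
#   /Applications/Xcode.app: accepted
#   source=Mac App Store
# Only "accepted" together with an Apple-controlled source counts as genuine.
verdict_from_spctl_output() {
    out="$1"
    case "$out" in
        *": accepted"*)
            case "$out" in
                *"source=Mac App Store"*|*"source=Apple"*) echo "genuine" ;;
                *) echo "accepted-unknown-source" ;;
            esac ;;
        *": rejected"*) echo "tampered-or-unsigned" ;;
        *) echo "unknown" ;;
    esac
}

# Run Gatekeeper's assessment on the bundle (macOS only) and classify it.
assess_xcode() {
    if ! command -v spctl >/dev/null 2>&1; then
        echo "unavailable"   # not macOS: spctl is missing
        return 0
    fi
    # spctl exits non-zero on rejection; keep its text anyway.
    raw="$(spctl --assess --verbose "$1" 2>&1 || true)"
    verdict_from_spctl_output "$raw"
}

# Constructed transcripts (not captured from a real machine) showing both
# outcomes the parser distinguishes.
SAMPLE_GENUINE="$(printf '%s\n%s' '/Applications/Xcode.app: accepted' 'source=Mac App Store')"
SAMPLE_TAMPERED="$(printf '%s\n%s' '/Applications/Xcode.app: rejected' 'source=no usable signature')"

echo "sample genuine  -> $(verdict_from_spctl_output "$SAMPLE_GENUINE")"
echo "sample tampered -> $(verdict_from_spctl_output "$SAMPLE_TAMPERED")"
echo "installed Xcode -> $(assess_xcode "$XCODE_PATH")"
```

Anything other than `genuine` for the installed copy means the bundle should be deleted and Xcode re-downloaded from Apple before building anything else.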
There are numerous security firms in contact with Apple and while the company is yet to release an official statement, we can presume a solution is in the works. Maybe it’s a good time to try out that app kill switch?
Update: In a new blog posting, Palo Alto Networks have corrected their initial posting and stated that XcodeGhost does not currently have the ability to phish passwords; however, it would be trivial to add this ability.
Source: Palo Alto Networks