XcodeGhost: a new malware infecting many popular iOS apps

It looks like that a new malware has been discovered and it affects popular iOS apps and most of them is developed for China. The virus is called XcodeGhost and it collects information on the devices and uploads that data to remote servers.

One of the infected apps is the well-known instant messaging application known as WeChat has been infected with that virus.

Rather than exploit an iOS vulnerability, the malware in question sneaks its way into apps indirectly, by targeting Apple’s official compilers used to create legitimate apps. The malware was found to inject its malicious code into a Mach-O object file that was repackaged into some versions of Xcode, Apple’s official tool for developing iOS and OS X apps.

These Trojanized Xcode installers were then uploaded to Baidu’s cloud file sharing service used by Chinese app developers, explains Palo Alto Networks. The malicious code then inserts itself into any iOS app compiled with the infected Xcode without the developers’ knowledge.

It’s not Apple’s fault, really: this would have never happened had these developers downloaded Xcode files directly from Apple. Baidu has since removed all of the infected files from its servers and some of the infected apps have since removed the malware code in their latest builds.

XcodeGhost’s malicious code isn’t particularly harmful so this explains why it can pass the App Store screening process. Apps infected with XcodeGhost collect the following data from users’ devices:
  • Current time
  • Current infected app’s name
  • The app’s bundle identifier
  • Current device’s name and type
  • Current system’s language and country
  • Current device’s UUID
  • Network type
You've been warned !

But why on Earth would a legitimate iOS developer download the official Xcode files from a non-Apple source, you ask. Blame it on slow download speeds in China and in some other places around the world.

F0r M0re UpDaTing: Be 0ne 0f My New F0ll0wers 0n Twitter, 0ne 0f My New Fan 0n FaceB00k, And Here Is The Feeds.


blog comments powered by Disqus
Octofinder Blog Catalog