
iOS XcodeGhost malware FAQ: Am I affected by App Store exploit?

Reporting by Jon Mundy and Sean Keach

Apple has acknowledged that its iOS App Store has been breached by malware, and has taken decisive steps to eradicate it.

A statement has been provided to TrustedReviews by Apple, which reads as follows:

“Apple takes security very seriously and iOS is designed to be reliable and secure from the moment you turn on your device. We offer developers the industry’s most advanced tools to create great apps. A fake version of one of these tools was posted by untrusted sources which may compromise user security from apps that are created with this counterfeit tool. To protect our customers, we’ve removed the apps from the App Store that we know have been created with this counterfeit software and we are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.”

Here are the key questions answered.

What happened?

The XcodeGhost malware has worked its way into a number of apps on the App Store, making it the first major attack on the store.

The breach was discovered by several cybersecurity companies, which found that the malicious XcodeGhost code had embedded itself in hundreds of genuine apps.

How did the breach happen?

XcodeGhost’s developers managed to bypass Apple’s stringent app approval measures by convincing developers to use a modified version of Apple’s Xcode software.

Hackers had uploaded altered versions of Xcode to a Chinese cloud storage service. Attackers then posted download links to the software on Chinese development forums.

Xcode 7 (via Apple)

“In China – and in other places around the world – sometimes network speeds are very slow when downloading large files from Apple’s services,” explains cybersecurity firm Palo Alto Networks, in a blog post.

It continues: “As the standard Xcode installer is nearly three gigabytes, some Chinese developers choose to download the package from other sources.”

An Apple spokesperson also provided TrustedReviews with this information: “In addition to downloading counterfeit versions of Xcode, many developers also disabled Gatekeeper on their Macs.”

Gatekeeper is the macOS feature that warns about, or blocks, downloaded applications that are not signed by a trusted developer. Developers who switched it off would not have been warned when installing the counterfeit Xcode, which certainly helped to facilitate this breach.
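The practical check that follows from this is to ask Gatekeeper’s own assessment tool, spctl, whether the installed Xcode is signed by Apple, and whether Gatekeeper is switched on at all. The script below is an added example written for this article, not code from Apple or from the article itself. It assumes that a genuine Xcode is reported by spctl as “accepted” with a source of “Mac App Store”, “Apple” or “Apple System”, and that any other source (for example a bundle re-signed by a third party) should be treated as suspect. The sample outputs are constructed so the parsing functions can be exercised on a machine without Xcode.

```shell
#!/bin/sh
# Added example (not from the article): classify spctl's verdict on an
# Xcode.app bundle and report Gatekeeper's on/off state.
# Assumption: the trusted source labels for a genuine Xcode are
# "Mac App Store", "Apple" and "Apple System"; anything else is suspect.

# classify_spctl takes the text that `spctl --assess --verbose <app>` prints
# and echoes one of: genuine, suspect, rejected, unknown.
classify_spctl() {
    out="$1"
    # First line looks like "/Applications/Xcode.app: accepted"
    verdict=$(printf '%s\n' "$out" | sed -n '1s/.*: //p')
    # A later line looks like "source=Mac App Store"
    src=$(printf '%s\n' "$out" | sed -n 's/^source=//p' | head -n 1)
    case "$verdict" in
        accepted)
            case "$src" in
                "Mac App Store"|"Apple"|"Apple System") echo genuine ;;
                *) echo suspect ;;
            esac ;;
        rejected) echo rejected ;;
        *) echo unknown ;;
    esac
}

# gatekeeper_state takes the text that `spctl --status` prints and echoes
# "enabled" or "disabled" (Gatekeeper off is the situation Apple describes).
gatekeeper_state() {
    case "$1" in
        *"assessments enabled"*) echo enabled ;;
        *"assessments disabled"*) echo disabled ;;
        *) echo unknown ;;
    esac
}

# check_xcode runs the real assessment when spctl exists (macOS only).
check_xcode() {
    path="${1:-/Applications/Xcode.app}"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available on this system"
        return 2
    fi
    gatekeeper_state "$(spctl --status 2>&1)"
    classify_spctl "$(spctl --assess --verbose "$path" 2>&1)"
}

# Constructed sample outputs (not captured from a real machine) so the
# parsers can be demonstrated anywhere.
SAMPLE_GENUINE='/Applications/Xcode.app: accepted
source=Mac App Store'
SAMPLE_RESIGNED='/Applications/Xcode.app: accepted
source=Developer ID'
SAMPLE_UNSIGNED='/Applications/Xcode.app: rejected
source=no usable signature'
SAMPLE_GK_OFF='assessments disabled'

printf 'App Store copy:      %s\n' "$(classify_spctl "$SAMPLE_GENUINE")"
printf 'Re-signed copy:      %s\n' "$(classify_spctl "$SAMPLE_RESIGNED")"
printf 'Unsigned copy:       %s\n' "$(classify_spctl "$SAMPLE_UNSIGNED")"
printf 'Gatekeeper:          %s\n' "$(gatekeeper_state "$SAMPLE_GK_OFF")"
check_xcode || :
```

On a Mac, run the script as-is (or call `check_xcode /path/to/Xcode.app`) and treat anything other than “enabled” followed by “genuine” as a reason to delete the copy and reinstall Xcode from the Mac App Store.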

It’s also worth noting that while iOS is generally thought of as secure, a breach can have serious implications due to the lack of anti-malware software available on the platform.

“While the majority of mobile malware targets victims running Android, this incident highlights the fact that iOS isn’t immune to malware,” a Kaspersky spokesperson explains to TrustedReviews.

The spokesperson continues: “Apple’s ‘walled garden’ approach does make it harder for cybercriminals to compromise apps, but if something does slip through the net, as in this case, there’s no protection available because Apple doesn’t provide third-party developers with the means to develop anti-malware protection for iOS.”

What does XcodeGhost do and how serious is this?

It seems the malware itself has limited functionality, with no evidence of data theft or wider harm having been discovered, but there are dangers all the same.

The way in which XcodeGhost managed to work its way into Apple’s famously secure App Store opens up a new avenue of attack for hackers.

It’s also not yet clear to what extent a customer’s security may be compromised by XcodeGhost.

However, we do know what sort of information can be collected by XcodeGhost:

  • Current time
  • Infected app name
  • App’s bundle identifier
  • Device name and type
  • Language and country of device
  • Device UUID
  • Network type

XcodeGhost also has a number of actions it can perform:

  • Send fake alert dialogs
  • Hijack opening URLs
  • Read/write data to clipboard

These actions could have very serious implications if a nefarious third party acted on them.

For instance, fake dialogs could trick a user into handing over information under false pretences. It could also act as ransomware, extorting cash from a user.

Also, the fact that the app can read from the clipboard means that if you copy and paste your passwords, they could be compromised very easily.

Which apps were affected?

Security firm Qihoo360 Technology, writing on its blog, reveals that it has found 344 apps affected by XcodeGhost.

Perhaps the biggest developer to fall for this approach has been China’s Tencent, whose infected WeChat app is used by some 600 million people.

The company insists that it was an older version of the app that was infected, and that the current version is clean.

Other infected applications include NetEase’s music app, Didi Kuaidi’s car-hailing app, WinZip, Railway 12306, China Unicom Mobile Office, Tonghuashun, and the CamCard business card scanner.

Apple has not yet revealed how many apps have been affected by the breach.

Please note that any device – iPhone, iPad, iPod Touch – running an app-compatible version of iOS can be affected. Non-jailbroken devices can also be affected.

What is Apple doing about it?

Apple itself has acknowledged and responded to this unprecedented attack on its App Store.

“We’ve removed the apps from the App Store that we know have been created with this counterfeit software,” Apple spokeswoman Christine Monaghan told Reuters.

She also revealed that Apple was “working with developers to make sure they’re using the proper version of Xcode to rebuild their apps.”

What should I do?

Apple is likely working on a fix to resolve any handset issues as we speak, so the best thing to do is wait for intervention.

It’s also probably worth uninstalling any apps that are included on this list, just to be safe.

It’s also worth changing your Apple passwords, and any passwords you’ve entered on your device. We’d recommend doing this on a different device from your iPhone, if possible.

We’d also suggest avoiding copying and pasting passwords, and being wary of any alerts or notifications that appear strange or spurious.

How can I protect myself from future attacks?

Until now, the best ways to protect yourself from attacks on iOS were to (1) not jailbreak your phone, and (2) only download content from the official App Store.

However, the XcodeGhost breach routed its way into iPhones through Apple’s own store.

Regardless, the above is still good advice, and we’d say that’s your best option.

Apple will likely be cracking down harder than ever on phony entries to the App Store as a result of this latest breach, so steering clear of jailbreaks is wise.

We have contacted Apple regarding the breach, and we’ll update this article with any response.

