September 21, 2015
By Max Buondonno
Yesterday, the iOS App Store experienced a huge security breach. Earlier this week, Chinese developers created a new piece of malware called XcodeGhost: a tampered version of Xcode, Apple's official tool for building iOS and OS X apps. They distributed it by uploading the files to the Chinese cloud file-sharing service Baidu and then publicized it on the microblogging site Sina Weibo.
Since then, Chinese app developers have unknowingly been compiling iOS applications with the hacked Xcode IDE. The resulting apps passed Apple's code review and were then distributed through the App Store to every iOS device running an operating system the apps support, so users downloaded, or updated to, the infected versions.
Every iPhone, iPad, and iPod with a compatible OS to run the infected apps, jailbroken or not, has been affected by this breach.
Below is a full list of the 95 apps affected by this issue as reported by Palo Alto Networks and Fox-It (fox-it.com):
More than 500 million iOS users have been affected, largely because WeChat is extremely popular in China and the Asia-Pacific region.
iOS apps infected with XcodeGhost collect information about the device, encrypt it, and upload it over HTTP to command and control (C2) servers run by the attackers, putting millions of iOS devices at risk of further attack. The system and app information that can be collected includes:
- Current time
- Current infected app’s name
- The app’s bundle identifier
- Current device’s name and type
- Current system’s language and country
- Current device’s UUID
- Network type
Palo Alto Networks also discovered that infected iOS apps can receive commands from the attacker through the C2 server to perform the following actions:
- Prompt a fake alert dialog to phish user credentials;
- Hijack opening specific URLs based on their scheme, which could allow for exploitation of vulnerabilities in the iOS system or other iOS apps;
- Read and write data in the user’s clipboard, which could be used to read the user’s password if that password is copied from a password management tool.
Palo Alto Networks claims that it is cooperating with Apple on the issue, while multiple developers have updated their apps to remove the malware.
Apple has since issued the following statement to Reuters:
We’ve removed the apps from the App Store that we know have been created with this counterfeit software. We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.
If you want to protect yourself against this malware, or if you have one of the apps on the list above, either update those apps via the App Store to a version from which the malware has been removed or simply uninstall them. As a precaution, resetting your iCloud password and any other password you have entered on your iOS device is also strongly recommended.
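Apple's statement above tells developers to make sure they are using the proper version of Xcode. The check Apple published for that is Gatekeeper's `spctl --assess --verbose /Applications/Xcode.app`, whose output should read `accepted` with `source=Mac App Store`, `source=Apple` or `source=Apple System`. The Python script below is an added example, not code from the article or from Apple: it runs `spctl` (assumed to be present, i.e. on macOS), parses the result, and reports the install as genuine only when the verdict is `accepted` and the source is one of those three. The sample outputs it carries are constructed for offline testing.

```python
"""Validate a local Xcode install the way Apple recommended after XcodeGhost:
ask Gatekeeper (spctl) to assess Xcode.app and insist that the signing source
is Apple's own. Added example; not code from the article, Apple or Palo Alto
Networks.

Assumptions: macOS with `spctl` on PATH, and the output format Apple
documented ("<path>: accepted" followed by "source=<origin>"). The
SAMPLE_OUTPUTS below are constructed for offline testing.
"""
import re
import subprocess

XCODE_PATH = "/Applications/Xcode.app"

# Origins Apple lists as legitimate for a genuine Xcode. Anything else,
# including a re-signed bundle that Gatekeeper still "accepts", is treated
# as untrusted.
TRUSTED_SOURCES = {"Mac App Store", "Apple", "Apple System"}

# spctl prints the verdict on one line; the source may follow on the same
# line or on the next one depending on the macOS version, so each part is
# matched independently.
_VERDICT = re.compile(r"^(?P<path>.+?): (?P<verdict>accepted|rejected)\b", re.M)
_SOURCE = re.compile(r"\bsource=(?P<source>[^\r\n]+)")


def classify(spctl_output: str) -> dict:
    """Parse `spctl --assess --verbose` output into a verdict.

    Returns a dict with 'path', 'verdict' (accepted/rejected/unknown),
    'source' and 'genuine'. 'genuine' is True only when Gatekeeper accepted
    the bundle AND the source is one of Apple's own.
    """
    v = _VERDICT.search(spctl_output)
    s = _SOURCE.search(spctl_output)
    source = s.group("source").strip() if s else None
    if v is None:
        return {"path": None, "verdict": "unknown", "source": source, "genuine": False}
    verdict = v.group("verdict")
    return {
        "path": v.group("path"),
        "verdict": verdict,
        "source": source,
        "genuine": verdict == "accepted" and source in TRUSTED_SOURCES,
    }


def assess(path: str = XCODE_PATH) -> dict:
    """Run spctl against `path` and classify the result.

    spctl may write its assessment to stderr and exits non-zero on rejection,
    so both streams are combined and the exit code is not relied on.
    """
    try:
        proc = subprocess.run(
            ["spctl", "--assess", "--verbose", path],
            capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:  # not macOS, or spctl missing
        return {"path": path, "verdict": "unknown", "source": None, "genuine": False}
    return classify(proc.stdout + proc.stderr)


# Constructed sample outputs covering the cases a developer may see.
SAMPLE_OUTPUTS = {
    "app_store": "/Applications/Xcode.app: accepted\nsource=Mac App Store\n",
    "apple_one_line": "/Applications/Xcode.app: accepted source=Apple",
    "resigned": "/Applications/Xcode.app: accepted\nsource=Developer ID\n",
    "tampered": "/Applications/Xcode.app: rejected\nsource=no usable signature\n",
}


def demo() -> dict:
    """Classify every constructed sample; returns {name: genuine?}."""
    return {name: classify(out)["genuine"] for name, out in SAMPLE_OUTPUTS.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15s} genuine={ok}")
    print("local Xcode:", assess())
```

The "resigned" sample is the case worth noticing: a modified Xcode that someone has re-signed with a Developer ID certificate still passes Gatekeeper, so checking only for `accepted` is not enough; the source line is what ties the bundle back to Apple.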
Update: Palo Alto Networks has released a new updated list of the apps affected by this security breach which includes Angry Birds 2:
- Angry Birds 2
- CamCard
- CamScanner
- Card Safe
- China Unicom Mobile Office
- CITIC Bank move card space
- Didi Chuxing, developed by Uber’s biggest rival in China, Didi Kuaidi
- Eyes Wide
- Flush
- Freedom Battle
- High German map
- Himalayan
- Hot stock market
- I called MT
- I called MT 2
- IFlyTek input
- Jane book
- Lazy weekend
- Lifesmart
- Mara Mara
- Marital bed
- Medicine to force
- Micro Channel
- Microblogging camera
- NetEase
- OPlayer
- Pocket billing
- Poor tour
- Quick asked the doctor
- Railway 12306, the only official app for buying train tickets in China
- SegmentFault
- Stocks open class
- Telephone attribution assistant
- The driver drops
- The Kitchen
- Three new board
- Watercress reading
Stay with MBEDDED for all the latest news in Apple by following us on Twitter, Google+, and by subscribing to our newsletter, located on our Home page.