SecurityWeek

XcodeGhost Compiler Malware Targets iOS, OS X Systems

Researchers have uncovered XcodeGhost, a new piece of malware designed to inject malicious code into iOS and OS X applications.

XcodeGhost, which has mainly impacted China, was first analyzed by Chinese experts and later by researchers at network security company Palo Alto Networks. Malicious code has been unwittingly embedded into legitimate applications by developers using rogue versions of Xcode, Apple’s integrated development environment (IDE) for creating OS X and iOS software.

Malicious actors have been counting on the fact that many iOS and OS X developers in China download Xcode from third-party websites, because downloading the 3Gb installer from Apple’s servers can take a long time.

While the malicious Xcode packages can be used to infect both OS X and iOS apps, so far researchers have only spotted trojanized iOS applications. According to Palo Alto Networks, 39 malicious iOS apps made their way into the official App Store without being flagged by Apple’s security systems. Reuters reported over the weekend that the Chinese security firm Qihoo360 had spotted more than 300 infected applications.

Apple said it had removed infected apps from the App Store, but it’s unclear exactly how many such pieces of software have been identified by the tech giant.

The list of trojanized programs includes some highly popular products installed by hundreds of millions of users, such as the voice and text messaging service WeChat. Tencent Holdings, the company behind WeChat, has assured customers that the latest version of the app is not affected.

Initially, the malicious applications were only observed uploading device and app information from infected iPhones and iPads to a command and control (C&C) server. However, a closer analysis revealed that the malware can also be remotely instructed to display phishing pages, to read and write clipboard data (another avenue for stealing sensitive information), and to hijack the opening of specific URLs, Palo Alto Networks said. One developer has already reported spotting iCloud phishing attempts conducted by the malware.

XcodeGhost alters applications developed with the rogue versions of Xcode by way of CoreServices, a framework that many apps link against because it provides fundamental system services.

“XcodeGhost implemented malicious code in its own CoreServices object file, and copies this file to a specific position that is one of Xcode’s default framework search paths. Hence, the code in the malicious CoreServices file will be added into any iOS app compiled with the infected Xcode without the developers’ knowledge,” Palo Alto Networks researchers explained in a blog post.

The network security company has pointed out that threat actors don’t necessarily need to trick developers into using their Xcode packages to distribute trojanized apps. They can also write OS X malware designed to drop a malicious object file into a directory of a legitimate Xcode installation.

Unlike other types of threats, compiler malware can also affect enterprises that are cautious about the applications installed on employee devices. That’s because in the case of compiler malware the malicious code can end up in internally developed iOS and OS X applications.

“It’s difficult for iOS users or developers to be aware of this malware (or similar attacks) because it is deeply hidden, bypassing App Store code review. Because of these characteristics, Apple developers should always use Xcode directly downloaded from Apple, and regularly check their installed Xcode’s code signing integrity to prevent Xcode from being modified by other OS X malware,” Palo Alto Networks recommends.
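One way to act on that recommendation, as an added example that is not from the article or from Palo Alto Networks: a POSIX shell check that runs Gatekeeper's assessment and a deep signature verification over an installed Xcode bundle. It assumes macOS with `spctl` and `codesign` available and a bundle at `/Applications/Xcode.app` unless another path is given; the verdict-parsing helper is split out so it can be exercised with constructed `spctl` output.

```shell
#!/bin/sh
# Added example, not the article's or Palo Alto Networks' code.
# Assumes macOS with spctl and codesign; XCODE_PATH defaults to /Applications/Xcode.app.

# Decide from spctl's verdict text whether the bundle was accepted with an Apple origin.
# Returns 0 only when a line ends in ": accepted" AND the source line names Apple or
# the Mac App Store. Any other source (or a rejection) is treated as untrusted.
# $1: the text spctl printed (constructed in tests, captured live on macOS)
xcode_assessment_ok() {
    printf '%s\n' "$1" | grep -q ': accepted$' || return 1
    printf '%s\n' "$1" | grep -Eq '^source=(Mac App Store|Apple System|Apple)$' || return 1
    return 0
}

# Full check of an installed Xcode bundle. Returns 0 when both tests pass.
check_xcode() {
    xcode="${1:-/Applications/Xcode.app}"

    # 1. Gatekeeper assessment: is this bundle signed by Apple or the App Store?
    #    A copy from a third-party mirror that was re-signed or never signed fails here.
    verdict=$(spctl --assess --verbose "$xcode" 2>&1 || true)
    if ! xcode_assessment_ok "$verdict"; then
        echo "FAIL: $xcode is not an Apple-signed Xcode:"
        echo "$verdict"
        return 1
    fi

    # 2. Deep, strict signature verification of the bundle contents. A file that was
    #    added to or replaced inside the sealed bundle after signing (for instance an
    #    extra object file dropped into a framework directory) breaks the seal and
    #    shows up in the verbose output.
    if ! codesign --verify --deep --strict --verbose=2 "$xcode" 2>&1; then
        echo "FAIL: $xcode signature does not cover the current bundle contents"
        return 1
    fi

    echo "OK: $xcode is Apple-signed and its seal is intact"
    return 0
}

# Run the live check only when invoked explicitly, e.g.: sh check_xcode.sh --run
if [ "${1:-}" = "--run" ]; then
    check_xcode "${2:-/Applications/Xcode.app}"
fi
```

Schedule the `--run` invocation (for example from a periodic job on developer machines) so a later modification of an originally clean install is noticed, not just a bad download.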

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.