Security Experts:

Large Number of iOS Apps Infected by XcodeGhost

Researchers continue to analyze XcodeGhost, a recently discovered threat that has been used by malicious actors to infect legitimate iOS applications.

Palo Alto Networks initially reported that 39 malicious iOS apps had been identified on the Apple App Store. Chinese security firm Qihoo360 later said it had spotted 344 infected apps, while Appthority’s mobile threat team reported finding 476 apps.

However, the actual number could be in the thousands. The jailbreak team Pangu discovered more than 3,400 apps, while FireEye reported uncovering over 4,000 infected pieces of software on the App Store. While the threat appears to mainly impact Chinese developers, some of the infected apps, such as WeChat, are used all across the world.

Apple has started removing the infected apps from the App Store, but Palo Alto Networks warned on Monday that some of them had still been available.

XcodeGhost is capable of injecting malicious code into legitimate iOS and OS X applications through a modified version of Apple’s Xcode development platform that has been distributed via third party websites such as Baidu. While the number of infections spiked only recently, experts say the rogue Xcode installers have been around since March.

Once infected, the applications allow attackers to collect information on the device and other apps, and open arbitrary URLs.

The command and control (C&C) servers used for controlling the malware and for storing the harvested data have been hosted on Amazon Web Services. Palo Alto Networks pointed out on Monday that XcodeGhost uses HTTP requests encrypted with the DES algorithm in ECB mode for communications with the C&C server. However, the encryption key can be easily obtained, which creates opportunities for man-in-the-middle (MitM) attackers.

“There’s a vulnerability in the infected iOS apps whereby the malicious code in them can be controlled by any man in the middle. By exploiting this vulnerability, an attacker can construct any URL in any scheme and control infected apps to open, or prompt an alert dialog for further attacks,” Palo Alto’s Claud Xiao explained in a blog post.

Amazon has shut down the C&C servers and Apple has published an advisory containing instructions on how developers can determine if the Xcode version they are using is legitimate or counterfeit. Baidu has also removed malicious Xcode installers from its file sharing service, but the anti-censorship organization GreatFire has warned that attackers could also distribute rogue Xcode installers via the popular Chinese download manager Xunlei.

Palo Alto Networks initially reported that XcodeGhost-infected apps could be used to display iCloud phishing prompts. After a closer analysis, experts determine that this is only possible if a few lines of code are changed. The samples spotted so far can only be used for phishing via a feature in the malware that allows the attackers to open arbitrary URLs on infected devices.

“The framework itself contains no code to display login prompts or alerts of any kind that could be used to phish credentials (the alert has no field for text input). The only way to launch a phishing attack using this framework would be to send the response to open a URL pointing to a malicious website,” explained researchers at Appthority.

Appthority has also pointed out that the samples identified so far behave more like adware or tracking frameworks rather than actual malware.

While some experts have noted that XcodeGhost poses a serious threat to organizations, particularly if the modified Xcode versions are used to develop internal applications, Appthority believes that the actual impact to device and enterprise security is low. On the other hand, this incident demonstrates that it is possible to infect multiple popular apps in the App Store and bypass Apple’s review process, the security firm said.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.