Large Number of iOS Apps Infected by XcodeGhost

Researchers continue to analyze XcodeGhost, a recently discovered threat that has been used by malicious actors to infect legitimate iOS applications.

Palo Alto Networks initially reported that 39 malicious iOS apps had been identified on the Apple App Store. Chinese security firm Qihoo360 later said it had spotted 344 infected apps, while Appthority’s mobile threat team reported finding 476 apps.

However, the actual number could be in the thousands. The jailbreak team Pangu discovered more than 3,400 apps, while FireEye reported uncovering over 4,000 infected pieces of software on the App Store. While the threat appears to mainly impact Chinese developers, some of the infected apps, such as WeChat, are used all across the world.

Apple has started removing the infected apps from the App Store, but Palo Alto Networks warned on Monday that some of them had still been available.

XcodeGhost is capable of injecting malicious code into legitimate iOS and OS X applications through a modified version of Apple’s Xcode development platform that has been distributed via third-party websites such as Baidu. While the number of infections spiked only recently, experts say the rogue Xcode installers have been around since March.

Once infected, the applications allow attackers to collect information on the device and other apps, and open arbitrary URLs.

The command and control (C&C) servers used for controlling the malware and for storing the harvested data have been hosted on Amazon Web Services. Palo Alto Networks pointed out on Monday that XcodeGhost uses HTTP requests encrypted with the DES algorithm in ECB mode for communications with the C&C server. However, the encryption key can be easily obtained, which creates opportunities for man-in-the-middle (MitM) attackers.

“There’s a vulnerability in the infected iOS apps whereby the malicious code in them can be controlled by any man in the middle. By exploiting this vulnerability, an attacker can construct any URL in any scheme and control infected apps to open, or prompt an alert dialog for further attacks,” Palo Alto’s Claud Xiao explained in a blog post.

Amazon has shut down the C&C servers and Apple has published an advisory containing instructions on how developers can determine if the Xcode version they are using is legitimate or counterfeit. Baidu has also removed malicious Xcode installers from its file sharing service, but the anti-censorship organization GreatFire has warned that attackers could also distribute rogue Xcode installers via the popular Chinese download manager Xunlei.
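The check Apple's advisory points developers to is a Gatekeeper assessment of the Xcode bundle. The script below is an added example, not code from the article or from Apple: it runs that assessment and parses the verdict so that a rejected bundle, or one whose signature source is not Apple's, fails the check. The path /Applications/Xcode.app and the helper names are assumptions; the parser is kept separate from the spctl call so it can be exercised against constructed output on a non-macOS host.

```shell
#!/bin/sh
# Added example: apply the Gatekeeper assessment from Apple's advisory to a
# local Xcode install. spctl exists only on macOS, so the verdict parser is
# factored out and can be tested against constructed assessment text.

XCODE_PATH="${XCODE_PATH:-/Applications/Xcode.app}"   # assumed default location

# Returns 0 when the assessment text marks the bundle as accepted AND the
# "source=" line names one of Apple's own signing sources; anything else
# (rejected, a non-Apple source, or unexpected text) returns 1.
xcode_signature_ok() {
    assessment="$1"
    printf '%s\n' "$assessment" | grep -q ': accepted$' || return 1
    src=$(printf '%s\n' "$assessment" | sed -n 's/^source=//p' | head -n 1)
    case "$src" in
        "Mac App Store"|"Apple System"|"Apple") return 0 ;;
        *) return 1 ;;
    esac
}

# Runs the assessment on the installed Xcode and reports the verdict.
# Exit status: 0 genuine, 1 failed assessment, 2 spctl unavailable.
check_xcode() {
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not found; this check only runs on macOS" >&2
        return 2
    fi
    out=$(spctl --assess --verbose "$XCODE_PATH" 2>&1)
    if xcode_signature_ok "$out"; then
        echo "OK: $XCODE_PATH is accepted and signed by Apple"
    else
        echo "WARNING: $XCODE_PATH failed Gatekeeper assessment:" >&2
        printf '%s\n' "$out" >&2
        return 1
    fi
}

# Invoke as: sh check_xcode.sh --run
if [ "${1:-}" = "--run" ]; then
    check_xcode
fi
```

A passing run prints the accepted verdict; any other output from spctl is echoed so the developer can see which part of the assessment failed.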

Palo Alto Networks initially reported that XcodeGhost-infected apps could be used to display iCloud phishing prompts. After a closer analysis, experts determined that this is only possible if a few lines of code are changed. The samples spotted so far can only be used for phishing via a feature in the malware that allows the attackers to open arbitrary URLs on infected devices.

“The framework itself contains no code to display login prompts or alerts of any kind that could be used to phish credentials (the alert has no field for text input). The only way to launch a phishing attack using this framework would be to send the response to open a URL pointing to a malicious website,” explained researchers at Appthority.

Appthority has also pointed out that the samples identified so far behave more like adware or tracking frameworks rather than actual malware.

While some experts have noted that XcodeGhost poses a serious threat to organizations, particularly if the modified Xcode versions are used to develop internal applications, Appthority believes that the actual impact to device and enterprise security is low. On the other hand, this incident demonstrates that it is possible to infect multiple popular apps in the App Store and bypass Apple’s review process, the security firm said.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
