Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Large Number of iOS Apps Infected by XcodeGhost

Researchers continue to analyze XcodeGhost, a recently discovered threat that has been used by malicious actors to infect legitimate iOS applications.

Researchers continue to analyze XcodeGhost, a recently discovered threat that has been used by malicious actors to infect legitimate iOS applications.

Palo Alto Networks initially reported that 39 malicious iOS apps had been identified on the Apple App Store. Chinese security firm Qihoo360 later said it had spotted 344 infected apps, while Appthority’s mobile threat team reported finding 476 apps.

However, the actual number could be in the thousands. The jailbreak team Pangu discovered more than 3,400 apps, while FireEye reported uncovering over 4,000 infected pieces of software on the App Store. While the threat appears to mainly impact Chinese developers, some of the infected apps, such as WeChat, are used all across the world.

Apple has started removing the infected apps from the App Store, but Palo Alto Networks warned on Monday that some of them had still been available.

XcodeGhost is capable of injecting malicious code into legitimate iOS and OS X applications through a modified version of Apple’s Xcode development platform that has been distributed via third party websites such as Baidu. While the number of infections spiked only recently, experts say the rogue Xcode installers have been around since March.

Once infected, the applications allow attackers to collect information on the device and other apps, and open arbitrary URLs.

The command and control (C&C) servers used for controlling the malware and for storing the harvested data have been hosted on Amazon Web Services. Palo Alto Networks pointed out on Monday that XcodeGhost uses HTTP requests encrypted with the DES algorithm in ECB mode for communications with the C&C server. However, the encryption key can be easily obtained, which creates opportunities for man-in-the-middle (MitM) attackers.

“There’s a vulnerability in the infected iOS apps whereby the malicious code in them can be controlled by any man in the middle. By exploiting this vulnerability, an attacker can construct any URL in any scheme and control infected apps to open, or prompt an alert dialog for further attacks,” Palo Alto’s Claud Xiao explained in a blog post.

Amazon has shut down the C&C servers and Apple has published an advisory containing instructions on how developers can determine if the Xcode version they are using is legitimate or counterfeit. Baidu has also removed malicious Xcode installers from its file sharing service, but the anti-censorship organization GreatFire has warned that attackers could also distribute rogue Xcode installers via the popular Chinese download manager Xunlei.

Palo Alto Networks initially reported that XcodeGhost-infected apps could be used to display iCloud phishing prompts. After a closer analysis, experts determine that this is only possible if a few lines of code are changed. The samples spotted so far can only be used for phishing via a feature in the malware that allows the attackers to open arbitrary URLs on infected devices.

“The framework itself contains no code to display login prompts or alerts of any kind that could be used to phish credentials (the alert has no field for text input). The only way to launch a phishing attack using this framework would be to send the response to open a URL pointing to a malicious website,” explained researchers at Appthority.

Appthority has also pointed out that the samples identified so far behave more like adware or tracking frameworks rather than actual malware.

While some experts have noted that XcodeGhost poses a serious threat to organizations, particularly if the modified Xcode versions are used to develop internal applications, Appthority believes that the actual impact to device and enterprise security is low. On the other hand, this incident demonstrates that it is possible to infect multiple popular apps in the App Store and bypass Apple’s review process, the security firm said.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.