Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

XcodeGhost Compiler Malware Targets iOS, OS X Systems

Researchers have uncovered XcodeGhost, a new piece of malware designed to inject malicious code into iOS and OS X applications.

Researchers have uncovered XcodeGhost, a new piece of malware designed to inject malicious code into iOS and OS X applications.

XcodeGhost, which has mainly impacted China, was first analyzed by Chinese experts and later by researchers at network security company Palo Alto Networks. Malicious code has been unwittingly embedded into legitimate applications by developers using rogue versions of Xcode, Apple’s integrated development environment (IDE) for creating OS X and iOS software.

Malicious actors have been counting on the fact that many iOS and OS X developers in China download Xcode from third party websites because downloading the 3Gb installer from Apple’s servers can take a long time.

While the malicious Xcode packages can be used to infect both OS X and iOS apps, so far researcher have only spotted trojanized iOS applications. According to Palo Alto Networks, 39 malicious iOS apps made their way to the official App Store without being flagged by Apple’s security systems. Reuters reported over the weekend that the Chinese security firm Qihoo360 had spotted more than 300 infected applications.

Apple said it had removed infected apps from the App Store, but it’s unclear exactly how many such pieces of software have been identified by the tech giant.

The list of trojanized programs includes some highly popular products installed by hundreds of millions of users, such as the voice and text messaging service WeChat. Tencent Holdings, the company behind WeChat, has assured customers that the latest version of the app is not affected.

Initially, the malicious applications were only observed uploading device and app information from infected iPhones and iPads to a command and control (C&C) server. However, a closer analysis revealed that the malware can also be remotely instructed to display phishing pages, read and write data in the clipboard, which is also useful for sensitive data theft, and hijack the opening of specific URLs, Palo Alto Networks said. One developer has already reported spotting iCloud phishing attempts conducted by the malware.

XcodeGhost alters applications developed with the rogue versions of Xcode through Core Services, a component used by many apps since it contains fundamental system services.

Advertisement. Scroll to continue reading.

“XcodeGhost implemented malicious code in its own CoreServices object file, and copies this file to a specific position that is one of Xcode’s default framework search paths. Hence, the code in the malicious CoreServices file will be added into any iOS app compiled with the infected Xcode without the developers’ knowledge,” Palo Alto Networks researchers explained in a blog post.

The network security company has pointed out that threat actors don’t necessarily need to trick developers into using their Xcode packages to distribute trojanized apps. They can also write OS X malware designed to drop a malicious object file into a directory of a legitimate Xcode installation.

Unlike other types of threats, compiler malware can also affect enterprises that are cautious about the applications installed on employee devices. That’s because in the case of compiler malware the malicious code can end up in internally developed iOS and OS X applications.

“It’s difficult for iOS users or developers to be aware of this malware (or similar attacks) because it is deeply hidden, bypassing App Store code review. Because of these characteristics, Apple developers should always use Xcode directly downloaded from Apple, and regularly check their installed Xcode’s code signing integrity to prevent Xcode from being modified by other OS X malware,” Palo Alto Networks recommends.

Related: Apple Updates “Sideloading” Process in iOS 9 to Boost App Security

Related: “KeyRaider” iOS Malware Targets Apple Accounts

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.