Researchers have uncovered XcodeGhost, a new piece of malware designed to inject malicious code into iOS and OS X applications.
XcodeGhost, which has mainly impacted China, was first analyzed by Chinese experts and later by researchers at network security company Palo Alto Networks. Malicious code has been unwittingly embedded into legitimate applications by developers using rogue versions of Xcode, Apple’s integrated development environment (IDE) for creating OS X and iOS software.
Malicious actors have been counting on the fact that many iOS and OS X developers in China download Xcode from third-party websites because downloading the 3Gb installer from Apple’s servers can take a long time.
While the malicious Xcode packages can be used to infect both OS X and iOS apps, so far researchers have only spotted trojanized iOS applications. According to Palo Alto Networks, 39 malicious iOS apps made their way to the official App Store without being flagged by Apple’s security systems. Reuters reported over the weekend that the Chinese security firm Qihoo360 had spotted more than 300 infected applications.
Apple said it had removed infected apps from the App Store, but it’s unclear exactly how many such pieces of software have been identified by the tech giant.
The list of trojanized programs includes some highly popular products installed by hundreds of millions of users, such as the voice and text messaging service WeChat. Tencent Holdings, the company behind WeChat, has assured customers that the latest version of the app is not affected.
Initially, the malicious applications were only observed uploading device and app information from infected iPhones and iPads to a command and control (C&C) server. However, a closer analysis revealed that the malware can also be remotely instructed to display phishing pages, read and write data in the clipboard, which is also useful for sensitive data theft, and hijack the opening of specific URLs, Palo Alto Networks said. One developer has already reported spotting iCloud phishing attempts conducted by the malware.
XcodeGhost alters applications developed with the rogue versions of Xcode through Core Services, a component used by many apps since it contains fundamental system services.
“XcodeGhost implemented malicious code in its own CoreServices object file, and copies this file to a specific position that is one of Xcode’s default framework search paths. Hence, the code in the malicious CoreServices file will be added into any iOS app compiled with the infected Xcode without the developers’ knowledge,” Palo Alto Networks researchers explained in a blog post.
The network security company has pointed out that threat actors don’t necessarily need to trick developers into using their Xcode packages to distribute trojanized apps. They can also write OS X malware designed to drop a malicious object file into a directory of a legitimate Xcode installation.
Unlike other types of threats, compiler malware can also affect enterprises that are cautious about the applications installed on employee devices. That’s because in the case of compiler malware the malicious code can end up in internally developed iOS and OS X applications.
“It’s difficult for iOS users or developers to be aware of this malware (or similar attacks) because it is deeply hidden, bypassing App Store code review. Because of these characteristics, Apple developers should always use Xcode directly downloaded from Apple, and regularly check their installed Xcode’s code signing integrity to prevent Xcode from being modified by other OS X malware,” Palo Alto Networks recommends.
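The two checks in that recommendation, as an added example that is not code from the article or from Palo Alto Networks: a POSIX shell script that assesses the installed Xcode's signature with Gatekeeper and codesign, then inventories every CoreServices object file under the Xcode tree so it can be compared against a clean copy downloaded from Apple. The install path in XCODE_APP, the function names, and the use of spctl/codesign (macOS only) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the article. Assumes Xcode is installed at
# $XCODE_APP and that spctl/codesign are available (macOS only).
XCODE_APP="${XCODE_APP:-/Applications/Xcode.app}"

# Check 1: code-signing integrity. Gatekeeper must accept the bundle and a
# deep, strict signature verification must pass. A repackaged Xcode from a
# third-party mirror, or one whose files were altered after installation,
# fails one of these. Returns 0 on success, 1 on any failure.
verify_xcode_signature() {
    app="$1"
    spctl --assess --verbose "$app" || return 1
    codesign --verify --deep --strict --verbose=2 "$app" || return 1
    return 0
}

# Check 2: list every regular file named CoreServices* under the Xcode tree,
# one absolute path per line. XcodeGhost drops its CoreServices object file
# into a default framework search path, so any entry that is not present in
# a clean Xcode of the same version deserves a closer look. This is an
# inventory for comparison, not a verdict: a clean install also ships
# legitimate CoreServices framework files in its SDKs.
list_coreservices_objects() {
    root="$1"
    find "$root" -type f -name 'CoreServices*' -print 2>/dev/null | sort
}

# Convenience wrapper: number of matching files (0 when the path is missing).
count_coreservices_objects() {
    list_coreservices_objects "$1" | wc -l | tr -d ' '
}

# Stand-alone run: only does anything when an Xcode bundle is present.
if [ -d "$XCODE_APP" ]; then
    if verify_xcode_signature "$XCODE_APP"; then
        echo "signature check passed: $XCODE_APP"
    else
        echo "WARNING: signature check FAILED for $XCODE_APP" >&2
    fi
    echo "CoreServices object files under $XCODE_APP ($(count_coreservices_objects "$XCODE_APP")):"
    list_coreservices_objects "$XCODE_APP"
fi
```

The deep verification walks every file inside Xcode and can take several minutes; run it after each install or update, and keep the inventory output from a known-clean install to diff against.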