XcodeGhost Compiler Malware Targets iOS, OS X Systems

Researchers have uncovered XcodeGhost, a new piece of malware designed to inject malicious code into iOS and OS X applications.

XcodeGhost, which has mainly impacted China, was first analyzed by Chinese experts and later by researchers at network security company Palo Alto Networks. Malicious code has been unwittingly embedded into legitimate applications by developers using rogue versions of Xcode, Apple’s integrated development environment (IDE) for creating OS X and iOS software.

Malicious actors have been counting on the fact that many iOS and OS X developers in China download Xcode from third-party websites because downloading the 3Gb installer from Apple’s servers can take a long time.

While the malicious Xcode packages can be used to infect both OS X and iOS apps, so far researchers have only spotted trojanized iOS applications. According to Palo Alto Networks, 39 malicious iOS apps made their way to the official App Store without being flagged by Apple’s security systems. Reuters reported over the weekend that the Chinese security firm Qihoo360 had spotted more than 300 infected applications.

Apple said it had removed infected apps from the App Store, but it’s unclear exactly how many such pieces of software have been identified by the tech giant.

The list of trojanized programs includes some highly popular products installed by hundreds of millions of users, such as the voice and text messaging service WeChat. Tencent Holdings, the company behind WeChat, has assured customers that the latest version of the app is not affected.

Initially, the malicious applications were only observed uploading device and app information from infected iPhones and iPads to a command and control (C&C) server. However, a closer analysis revealed that the malware can also be remotely instructed to display phishing pages, read and write data in the clipboard, which is also useful for sensitive data theft, and hijack the opening of specific URLs, Palo Alto Networks said. One developer has already reported spotting iCloud phishing attempts conducted by the malware.

XcodeGhost alters applications developed with the rogue versions of Xcode through Core Services, a component used by many apps since it contains fundamental system services.


“XcodeGhost implemented malicious code in its own CoreServices object file, and copies this file to a specific position that is one of Xcode’s default framework search paths. Hence, the code in the malicious CoreServices file will be added into any iOS app compiled with the infected Xcode without the developers’ knowledge,” Palo Alto Networks researchers explained in a blog post.

The network security company has pointed out that threat actors don’t necessarily need to trick developers into using their Xcode packages to distribute trojanized apps. They can also write OS X malware designed to drop a malicious object file into a directory of a legitimate Xcode installation.

Unlike other types of threats, compiler malware can also affect enterprises that are cautious about the applications installed on employee devices. That’s because in the case of compiler malware the malicious code can end up in internally developed iOS and OS X applications.

“It’s difficult for iOS users or developers to be aware of this malware (or similar attacks) because it is deeply hidden, bypassing App Store code review. Because of these characteristics, Apple developers should always use Xcode directly downloaded from Apple, and regularly check their installed Xcode’s code signing integrity to prevent Xcode from being modified by other OS X malware,” Palo Alto Networks recommends.
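The mechanism described above (a foreign object file dropped into one of Xcode’s default framework search paths) and the closing recommendation to check the installed Xcode’s integrity come down to one defender question: has anything under the Xcode install changed since it was downloaded from Apple? The script below is an added example, not code from the article or from Palo Alto Networks. It records a SHA-256 manifest of every regular file under a directory and reports additions, removals and modifications against that saved baseline. All paths in it are assumptions: the directory layout used by `demo()` is constructed for illustration, and a real run would point it at the Xcode install directory right after a clean download. It complements, rather than replaces, Apple’s own signature check (`spctl --assess --verbose /Applications/Xcode.app`), because a manifest also catches unsigned or stray files that a signature check of the bundle would not report.

```python
"""Baseline-and-diff integrity check for an IDE install directory.

Added example (not from the article or Palo Alto Networks). The idea: hash
every file under the Xcode install once, right after a clean download from
Apple, and re-run the comparison regularly so that an extra object file
appearing in a framework search path (the XcodeGhost pattern) shows up as
an "added" entry, and a replaced one shows up as "modified".
"""
import hashlib
import json
import os
import sys
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped: app bundles contain many of them, and hashing the
    link target twice would only produce duplicate entries.
    """
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Return files added, removed or modified relative to the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def save_manifest(manifest: dict, out: Path) -> None:
    Path(out).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Constructed scenario: a clean install, then an extra framework binary
    dropped in and an existing one replaced. Returns the resulting diff."""
    root = Path(tempfile.mkdtemp(prefix="xcode_demo_"))
    frameworks = root / "Frameworks"  # hypothetical search-path directory
    (frameworks / "Foo.framework").mkdir(parents=True)
    (frameworks / "Foo.framework" / "Foo").write_bytes(b"original object file")
    baseline = build_manifest(root)

    # Constructed tampering: a new object file appears and a known one changes.
    (frameworks / "Extra.framework").mkdir()
    (frameworks / "Extra.framework" / "Extra").write_bytes(b"unexpected object file")
    (frameworks / "Foo.framework" / "Foo").write_bytes(b"replaced object file")
    return diff_manifests(baseline, build_manifest(root))


def main(argv: list) -> int:
    """Usage: baseline <install_dir> <manifest.json> | check <install_dir> <manifest.json>"""
    if len(argv) != 4 or argv[1] not in ("baseline", "check"):
        print(main.__doc__)
        return 2
    install_dir, manifest_path = Path(argv[2]), Path(argv[3])
    if argv[1] == "baseline":
        save_manifest(build_manifest(install_dir), manifest_path)
        return 0
    report = diff_manifests(load_manifest(manifest_path), build_manifest(install_dir))
    print(json.dumps(report, indent=1))
    # Any change is worth a human look; exit non-zero so a cron job can alert.
    return 1 if any(report.values()) else 0


if __name__ == "__main__":
    if len(sys.argv) == 1:
        print(json.dumps(demo(), indent=1))
    else:
        sys.exit(main(sys.argv))
```

Run with no arguments to see the constructed scenario report an added `Frameworks/Extra.framework/Extra` and a modified `Frameworks/Foo.framework/Foo`; run `baseline` once against a freshly downloaded install and `check` on a schedule thereafter. Expect a legitimate Xcode update to change many files at once, so a baseline has to be re-taken after each update, and a small, unexplained diff between updates is the signal to investigate.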

Related: Apple Updates “Sideloading” Process in iOS 9 to Boost App Security

Related: “KeyRaider” iOS Malware Targets Apple Accounts

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
