XcodeGhost Compiler Malware Targets iOS, OS X Systems

Researchers have uncovered XcodeGhost, a new piece of malware designed to inject malicious code into iOS and OS X applications.

XcodeGhost, which has mainly impacted China, was first analyzed by Chinese experts and later by researchers at network security company Palo Alto Networks. Malicious code has been unwittingly embedded into legitimate applications by developers using rogue versions of Xcode, Apple’s integrated development environment (IDE) for creating OS X and iOS software.

Malicious actors have been counting on the fact that many iOS and OS X developers in China download Xcode from third-party websites because downloading the 3Gb installer from Apple’s servers can take a long time.

While the malicious Xcode packages can be used to infect both OS X and iOS apps, so far researchers have only spotted trojanized iOS applications. According to Palo Alto Networks, 39 malicious iOS apps made their way to the official App Store without being flagged by Apple’s security systems. Reuters reported over the weekend that the Chinese security firm Qihoo360 had spotted more than 300 infected applications.

Apple said it had removed infected apps from the App Store, but it’s unclear exactly how many such pieces of software have been identified by the tech giant.

The list of trojanized programs includes some highly popular products installed by hundreds of millions of users, such as the voice and text messaging service WeChat. Tencent Holdings, the company behind WeChat, has assured customers that the latest version of the app is not affected.

Initially, the malicious applications were only observed uploading device and app information from infected iPhones and iPads to a command and control (C&C) server. However, a closer analysis revealed that the malware can also be remotely instructed to display phishing pages, read and write clipboard data (another avenue for stealing sensitive information), and hijack the opening of specific URLs, Palo Alto Networks said. One developer has already reported spotting iCloud phishing attempts conducted by the malware.

XcodeGhost alters applications developed with the rogue versions of Xcode through Core Services, a component used by many apps since it contains fundamental system services.

“XcodeGhost implemented malicious code in its own CoreServices object file, and copies this file to a specific position that is one of Xcode’s default framework search paths. Hence, the code in the malicious CoreServices file will be added into any iOS app compiled with the infected Xcode without the developers’ knowledge,” Palo Alto Networks researchers explained in a blog post.

The network security company has pointed out that threat actors don’t necessarily need to trick developers into using their Xcode packages to distribute trojanized apps. They can also write OS X malware designed to drop a malicious object file into a directory of a legitimate Xcode installation.

Unlike other types of threats, compiler malware can also affect enterprises that are cautious about the applications installed on employee devices. That’s because in the case of compiler malware the malicious code can end up in internally developed iOS and OS X applications.

“It’s difficult for iOS users or developers to be aware of this malware (or similar attacks) because it is deeply hidden, bypassing App Store code review. Because of these characteristics, Apple developers should always use Xcode directly downloaded from Apple, and regularly check their installed Xcode’s code signing integrity to prevent Xcode from being modified by other OS X malware,” Palo Alto Networks recommends.
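One way to act on that recommendation, as an added example that is not code from the article or from Palo Alto Networks: a small script that asks Gatekeeper whether the installed Xcode.app is still attributed to Apple and then runs a deep code-signature verification over the bundle. It assumes macOS with the stock spctl(8) and codesign(1) tools, assumes Xcode lives at /Applications/Xcode.app unless XCODE_PATH says otherwise, and treats the source labels "Mac App Store", "Apple" and "Apple System" as the ones that indicate Apple-distributed software.

```shell
#!/bin/sh
# Added example, not code from the article or from Palo Alto Networks.
# Checks that an installed Xcode.app still carries an intact Apple signature,
# which is the closing recommendation above. Assumes macOS with spctl(8) and
# codesign(1); the Xcode path is an assumption, override with XCODE_PATH.
XCODE_PATH="${XCODE_PATH:-/Applications/Xcode.app}"

# Interpret the output of `spctl --assess --verbose`, which looks like
#   /Applications/Xcode.app: accepted
#   source=Mac App Store
# Returns 0 only when Gatekeeper accepted the bundle AND attributed it to
# Apple; a copy fetched from a third-party mirror is rejected or carries
# another source label. Pure shell, so it can be exercised offline.
spctl_verdict_ok() {
    case "$1" in
        *": rejected"*) return 1 ;;
        *": accepted"*) ;;
        *) return 1 ;;
    esac
    src=$(printf '%s\n' "$1" | sed -n 's/^source=//p' | head -n 1)
    case "$src" in
        "Mac App Store"|"Apple"|"Apple System") return 0 ;;
        *) return 1 ;;
    esac
}

# Full check: Gatekeeper assessment, then a deep, strict signature walk that
# verifies every nested bundle and framework against its sealed resource
# list. A file added to or altered inside the signed bundle after
# installation is the kind of change this is designed to catch.
check_xcode_integrity() {
    path="${1:-$XCODE_PATH}"
    out=$(spctl --assess --verbose "$path" 2>&1) || true
    if ! spctl_verdict_ok "$out"; then
        printf 'FAIL: Gatekeeper did not attribute %s to Apple:\n%s\n' "$path" "$out" >&2
        return 1
    fi
    if ! codesign --verify --deep --strict --verbose=2 "$path" 2>&1; then
        printf 'FAIL: signature of %s is broken or contents were modified\n' "$path" >&2
        return 1
    fi
    printf 'OK: %s passes Gatekeeper and codesign verification\n' "$path"
}

# Run the live check only when invoked as `sh xcode_check.sh --run [path]`.
case "${1:-}" in
    --run) check_xcode_integrity "${2:-}" ;;
esac
```

The deep codesign pass walks the entire multi-gigabyte bundle, so expect it to take several minutes; scheduling it (for example from a periodic job on build machines) is the practical way to get the "regular" checking the quote asks for.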
Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.