Apple has confirmed that malicious code had made its way into the hundreds of apps that were being sold on the iOS App Store. This is the first large-scale attack on the App Store. There might have been as many as 350 affected apps, and some of them are very recognizable Chinese iOS offerings. The malicious program is being referred to as Xcode Ghost, and most of the victims are in China. Apple is known for its strict app review process, which prevents malicious apps from making it to the App Store. This is the first reported case where malicious code has made it past the app review process, and into a large number of apps.
The unknown attacker was able to insert malicious code into Apple’s legitimate Xcode, a free tool for app creation that developers used. The attacker posted the compromised version of Xcode onto a Chinese cloud service. The link was shared by developers on Chinese forums, and downloaded by app developers in China. The malicious software was hosted on the Chinese site Baidu. If the developers had gone directly to the iOS App Store and installed the free Xcode toolkit from there, they would not have been infected. The developers may have chosen to download the toolkit from a Chinese server instead of an American server because the download time would be shorter. Frustrated Chinese developers would have had to wait hours to download Xcode from the American iOS App Store.
Included in the infected apps is the WeChat messaging app, which has over 500 million active users – although researchers aren’t sure how many iOS users there are. Tencent, the owners of the WeChat network, could not find evidence that data was being leaked or stolen. Tencent says that the most updated version of their app was not affected by the malicious software. Didi Kuaidli, a car-hailing app similar to Uber, has also been affected by this software. A Spotify-like app from NetEase, and the country’s official train-booking website, have also been affected. Other infected apps belong to the state-run mobile carrier China Unicom.
It is suspected that the malicious code can compromise users’ credentials. Xcode Ghost can trigger fake alerts on iPhone, and prompt people to enter their iCloud passwords. Xcode Ghost also might be able to read a device’s clipboard, which hurts iPhone users who copy passwords from a password manager. According to Apple, the apps containing the malware have been removed from the App Store.
Earlier in September, 225,000 iPhone users in China who had jailbroken their phones found that their data might have been stolen by hackers. Xcode Ghost can affect both jailbroken and “stock” Apple devices. Xcode Ghost shows companies that they need to worry about what their employees are downloading onto their devices – whether they are company devices, or employee devices part of a BYOD program. Companies should regularly educate their employees about the importance of only downloading software from a trusted source. Employees should also know that if they download malware onto their company device, the company’s whole network could be negatively affected.
Promisec Endpoint Manager (PEM) helps companies monitor their networks for malicious software. The PEM endpoint software offers cyber threat detection and malware protection to companies. With PEM, companies hold their devices to corporate security standards. If devices stray from corporate security standards, PEM can immediately indicate when systems are no longer compliant, and remediate the problem before networks are compromised. PEM’s agentless solutions allow security and technology professionals to correct problems remotely and automatically, using either out-of-box rollback operations or customized scripts in a variety of languages. With PEM, CISOs won’t have to worry about their employees compromising corporate security standards.