Apple Battles App Store Malware OutbreakHundreds of Apps Compromised Via Malicious Version of Apple's Xcode Development Software
Apple is moving to contain an outbreak of malware-infected apps that may have been downloaded by hundreds of millions of iOS App Store users.
See Also: Splunk Predictions 2020
Apple on Sept. 20 confirmed that it had deleted malicious iPhone, iPad and iPod Touch software after multiple information security firms warned that "XcodeGhost" malware had been found embedded in otherwise legitimate apps, many of which were aimed at Chinese-language speakers.
Chinese Internet security firm Qihoo360 Technology says in a blog post that it detected 344 XcodeGhost-infected apps being distributed via the official Apple App Store. Prior to the attack, cybersecurity firm Palo Alto Networks reports, only five malicious apps had ever been discovered in the app store.
The name XcodeGhost was first coined by researchers at Alibaba Mobile Security, a mobile anti-virus division of China-based Alibaba Group Holding. Its researchers were the first to document the malware on Sept. 16, via social media.
The malicious apps, Palo Alto Networks says, included Tencent's WeChat app, which has an estimated 600 million users, although not all of them would be using the iOS client. Other infected Chinese-language apps included China's most popular car-hailing app, Didi Kuaidi; a streaming-music app from Internet portal NetEase; the Railway 12306 app, which is the country's only official app for purchasing train tickets; and a mobile banking app from China CITIC Bank.
But not all of the infected apps were limited to China. For example, WeChat is widely used across the Asia-Pacific region, while business card scanning program CamCard - which is developed by a Chinese company - is the most-downloaded business card reader and scanner in many countries, including the United States.
Apple has now excised the malicious apps from its App Store. "We've removed the apps from the App Store that we know have been created with this counterfeit software," Apple spokeswoman Christine Monaghan tells Reuters. "We are working with the developers to make sure they're using the proper version of Xcode to rebuild their apps."
Multiple development firms, including Tencent, NetEase and Jianshu, have issued statements about their affected products and detailed how customers can ensure they are running an XcodeGhost-free version of their apps. Tencent has confirmed that the 6.2.5 version of WeChat is infected, and urged customers to upgrade to 6.2.6 to mitigate the flaw, although it says that it preliminary investigation found no evidence that the malware stole users' private information or resulted in data leakage. NetEase, meanwhile, says that a newly released version of its music player eliminates the malware.
Malicious Development Tools
Security experts say attackers snuck the malicious apps onto Apple's App Store by distributing a malicious version of Apple's official Xcode development tool, which is used for developing iOS and Mac OS X apps.
Downloading the software from Apple's official Mac App Store, however, can be a slow process for China-based developers. "In China - and in other places around the world - sometimes network speeds are very slow when downloading large files from Apple's servers," Palo Alto Networks senior security researcher Claud Xiao says in a blog post. "As the standard Xcode installer is nearly 3GB, some Chinese developers choose to download the package from other sources or get copies from colleagues."
One of those sources, however, turned out to be a malicious version of Xcode - hosted on the Baidu Pan cloud service - that was advertised as being a faster way to download the development tools. Xiao adds that searching for Xcode via Google's Chinese site results in a link to the malicious version of Xcode appearing on the first page of search results, and notes that download links to the malicious version of Xcode were also posted to numerous forums and websites frequented by Chinese iOS developers, beginning in March.
"When the developers installed what they thought was a safe Apple dev tool, they actually got a tampered version that would compile the malicious code alongside their actual app's code," Aaron Cockerill, vice president of products at mobile security firm Lookout, says in a blog post. "These developers, unaware that their apps had been tampered with, then submitted those apps to the App Store for distribution to iOS devices."
Baidu spokesman Kaiser Kuo tells Information Security Media Group that the Chinese search giant "scrubbed the malicious Xcode immediately on learning of its existence, and looked carefully for any other possible copies that users might have uploaded."
Apple claims to vet all software - including updates to existing apps - before making it available via its App Store. But this attack somehow bypassed or escaped those controls.
Security consultant and SANS Institute Internet Storm Center handler Xavier Mertens says that based on the source code for XcodeGhost - which has been uploaded to code-sharing site GitHub - the malware is designed to gather the name of the application, the app and OS version, language settings, user's country, developer information, the type of installation, as well as the device name and type, and send it to a command-and-control server that resolved to various Web spaces being hosted via both Amazon Web Services as well as domain registrar GoDaddy. But the command-and-control infrastructure is no longer active, he adds.
How to Mitigate Threat
One lesson from the malicious App Store attack is that organizations must ensure that their developers are only using approved tools, warns Dublin-based information security consultant Brian Honan, who is also a cybersecurity adviser to Europol. "Companies doing Apple App development need to ensure their staff are using secure resources," he says via Twitter.
In the case of this outbreak of XcodeGhost, Mertens notes that IT managers can identify whether employees were using infected apps by reviewing their firewall or proxy logs for the presence of HTTP traffic to "http://init.icloud-analysis.com." He also recommends changing the passwords for any software that is known to have been infected.
Mertens says the attack is a reminder that developers should only ever download development tools - such as Xcode - from their official locations, as well as double-check the MD5 or SHA1 hash used to sign the software, to ensure that they have obtained a legitimate version.