Recently, Chinese iOS developers have discovered a new OS X and iOS malware dubbed XcodeGhost that has appeared in malicious versions of Xcode, Apple’s official toolkit for developing iOS and OS X apps.
This hack involves infecting the compiler with malware, which is then passed on to every app the compiler builds. This is a unique approach because the hack does not attempt to inject attack code into a single app and then try to sneak it past Apple’s automated and human reviews.
The primary behavior of XcodeGhost in infected iOS apps is to collect information on devices and upload that data to command and control (C2) servers. Once the malware has established a foothold on infected devices, it has the ability to phish user credentials via fake warning boxes, open specific URLs in a device’s web browser, and even scrape the clipboard.
Since Xcode is one of the main tools used to produce Apple software for both Mac computers and iPhones, this could potentially impact millions of users. Palo Alto Networks identified nearly 50 infected applications on the iOS (iPhone) platform alone, a figure that grew sharply when FireEye researchers discovered more than 4,000 infected apps.
The popular instant messaging app WeChat, the Chinese Uber-like cab service Didi Kuaidi, the photo editor Perfect365, the music streaming service NetEase, and the card scanning tool CamCard were found to be infected by the malicious Xcode.
The infected apps can perform the following:
- Prompt a fake alert dialog box to steal user credentials (username and password).
- Trick user to open specific URLs that could allow for exploitation of bugs in the iOS system or other iOS apps.
- Read and write data to the user’s clipboard – to read the user’s password if that password is copied from a password management tool.
Apple has removed some of the infected apps, but others are still out there, so please be careful.
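Because the infection starts with a tampered copy of Xcode rather than with the apps themselves, the practical defender's check is to confirm that the installed Xcode is still Apple-signed. The script below is an added example, not from the original post; it wraps the macOS `spctl --assessment --verbose` check Apple documented for this purpose, and the function names and the sample output strings are my own.

```shell
#!/bin/sh
# Added example: verify an Xcode.app bundle is Gatekeeper-accepted and Apple-signed.
# Helper names are hypothetical; the live check requires macOS (spctl).

# Interpret spctl's assessment output (passed as a string). Returns 0 only when
# the bundle was accepted AND the signing source is Apple: "Mac App Store",
# "Apple System" or "Apple". Anything else (rejected, or a third-party source)
# indicates a copy of Xcode that should not be trusted to build shipping apps.
xcode_assessment_ok() {
    printf '%s\n' "$1" | grep -q ': accepted$' || return 1
    printf '%s\n' "$1" | grep -Eq '^source=(Mac App Store|Apple System|Apple)$' || return 1
    return 0
}

# Run the real assessment against an Xcode.app path (defaults to /Applications).
# spctl exits non-zero and prints "rejected" when the signature is invalid.
check_xcode() {
    path="${1:-/Applications/Xcode.app}"
    out=$(spctl --assessment --verbose "$path" 2>&1) || {
        echo "REJECTED: $out"
        return 1
    }
    if xcode_assessment_ok "$out"; then
        echo "OK: $out"
    else
        echo "SUSPECT (not Apple-signed): $out"
        return 1
    fi
}

# Uncomment on a macOS build host:
# check_xcode /Applications/Xcode.app
```

Run it on every build machine (including CI runners) after each Xcode install or update, since XcodeGhost spread through unofficial Xcode downloads rather than through the App Store copy.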