It looks like iOS wants to compete with Android in all aspects, including security flaws, as just a few days ago one of the most serious security breaches in the history of Apple’s mobile OS was discovered.
The company purged hundreds of apps from the App Store, that were found to include a malicious program called XcodeGhost. The program ended up in legitimate apps as Chinese developers used a counterfeit version of Apple’s Xcode software hosted on the Baidu file sharing service. Those who used XcodeGhost to compile their apps, unknowingly let the malware be distributed through the App Store. Since then, Baidu has removed all of the files.
You might ask why did these developers chose to download the Xcode package from third-party sources instead of Apple’s servers. Because in China (and not only), network speeds can be very slow when downloading large files from Apple’s servers. The package being about 3GB, some Chinese developers simply made copies from colleagues or tried to get it alternative sources. According to Palo Alto Networks, localized Google search results for the Xcode installer point towards various forums and websites frequently visited by Chinese iOS developers, all linking to the Baidu-hosted infected files.
The Cupertino-based tech company didn’t specify exactly how many infected apps managed to get past its review process. Qihoo 360 Technology, a Chinese security firm states they have discovered 344 apps that are affected by XcodeGhost.
Apple already removed the infected apps from the store, but those who have them installed still have to manually delete them from their devices. Also, they are already working with developers to ensure they’re now using the legitimate version of Xcode to rebuild their apps, according to Apple spokeswoman Christine Monaghan.
Who is affected?
As the apps come from Chinese developers, most affected users are from China, but some of the titles are available in the U.S. and other parts of the world as well. WeChat is one of the most popular affected apps, although Tencent, the developing company, has already updated it to version 6.2.6 which removed the malicious code (older versions may still be infected).
Palo Alto Networks, Qihoo 360 and some iOS developers among others have analyzed popular App Store apps by code analysis to find a number of infected apps – some popular in China, and others also widely used in other countries.
Among these apps there are banking apps, IMs, apps from mobile carriers, maps, stock trading apps and games. Besides WeChat, other popular apps affected by the Xcode exploit include Didi Chuxing – China’s most popular Uber-like app, Railway 12306 – the official app for buing train tickets in China and Tonghuashun a well-known stock trading app.
Some of the affected apps are not China-exclusive such as CamCard – one of the most popular business card reader and scanner in many parts of the world, including the US.
What risks are there?
According to the Palo Alto Networks Research Center, the XcodeGhost infected iOS apps collect data on the devices, encrypt it and then upload it to command and control (C2) servers. As the code analysis revealed, the collected information includes the current time, app name, app bundle identifier, device name and type, system language and country, UUID and network type.
While it is an intrusion, the information XcodeGhost collects from devices is quite harmless (compared to types of data which are far more sensitive), this being one of the main reasons for which it was able to pass the App Store code review.
How can you protect yourself?
The first step would be to uninstall the affected apps and for those that have received a security update, installed the patched and malware-free version. CultOfMac published a list of some of the most popular affected apps (you can see all of them here). Remove the ones you have installed on your device and do not reinstall them unless an update version is available from the developer.
Also, Palo Alto Networks recommends you also enable two-step verification for your Apple ID and steer clear of untrusted WiFi networks. Pangu Team created an app that can detect if any of their installed apps are infected – you can get it by visiting x.pangu.io in your iPhone or iPad.
With that said, there may be more infected apps in the App Store since the trojaned Xcode packages have been available online since March. Dare I say, it’s likely most infected apps are from Chinese developers and with no intention to stigmatize them, you should research any such apps you may have installed on your device even if they’re not on any official list of Xcode infected apps and do the same if you want to install new ones.
Did you find any Xcode infected apps on your device? What do you think about this iOS security risk? Share your thoughts with us in the comments section or give us a shout on Facebook, Twitter or Google+.