Updated XcodeGhost Adds iOS9 Support

A new version of XcodeGhost has added new obfuscation techniques, and support for iOS9. Infections have also reached out beyond China.

New samples of XcodeGhost, malware targeting iOS devices, have surfaced beyond the borders of China with new support for iOS9 and obfuscation techniques making it that much harder to detect.

iOS9 is only a few weeks old and included new security measures that allowed for only secure HTTPS connections by default, cutting off lines of communication for earlier versions of the malware that operated only over HTTP.

This version of XcodeGhost, researchers at FireEye said, takes advantage of an exception afforded developers to use unencrypted connections. The malware scans for the exception, and connects to its control infrastructure.

FireEye reported its findings to Apple, and all of the XcodeGhost samples that have been detected have been removed from the App Store.

XcodeGhost first surfaced in late September when researchers at Palo Alto Networks looked into reports of the malware bandied about on Chinese forums. Hackers in China were hosting infected versions of Xcode, Apple’s free iOS development environment. Developers using the hacked versions of Xcode were inadvertently infecting apps that were finding their way past Apple’s malware scanners and onto the App Store.

The updated version of XcodeGhost, FireEye said, was planted in different versions of Xcode, including Xcode 7, which was released for iOS9.

Some popular apps, including WeChat, were infected and ultimately removed from the App Store; the apps were recompiled with updated versions of Xcode once Apple addressed the issue.

At first, it was believed that once XcodeGhost infects a device, that it was just communicating system information to one of three command and control servers. A closer look at traffic revealed that the command servers were returning encrypted JSON formatted data that displays an alert to the user seeking credentials, or opens a hacker-controlled URL that could be used to exploit other flaws on the device or other apps running on the phone, Palo Alto said.

FireEye said it detected one Chinese travel app, “自由邦” (version 2.6.6 updated on Sept. 15) that was infected and has been taken down from the App Store in China and the U.S.

Raymond Wei, senior director of security engineering at FireEye, said the iOS9 version of XcodeGhost also includes a new obfuscation library to help the malware evade detection.

“Previous versions had a standard string in the library and scanning for the static string can allow you to identify all the infected samples,” Wei said. “We found another one that assembles the string in runtime. It breaks up the string into one character at a time and assembles the URL domain at runtime. If you run a static analysis, you won’t find the malicious domain.”
Wei said this type of obfuscation is a popular technique among malware writers, but it’s the first time it’s been used with XcodeGhost.

Since the initial XcodeGhost infections, FireEye said it has detected 210 infections inside enterprise networks, and more than 28,000 attempts to connect to the command and control infrastructure. Most of the infections among FireEye’s customer sample are in Germany (62 percent) and the United States (33 percent), largely affecting education and high tech markets.

“This is not limited to China,” Wei said. “Many of the apps were distributed around the world, not just to the Chinese App Store. It’s reasonable to assume these apps are used by people familiar with Chinese culture, but they are distributed to users around the world.”

Suggested articles