Concern over the so-called XcodeGhost malware has put the security of Apple’s App Store on the front page. While the App Store was not hacked, attackers did manage to append malicious code to a number of popular apps—most of those developed in China—and find a loophole in Apple’s code-scanning to slip them into the App Store.
Worry elevated in the days since XcodeGhost was discovered, from what was thought to be a relatively contained threat to phishing attacks coveting iCloud credentials. Apple has removed 39 confirmed applications that contained XcodeGhost—including WeChat, a free messaging and calling app that Apple says is used by half a billion people worldwide on the iPhone and iPad—and the three command and control servers communicating with the infected applications, hosted on Amazon’s EC2, have been shut down.
That, however, doesn’t mean there aren’t more infected apps out there, and that more phishing campaigns and drive-by style attacks won’t be attempted. In the meantime, Apple has a tricky gap to fill in its App Store vetting and scanning in order to prevent attacks via similar avenues.
In this case, attackers hosted a malicious version of Apple’s Xcode development environment used to build iOS apps. Xcode is freely available, and someone in China hosted a version of Xcode that was modified with XcodeGhost. Researchers at Palo Alto Networks, following up on initial findings from researchers published on the Chinese blog Weibo, determined that this malicious Xcode package had been available for six months and had been downloaded and used to build numerous new and updated iOS apps that were pushed into the App Store. The malicious Xcode package was also a top search result on Chinese search engine Baidu, said Ryan Olson, director of threat intelligence at Palo Alto.
“At first, we didn’t think it was doing anything malicious, that it was just a test,” said Olson.
That changed, however, as the weekend progressed. Olson said that once XcodeGhost infects an Apple device, it performs a number of checks and communicates system information to one of the three command servers. At first, researchers thought that’s all that was happening, but a closer look at traffic revealed that the command servers were returning encrypted JSON formatted data that displays an alert to the user seeking credentials, or opens a hacker-controlled URL that could be used to exploit other flaws on the device or other apps running on the phone, Palo Alto said.
“There is the potential that there are lots of vulnerabilities that have not been tested that an attacker could take advantage of,” Olson said.
The SANS Institute, meanwhile, reported today that the author of XcodeGhost published the malware’s source code on GitHub, and recommended that enterprises check HTTP traffic logs for pings out to init[.]icloud-analysis[.]com or to any of the three command domains to determine if a user’s iPhone has been infected. Developers should also determine if the malicious CoreServices file Library/Frameworks/CoreServices.framework/CoreService exists in the Xcode SDK/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/, SANS said.
“It’s an interesting attack,” Olson said, adding that developers in China may choose to download Xcode from Baidu rather than Apple directly because of the size of the file and restrictions on imposed on the Internet in China. “They’re tricking people into downloading the malicious installer package. They might wait hours and hours to get the download from Apple, but from Baidu it’s quicker and it’s coming up high [in search results].”
A request to Apple for comment was not returned in time for publication. A spokesperson confirmed to Reuters that the known malicious apps were removed from the App Store and that Apple is working with developers to ensure they’re using the right version of Xcode.
Since an attack such as XcodeGhost targets developers, it may prompt others to try a similar attack vector, since Apple’s scanning may not be looking for modified libraries such as this.
“Modifications to Xcode are rare. I don’t see any reason someone would want to make changes to a base package like this,” Olson said. “You wouldn’t take an Apple DMG (disk image file) and add a file to it.”