As more eyes peer into XcodeGhost, the malware that managed to sneak into Apple’s App Store, more trouble bubbles to the surface.
Researchers at Palo Alto Networks said in an updated report that the malware contains a vulnerability that allows an attacker in man-in-the-middle position to control iOS applications infected by XcodeGhost.
“XcodeGhost used HTTP to upload information and receive [command and control] commands. The content in these HTTP requests and responses were encrypted by DES algorithm in ECB mode. It’s also not hard to find the encryption key in its code by reverse engineering,” wrote researcher Claud Xiao. “Consider that HTTP traffic can be hijacked or faked in many ways. … By exploiting this vulnerability, an attacker can construct any URL in any scheme and control infected apps to open, or prompt an alert dialog for further attacks.”
Over the weekend, Palo Alto reported that 39 iOS apps infected with XcodeGhost had been removed from the App Store and that Amazon had shut down the malware’s three command and control servers being hosted on Amazon EC2 instances. The man-in-the-middle vulnerability, however, still puts devices running the infected apps at risk for exploit.
Since the initial reports, possibly thousands more iOS apps have been identified as infected; iOS hackers Pangu Team said it found more than 3,400, while Appthority found 476 apps and Qihoo 360 listed another 350. This confirms Palo Alto’s initial fears that since the malware was showing compile dates from March, which is the same time frame around when the command and control servers appeared, that many more applications were in the crosshairs of XcodeGhost.
Palo Alto, meanwhile, said that its initial report that some of the infected apps were phishing users for their iCloud credentials was incorrect, but that functionality could be added with a slight modification.
“In iOS, if an app prompts a dialog by the UIAlertView class, there’s a property alertViewStyle to specify which kind of dialog it wants to show. For example, if a password input dialog is needed, the property should be assigned to UIAlertViewStyleLoginAndPasswordInput. If the iOS developer didn’t specify any value, by default the dialog will have no input form but is just an alert with message and buttons,” Xiao said. “We checked all versions of malicious files in XcodeGhost we have available, and didn’t find any one of them specified this property when prompting the alert dialog.”
Attacking the App Store is a difficult proposition given Apple’s stringent vetting of developers and security scans of apps before they’re accepted into the App Store. Using the Xcode compiler as a means of sneaking infected apps into the Apple market is an idea that’s been explored before. NSA documents disclosed by whistleblower Edward Snowden and reported by The Intercept show that researchers from Sandia National Labs did a presentation at a technical conference three years ago explaining how to attack OS X and iOS software through software development kits.
The presentation explicitly recommends using modified versions of Xcode to open a backdoor on OS X applications, export a developer’s private key without raising an alert and disable ASLR among other functionality.
The modified versions of Xcode showed up in March shortly after The Intercept’s report, Xiao said. Search engine results on China’s most popular search engine Baidu were poisoned and the modified Xcode containing XcodeGhost was a top result. Developers in China, because of Internet restrictions in the country, are much more likely to quickly download Xcode from a third party than directly from Apple.
Apple has communicated to its developers that they should recompile their apps with a legitimate version of Xcode, and resubmit affected applications.