XcodeGhost Malware Stirring Up More Trouble

Researchers found a weakness in XcodeGhost that puts it at risk for man-in-the-middle attacks.

As more eyes peer into XcodeGhost, the malware that managed to sneak into Apple’s App Store, more trouble bubbles to the surface.

Researchers at Palo Alto Networks said in an updated report that the malware contains a vulnerability that allows an attacker in a man-in-the-middle position to control iOS applications infected by XcodeGhost.

“XcodeGhost used HTTP to upload information and receive [command and control] commands. The content in these HTTP requests and responses was encrypted by the DES algorithm in ECB mode. It’s also not hard to find the encryption key in its code by reverse engineering,” wrote researcher Claud Xiao. “Consider that HTTP traffic can be hijacked or faked in many ways. … By exploiting this vulnerability, an attacker can construct any URL in any scheme and control infected apps to open, or prompt an alert dialog for further attacks.”

Over the weekend, Palo Alto reported that 39 iOS apps infected with XcodeGhost had been removed from the App Store and that Amazon had shut down the malware’s three command and control servers hosted on Amazon EC2 instances. The man-in-the-middle vulnerability, however, still puts devices running the infected apps at risk of exploitation.

Since the initial reports, possibly thousands more iOS apps have been identified as infected; iOS hackers Pangu Team said it found more than 3,400, while Appthority found 476 apps and Qihoo 360 listed another 350. This confirms Palo Alto’s initial fear that many more applications were in the crosshairs of XcodeGhost, since the malware showed compile dates from March, the same time frame in which the command and control servers appeared.

Palo Alto, meanwhile, said that its initial report that some of the infected apps were phishing users for their iCloud credentials was incorrect, but that functionality could be added with a slight modification.

“In iOS, if an app prompts a dialog by the UIAlertView class, there’s a property alertViewStyle to specify which kind of dialog it wants to show. For example, if a password input dialog is needed, the property should be assigned to UIAlertViewStyleLoginAndPasswordInput. If the iOS developer didn’t specify any value, by default the dialog will have no input form but is just an alert with message and buttons,” Xiao said. “We checked all versions of malicious files in XcodeGhost we have available, and didn’t find any one of them specified this property when prompting the alert dialog.”

Attacking the App Store is a difficult proposition given Apple’s stringent vetting of developers and security scans of apps before they’re accepted into the App Store. Using the Xcode compiler as a means of sneaking infected apps into the Apple market is an idea that’s been explored before. NSA documents disclosed by whistleblower Edward Snowden and reported by The Intercept show that researchers from Sandia National Labs did a presentation at a technical conference three years ago explaining how to attack OS X and iOS software through software development kits.

The presentation explicitly recommends using modified versions of Xcode to open a backdoor on OS X applications, export a developer’s private key without raising an alert and disable ASLR among other functionality.

The modified versions of Xcode showed up in March shortly after The Intercept’s report, Xiao said. Search engine results on China’s most popular search engine Baidu were poisoned and the modified Xcode containing XcodeGhost was a top result. Developers in China, because of Internet restrictions in the country, are much more likely to quickly download Xcode from a third party than directly from Apple.

Apple has communicated to its developers that they should recompile their apps with a legitimate version of Xcode, and resubmit affected applications.

    All these technical explanations are great for IT people.... but mean nothing to the product users. Almost daily, consumers receive some 'important' or 'critical' update notifications for application(s) and/or operating system of their cellphones, desktops, laptops, etc. Rarely are these updates accompanied by any explanation (in layman's terms) of their reason/need. The consumer can only trust that the update is necessary and then proceeds to blindly install them. More often than not, following installation of the update, new problems/issues then manifest themselves within the devices and/or any of their previously installed software/applications. The only recourse then is to completely uninstall (if possible) the latest update, leaving the device vulnerable yet again. Further, when news of some new exploit breaks, the consumer may receive a patch, and may receive such in a timely manner, but almost always in absence of any explanation. Consumers need 'LayTech' sites. Sites that offer useful/usable/understandable information and explanation of identified exploits and 'fixes' received. We need sites that:
    -- Instruct us in how to identify whether our device has been infected by the latest exploit(s)
    -- Explain the reason for the updates, patches and 'fixes' we receive,
    -- Provide instruction for complete uninstall, should the update/patch/'fix' subsequently cause a problem/issue with, or a malfunction of, any previously installed software/app or with the device itself.
    Surely, as there are so many savvy technicians out there in cyberspace, a few of them could collaborate and devise such a site for consumers. Such a site would surely garner a million 'followers' and an equal number of 'likes'! Anyone up to the challenge?

      ::cricket-noise:: ::cricket-noise:: ::microphone-feedback:: ::tap-tap-tap:: Well, 'speaking' as a, questionably, 'savvy technician', I feel obliged to say at least this one thing to you....well played sir/madam...well played.
