XcodeGhost malware sneaks into Apple’s App store, infects popular apps such as WeChat and others

A malicious program dubbed XcodeGhost has hit apps in Apple’s App Store, including well-known applications such as the popular messaging platform WeChat.

Apple confirmed news of the malware Sunday and stated that it was removing malicious iPhone and iPad programs identified in what Reuters refers to as the “first large-scale attack on the popular mobile software outlet.”

Security firm Palo Alto Networks, Inc. first identified the infected apps and said that, as of its last update, some 39 apps had been infected, including the aforementioned WeChat, along with Chinese taxi-hailing app Didi Chuxing, popular Chinese train-ticket purchasing app Railway 12306, and others including popular stock-trading apps, all targeting a Chinese audience.

Separate reports from Qihoo360 Technology Co. put the number of infected apps at nearly 400, and one from Dutch security firm Fox-IT gives a different list of infected apps that includes apps popular in the West, such as WinZip, PDFReader and others.

It would appear at least one copy of Apple’s Xcode platform used to build apps had been modified, meaning that the malware code was automatically injected into new apps; what isn’t clear is whether the modified version of Xcode was downloaded directly from Apple or was instead shared among developers themselves. Some suggestions indicate it could have been the latter, given the slow download speeds developers in China get from Apple when obtaining Xcode.

What it does

XcodeGhost is malicious code that is located in a Mach-O object file that was repackaged into some versions of Xcode installers.

According to a separate explanation from Palo Alto Networks, XcodeGhost collects information on the devices running infected apps and uploads that data to command and control (C2) servers; the collected information is said to include:

  • Current time
  • Current infected app’s name
  • The app’s bundle identifier
  • Current device’s name and type
  • Current system’s language and country
  • Current device’s UUID
  • Network type

Among other features, it is able to use this information to gain access to an infected user’s iCloud account, and it can also be remotely controlled by the attacker to phish or to exploit local system or app vulnerabilities.
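Because the infection came from a tampered Xcode install rather than from the apps’ own source, the developer-side check is to verify that the Xcode bundle still carries Apple’s signature and passes Gatekeeper. The script below is an added example, not from the article or from Apple or Palo Alto Networks; it wraps the standard `spctl --assess --verbose` assessment and keeps the output parsing in a separate function so the decision logic can be exercised with constructed output on any POSIX shell.

```shell
#!/bin/sh
# Added example: verify an Xcode install against Gatekeeper (macOS spctl(8)).
# A genuine Xcode reports ": accepted" with a source of "Mac App Store",
# "Apple System" or "Apple"; a repackaged installer is unsigned or resigned
# by someone else and does not.

# xcode_assess_ok OUTPUT
#   Returns 0 if OUTPUT (the text spctl printed) shows an accepted,
#   Apple-originated bundle, 1 otherwise. Pure string logic, no spctl needed.
xcode_assess_ok() {
    out="$1"
    case "$out" in
        *": accepted"*) ;;          # Gatekeeper verdict line must be "accepted"
        *) return 1 ;;
    esac
    case "$out" in
        *"source=Mac App Store"*|*"source=Apple System"*|*"source=Apple"*)
            return 0 ;;             # signed by Apple, not a third party
        *) return 1 ;;
    esac
}

# check_xcode [PATH]
#   Runs the real assessment on a macOS host (default path assumed).
check_xcode() {
    path="${1:-/Applications/Xcode.app}"
    # spctl exits non-zero on "rejected"; capture output either way.
    out="$(spctl --assess --verbose "$path" 2>&1)" || true
    if xcode_assess_ok "$out"; then
        echo "OK: $path is Apple-signed and accepted by Gatekeeper"
        return 0
    fi
    echo "WARNING: $path failed assessment; reinstall Xcode from the Mac App Store" >&2
    echo "$out" >&2
    return 1
}
```

Run `check_xcode` on a build machine; a warning means the Xcode bundle should be replaced and any apps built with it rebuilt and resubmitted.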

“We’ve removed the apps from the App Store that we know have been created with this counterfeit software,” Apple spokeswoman Christine Monaghan said in a statement.

If you’re not in China it is unlikely you have been infected, but if in doubt make sure your apps are up-to-date, particularly if you use WeChat.

Image credit: 132889348@N07/Flickr/CC by 2.0
