Last week it was discovered that new iOS malware called XcodeGhost was included in a number of apps in the App Store. The malware was spreading via an altered version of Xcode, Apple’s official app development tool.
The malicious version of Xcode had been uploaded to Chinese cloud file sharing service Baidu and downloaded by some iOS developers in China. Those developers then unknowingly compiled apps using the malicious version of Xcode, and then made those apps available on the iOS App Store.
Chinese developers commonly download new versions of Xcode from servers other than Apple’s official source, due to the large size of Xcode, which can take a long time to download in China.
Versions of Xcode affected are unofficial versions between Xcode 6.1 and Xcode 6.4. Affected iOS devices include any device running a version of iOS that is compatible with the infected apps. This can affect any iOS device, jailbroken or not.
Apps infected via XcodeGhost can collect the following information about infected devices:
- Current time
- Current infected app’s name
- The app’s bundle identifier
- Current device’s name and type
- Current system’s language and country
- Current device’s UUID
- Network type
The infected the apps can also receive commands from an attacker to perform the following actions:
- Prompt a fake alert dialog to phish user credentials;
- Hijack opening specific URLs based on their scheme, which could allow for exploitation of vulnerabilities in the iOS system or other iOS apps;
- Read and write data in the user’s clipboard, which could be used to read the user’s password if that password is copied from a password management tool.
While it has been suggested that over 300 apps have been infected, the following apps have so far been confirmed as being infected (via Business Insider):
- Didi Chuxing (developed by Uber’s biggest rival in China Didi Kuaidi)
- Angry Birds 2 (Only listed on the Business Insider list, we’re still checking to confirm…)
- Micro Channel
- IFlyTek input
- Railway 12306 (the only official app used for buying train tickets in China.)
- The Kitchen
- Card Safe
- CITIC Bank move card space
- China Unicom Mobile Office
- High German map
- Jane book
- Eyes Wide
- Mara Mara
- Medicine to force
- Pocket billing
- Quick asked the doctor
- Lazy weekend
- Microblogging camera
- Watercress reading
- CamCard (a very popular business card reader.)
- Stocks open class
- Hot stock market
- Three new board
- The driver drops
- Telephone attribution assistant
- Marital bed
- Poor tour
- I called MT
- I called MT 2
- Freedom Battle
Apple issued the following statement to:
“We’ve removed the apps from the App Store that we know have been created with this counterfeit software. We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.”
If you have any of the above apps installed on your iOS device, immediately uninstall the app, and update to a newer version that has been cleaned of the malware. It is also suggested that users also reset any passwords that have been entered on the infected device.
Developers should delete any unofficial versions of Xcode that they may have installed, and should then install official versions of Xcode 7 or the Xcode 7.1 beta. Both are available from the official Apple Developer Center, and the Mac App Store, free of charge.