Tuesday, September 22, 2015

XcodeGhost

Apple (comments):

We recently removed apps from the App Store that were built with a counterfeit version of Xcode which had the potential to cause harm to customers. You should always download Xcode directly from the Mac App Store, or from the Apple Developer website, and leave Gatekeeper enabled on all your systems to protect against tampered software.

John Gruber:

They didn’t attack the App Store itself, instead, they created a hacked version of Xcode that seems to work as expected but inserts the malware payload into the apps it compiles. Why in the world would developers download Xcode from a source other than Apple? Because China’s internet speeds are so slow (and Xcode is a multi-gigabyte download).

Joe Rossignol:

Palo Alto Networks has shared a full list of over 50 infected iOS apps, including WeChat, NetEase Cloud Music, WinZip, Didi Chuxing, Railway 12306, China Unicom Mobile Office and Tonghuashun.

[…]

iOS apps infected with XcodeGhost malware can and do collect information about devices and then encrypt and upload that data to command and control (C2) servers run by attackers through the HTTP protocol.

Joseph Cox:

Apple has now removed over 300 pieces of software from the App Store, after malware that targeted developers managed to create infected iOS apps. On top of that, it looks like the apps are more dangerous to Apple customers than previously thought.

[…]

But according to findings from one researcher, and then built upon by Xiao, the infected apps are also capable of receiving commands from the attacker. These commands can apparently allow a hacker to read and write data to the victim’s clipboard, open specific URLs, or prompt a fake alert on the victim’s screen. Some of these could be used to steal passwords, Xiao claims.

So much for the idea that App Review protects us from malware.

Previously: The CIA’s Xcode.

Update (2015-09-22): Dan Goodin:

This isn’t the first time a malicious app has made its way into the App Store, since there are a handful of other times bad titles have been found. Still, the number of infections and of the iOS users potentially affected appeared to be highly unusual, if not unprecedented. What’s more, Chinese firm Qihoo360 Technology, reportedly has said the number of affected apps is much bigger than originally reported, with a total of 344.

The list of infected apps includes some of the most popular apps in China, including the ride-hailing app Didi Kuaidi. WeChat, which has some 500 million users, was also affected, although the infection was limited only to version 6.2.5. People using version 6.2.6 and later aren’t affected, the chat developer said in a blog post.

Rosyna Keller says that XcodeGhost does not prompt for passwords.

Claud Xiao:

In the current version of the code, XcodeGhost cannot be directly used to phish iCloud passwords. However, by changing a few simple lines of code, it can do that.

Apple:

We’re not aware of personally identifiable customer data being impacted and the code also did not have the ability to request customer credentials to gain iCloud and other service passwords.

Update (2015-10-04): Rainer Brockerhoff:

Needless to say, the new version of RB App Checker Lite also detects the added frameworks and warns: “3 frameworks are suspect: they use system names but are NOT signed by Apple!”.

[…]

Therefore, unless you check the entire app contents with GateKeeper, RB App Checker Lite (or even the codesign command-line utility), it will be humanly impossible to pick out visually — by inspection in the Finder — if anything has been changed inside Xcode. So keep GateKeeper turned on! One suggestion Apple should implement is running GateKeeper tests for Apple-signed software even if GateKeeper has been deliberately disabled.

Update (2021-05-07): Lorenzo Franceschi-Bicchierai (tweet):

As part of the trial against Epic Games, Apple released emails that show that 128 million users, of which 18 million were in the U.S., downloaded apps containing malware known as XCodeGhost from the App Store.

Update (2021-05-10): Dan Goodin:

In September 2015, Apple managers had a dilemma on their hands: should, or should they not, notify 128 million iPhone users of what remains the worst mass iOS compromise on record? Ultimately, all evidence shows, they chose to keep quiet.

Previously:

2 Comments RSS · Twitter

Someone recently suggested that Apple implement a stronger version of Gatekeeper that would strictly enforce signature validation for apps recognised as Apple development tools. All the tools are already in place, it is "simply" a matter of gluing them together.

This seems worth pursuing : when SIP is enabled and a user downloads a bundle named after one of Apple's official development tools, whose names are trademarked and should never be duplicated, enforce signature validation and simply refuse to run if the bundle does not pass.

There is potential for abuse, of course but, given users are less likely to download a pseudo-official copy of Xcode with a name other than Xcode, this might just work in a comfortable majority of cases.

It also seems that Apple ought to implement proper background file scanning before it is too late. The current malware blacklist is a bit of a joke, especially as it is so easy to bypass and utterly ineffective once the malicious app is on the system. How many trojanised copies of Xcode will remain on backups and thumb drives, ready to be restored?

"a stronger version of Gatekeeper that would strictly enforce signature validation for apps recognised as Apple development tools."

How do you plan on recognizing apps that are Apple development tools? There's absolutely nothing that prevents someone from overwriting the signature of every single binary of Xcode and then distribute it as is. It will pass Gatekeeper check, will not be recognized as an Apple development tool.

"[…] when SIP is enabled" […]"

Since Xcode sits in /Applications, its installation is not impacted by SIP. Only the additional files being installed when you open the app for the first time or try to debug an app for the time would be impacted. Since these packages are signed by Apple, as long as the hack does not require to modify the contents of these packages, they would not be affected by SIP.

Also would the accumulation of these additional verifications be effective, please, tell me where to find a rope and a tree because I won't endure waiting for Xcode to be checked three times by Gatekeeper every time I install a new seed of this IDE.

"[…] but, given users are less likely to download a pseudo-official copy of Xcode with a name other than Xcode, this might just work in a comfortable majority of cases. […]"

Because the guys who make/distribute malware are so afraid of infringing an Apple trademark that they would not bother using "Xcode" for the name of the product or they would not be clever enough to use one of the various unicode variations or even the Unicode trick to revert the direction of writing to overwrite any extraneous characters?

"[…]The current malware blacklist is a bit of a joke, especially as it is so easy to bypass and utterly ineffective once the malicious app is on the system. How many trojanised copies of Xcode will remain on backups and thumb drives, ready to be restored?"

The problem is not the list, the problem is Gatekeeper mechanism that is based on the Quarantine flag. So as long as the Quarantine flag is not set, Gatekeeper will do nothing. If you download Xcode from the official Developer website using curl/wget, Gatekeeper will check nothing unless Apple recently made changes to the versions of these command line tools.

--

Side note: in addition to the Apple MAS and Developer servers being slow or throttled by ISPs, there's also the issue that the navigation in the Developer site is so bad since June that finding the download link for something is now an adventure each time.

Leave a Comment