{"id":12319,"date":"2015-09-22T13:50:46","date_gmt":"2015-09-22T17:50:46","guid":{"rendered":"http:\/\/mjtsai.com\/blog\/?p=12319"},"modified":"2021-05-10T15:40:19","modified_gmt":"2021-05-10T19:40:19","slug":"xcodeghost","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2015\/09\/22\/xcodeghost\/","title":{"rendered":"XcodeGhost"},"content":{"rendered":"

Apple<\/a> (comments<\/a>):<\/p>\n

We recently removed apps from the App Store that were built with a counterfeit version of Xcode which had the potential to cause harm to customers. You should always download Xcode<\/a> directly from the Mac App Store, or from the Apple Developer website, and leave Gatekeeper enabled on all your systems to protect against tampered software.<\/p><\/blockquote>\n

John Gruber<\/a>:<\/p>\n

They didn’t attack the App Store itself, instead, they created a hacked version of Xcode that seems to work as expected but inserts the malware payload into the apps it compiles. Why in the world would developers download Xcode from a source other than Apple? Because China’s internet speeds are so slow<\/a> (and Xcode is a multi-gigabyte download).<\/p><\/blockquote>\n

Joe Rossignol<\/a>:<\/p>\n

Palo Alto Networks has shared a full list of over 50 infected iOS apps<\/a>, including WeChat, NetEase Cloud Music, WinZip, Didi Chuxing, Railway 12306, China Unicom Mobile Office and Tonghuashun.<\/p>\n

[…]<\/p>\n

iOS apps infected with XcodeGhost malware can and do collect information about devices and then encrypt and upload that data to command and control (C2) servers run by attackers through the HTTP protocol.<\/p><\/blockquote>\n

Joseph Cox<\/a>:<\/p>\n

Apple has now removed over 300 pieces of software from the App Store, after malware that targeted developers managed to create infected iOS apps. On top of that, it looks like the apps are more dangerous to Apple customers than previously thought.<\/p>\n

[…]<\/p>\n

But according to findings from one researcher, and then built upon by Xiao, the infected apps are also capable of receiving commands from the attacker. These commands can apparently allow a hacker to read and write data to the victim’s clipboard, open specific URLs, or prompt a fake alert on the victim’s screen. Some of these could be used to steal passwords, Xiao claims.<\/p><\/blockquote>\n

So much for the idea that App Review protects us from malware.<\/p>\n

Previously: The CIA’s Xcode<\/a>.<\/p>\n

Update (2015-09-22): Dan Goodin<\/a>:<\/p>\n

This isn’t the first time a malicious app has made its way into the App Store, since there are a handful of other times bad titles have been found. Still, the number of infections and of the iOS users potentially affected appeared to be highly unusual, if not unprecedented. What’s more, Chinese firm Qihoo360 Technology, reportedly has said<\/a> the number of affected apps is much bigger than originally reported, with a total of 344.<\/p>\n

The list of infected apps includes some of the most popular apps in China, including the ride-hailing app Didi Kuaidi. WeChat, which has some 500 million users, was also affected, although the infection was limited only to version 6.2.5. People using version 6.2.6 and later aren’t affected, the chat developer said in a blog post<\/a>.<\/p>\n<\/blockquote>\n

Rosyna Keller<\/a> says that XcodeGhost does<\/a> not<\/a> prompt for passwords. <\/p>\n

Claud Xiao<\/a>:<\/p>\n

In the current version of the code, XcodeGhost cannot be directly used to phish iCloud passwords. However, by changing a few simple lines of code, it can do that.<\/p><\/blockquote>\n

Apple<\/a>:<\/p>\n

We’re not aware of personally identifiable customer data being impacted and the code also did not have the ability to request customer credentials to gain iCloud and other service passwords.<\/p><\/blockquote>\n

Update (2015-10-04): Rainer Brockerhoff<\/a>:<\/p>\n

\n

Needless to say, the new version of RB App Checker Lite also detects the added frameworks and warns: “3 frameworks are suspect: they use system names but are NOT signed by Apple!”.<\/p>\n

[…]<\/p>\n

Therefore, unless you check the entire app contents with GateKeeper, RB App Checker Lite (or even the codesign command-line utility), it will be humanly impossible to pick out visually — by inspection in the Finder — if anything has been changed inside Xcode. So keep GateKeeper turned on! One suggestion Apple should implement is running GateKeeper tests for Apple-signed software even if GateKeeper has been deliberately disabled.<\/p>\n<\/blockquote>\n\n

Update (2021-05-07): Lorenzo Franceschi-Bicchierai<\/a> (tweet<\/a>):<\/p>\n

\n

As part of the trial against Epic Games, Apple released emails that show that 128 million users, of which 18 million were in the U.S., downloaded apps containing malware known as XCodeGhost from the App Store.<\/p>\n<\/blockquote>\n\n

Update (2021-05-10): Dan Goodin<\/a>:<\/p>\n

\n

In September 2015, Apple managers had a dilemma on their hands: should, or should they not, notify 128 million iPhone users of what remains the worst mass iOS compromise on record? Ultimately, all evidence shows, they chose to keep quiet.<\/p>\n<\/blockquote>\n\n

Previously:<\/p>\n