Late last week, Claud Xiao, a researcher at Palo Alto Networks, announced the discovery of new malware that he calls XcodeGhost.
As the story has developed over the weekend, it turns out that this malware has infected at least 39 known iOS apps as of early this morning, all of which made it into the App Store.
(Update, 9/22/2015: It turns out that this is both worse and better than originally thought. New reports show that, by some calculations, nearly 3,500 apps were infected, but that they didn’t actually have the capability to phish passwords as-is.)
The malware uses a method of attack that is new to the Mac world: infecting a compiler. In this case, the compiler in question is Xcode, Apple’s own development environment, used for creating iOS apps, Mac OS X apps, Safari extensions and more.
It seems that, in China, downloading Xcode from Apple’s servers takes a very long time. So it’s a common thing for Chinese developers to get Xcode from third-party sources, distributed from servers within China.
Apparently, someone uploaded a tampered copy of Xcode to a Chinese file-sharing site called Baidu.
Although Baidu has now removed the hacked Xcode files from their servers, the damage has been done. The app was downloaded by Chinese developers and used to develop an unknown number of apps.
The malicious changes to Xcode, however, caused each of these apps to be infected with the same malicious code.
This appears to be a form of the dynamic library hijacking attack that Patrick Wardle wrote a paper on back in March.
Wardle discussed how some apps will dynamically load libraries of code that they look for in one of multiple locations. In some cases, the first place they look for this code is not where the code is found normally.
If a hacker can substitute a fake code library at that location, the program will load it in preference to, or in addition to, the real code library.
The malicious copy of Xcode appears to contain an exploit of exactly that issue. A fake CoreServices.framework was added to the tampered copy of Xcode in such a way that it is loaded automatically, and this framework is also added to all the infected apps.
As of Friday, Xiao had identified 39 apps known to have been created by an XcodeGhost-infected copy of Xcode.
Most of these apps are Chinese, and not available to most of the rest of the world. Others, however, have a more global appeal, such as the WeChat app. (Version 6.2.5 of WeChat is known to be infected. A version 6.2.6 has been released, which is not infected, although there is no mention of this in the WeChat change history on the App Store.)
Initially, Xiao stated that these infected apps would collect some basic information about the device and upload it to one of several sites.
However, by Friday afternoon, he revealed further information that suggested the malware would be capable of more malicious things, like phishing for passwords.
In a bizarre twist, Xiao revealed on Friday night that the apparent author of XcodeGhost had published the source code, and an apology, on GitHub!
It’s hard to know at this point whether this is the real author or real source code, and is a complete mystery as to why someone who had done such a thing would own up to it so quickly.
There are a few very interesting aspects to this new malware. First, of course, is the fact that these infected apps made it into the App Store.
This is easily the largest App Store breach in history.
There is little doubt that there will be some revision of the app review process at Apple as a result, but it’s also certain that this incident will erode consumer confidence in the App Store as a (mostly) unassailable malware-free fortress.
Worse, there was really no way to tell that these apps were infected. Perfectly respectable, legitimate apps turned out to be infected. It’s hard for any user to be on guard against this kind of malware. Especially on iOS, where security features in the system make anti-malware software impossible.
A more subtle point of interest is the fact that this code was also added in such a way that it could affect OS X apps. It’s not known at this time whether any OS X apps may have been infected with XcodeGhost, but it’s easily plausible that there are infected OS X apps in distribution, perhaps also in the Mac App Store.
Finally, as Xiao pointed out, there are other possible scenarios where similar attacks could occur in less-detectable circumstances.
For example, a malicious app opened by the user could, without requiring the entry of an admin password, inject malicious code into the Xcode app using exactly the same technique.
Wardle pointed out back in March that Xcode was vulnerable to this sort of thing, but frighteningly, also pointed the finger at many other OS X apps. Any of those apps could be vulnerable to similar attacks.
If you have one installed on your iOS device, delete it. In fact, I’d go one step further and say to restore your device to factory settings.
Next, be sure to change the passwords on any accounts you may have entered a password for on the affected device.
Even if you don’t have a known infected app, it’s important to update all of your iOS apps. (It’s not always easy to tell which apps may have been made by a Chinese developer.)
If a developer becomes aware of their app being infected, they should issue an update to fix the problem. Hopefully, Apple will take some kind of action to find and remove any further infected apps.