Apps Infected With Information Stealing Malware Found In Apple’s Chinese App Store
The iOS App Store is usually a trustworthy source of software, because of Apple’s stringent security checks. However, recently, it was found out number of Chinese apps hosted on the official Apple App Store were infected with some dodgy code siphoning off information from users’ phones. It seems that the hackers have targeted some versions of the software used by developers to makes apps for iOS and OS X in the first place.
According to the security experts, even popular Apps like WeChat, a hugely popular messaging and social networking app, and Didi Kuaidi, Uber’s chief rival in China, carried the threat.
The hack entirely depends around Xcode, a tool used to create iOS and OS X apps. Generally, Xcode can be downloaded directly from Apple for free. However, it is possible to get Xcode from other sources too, such as developer forums. The problem started when developers downloaded altered versions of Xcode (named “XcodeGhost” by Alibaba researchers) from third-party sites.
Many developers chose to grab Xcode from the Baidu cloud file sharing service rather than straight from Apple. But somehow those downloads had been tweaked to add malware to apps constructed with the altered Xcode, so they would grab seemingly innocuous data from iPhones, such as device name and basic network information.
However, the malware is not so delicate. Palo Alto Networks senior malware researcher Claud Xiao told Forbes, “it can be remotely controlled by the attacker to phish or exploit local system or app vulnerabilities”. That makes XcodeGhost potentially more dangerous and it seems to be an entry point onto iPhones for further exploitation.
Ryan Olson, intelligence director of the Unit 42 research unit at Palo Alto Networks, explained further: “After contacting the command and control server to upload information about the infected device, the malware retrieves an encrypted response from the server. This response contains multiple possible commands. One of them specifies a message to send to the user in the form of an alert prompt.”
“We have evidence that this was used to ‘phish’ iCloud credentials from users of infected apps. The response can also contain a URL which the app will then open. We don’t know how this is being used, but it could be used to send other apps on the phone to potentially malicious resources.”
Once the app has been downloaded, apps developed with XcodeGhost code will collect a number of details about a customer’s device. The data extracted includes the name of the device, UUID, language, country network type and the current time —none of which is anything that a hacker could really use against you. Not a huge breach, but no one wants to be tracked by unknown sources.
Any developers who obtained their copy of Xcode from an unofficial source could be affected. According to US-based Palo Alto Networks, it looked like the infections were contained to Chinese apps at first and largely affected Chinese users. However, it has now become obvious a far larger range of apps were infected, affecting hundreds of millions of users across the world. The firm noted that CamCard, the most popular business card reader and scanner in the US and many other countries, contained XcodeGhost.
Developers creating enterprise apps could also be affected by XcodeGhost. These are apps made by companies specifically for their own employees’ devices, so they don’t have to go through any sort of Apple security check. However, “that’s a pretty obscure attack,” Charlie Miller, a security researcher at Uber who got his own malicious software onto the App Store in 2011, told Wired.
While the malware in the App Store itself is not a concern, the bigger question here is that how did it got past Apple’s strict security checks.
“You might completely trust the app developer, and that developer might be completely trustworthy, but this is a case where the app wasn’t,” Miller said. The fact is how the software made from a tampered version of Xcode found its way onto the App Store.
Apple has not responded to requests for comment about XcodeGhost and the infected apps.
Should the consumers and people who have downloaded the malicious apps be worried? Maybe only slightly. “I wouldn’t worry too much,” Miller says. The apps that did get through did not look to do any unpleasant stuff. “If you made it really, obviously bad, probably [Apple] would catch it,” Miller says.
The moral of the story is that if you have downloaded one of these unreliable apps, delete it, and follow up with reports of other ones slipping through. Also, developers shouldn’t be downloading their tools from random third-party sites.