Threat Intelligence

September 20, 2015

First iOS Malware Outbreak | How Many Devices Affected?

XcodeGhost is the latest example that iOS devices, indeed any device, can be subject to attack and that even a highly-curated app store can contain malicious apps.

Lookout Mobile Threat Protection customers are already protected from this malware and do not need to take any further action. For customers using our consumer mobile security solution, more information is available here.

XcodeGhost is malicious code inserted into iOS apps using a tampered version of Apple’s Xcode that steals data from iOS devices. The malicious code stealthily made its way into a number of applications in the Apple App Store without the developers of those apps knowing. Indeed, it’s the largest attack on the App Store we’ve seen to date.

Chinese iOS developers discovered the malware, and it was further researched by Palo Alto Networks. The malicious code may have hundreds of millions of victims and is present in well-known apps such as WeChat, a globally popular messaging app with over 600 million active users, 100 million of which are outside of the U.S.; and CamCard, a Chinese-created business card reader that has gained global popularity.

The story is clear for both enterprises and individual users of the iOS platform: there is an increasing amount of data accessible through mobile devices and malicious actors are getting more sophisticated in their attack approach.

How did malware make it into the App Store?

XcodeGhost is an example of compiler malware. Instead of trying to create a malicious app and get it approved in the App Store, XcodeGhost’s creator(s) targeted Apple’s legitimate iOS/OSX app development tool called Xcode to distribute the malicious code in legitimate apps.

XcodeGhost’s creators repackaged Xcode installers with the malicious code and published links to the installer on many popular forums for iOS/OS X developers. Developers were enticed into downloading this tampered version of Xcode because it would download much faster in China than the official version of Xcode from Apple’s Mac App Store. When the developers installed what they thought was a safe Apple dev tool, they actually got a tampered version that would compile the malicious code alongside their actual app’s code.

These developers, unaware that their apps had been tampered with, then submitted those apps to the App Store for distribution to iOS devices.
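Because the compromise happened on the developer’s Mac rather than in the app, the defensive check belongs there too: confirm that the installed Xcode still carries Apple’s signature. The script below is an added example, not part of this post or of any Lookout product; it wraps the Gatekeeper assessment command (`spctl --assess --verbose`) and treats only an “accepted” verdict with an Apple or Mac App Store source as trustworthy. The default Xcode path and the script filename `xcode_check.sh` are assumptions.

```shell
#!/bin/sh
# Added example: verify that the Xcode on a build Mac is Apple-signed rather
# than a repackaged installer of the kind that spread XcodeGhost.
# Assumes macOS (spctl is Apple's Gatekeeper tool); the path is an assumption.

XCODE_PATH="${XCODE_PATH:-/Applications/Xcode.app}"

# Run Gatekeeper's assessment and return its full, multi-line output.
assess_xcode() {
    spctl --assess --verbose "$1" 2>&1
}

# Decide from the assessment output whether the bundle is trustworthy.
# Returns 0 only when the verdict is "accepted" AND the source is Apple
# (Mac App Store, or an Apple-signed direct download); "rejected",
# "no usable signature" or a third-party Developer ID all return 1.
is_trusted_assessment() {
    out="$1"
    case "$out" in
        *": accepted"*) ;;        # verdict is fine, now check the source
        *) return 1 ;;
    esac
    case "$out" in
        *"source=Mac App Store"*|*"source=Apple"*) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    result="$(assess_xcode "$XCODE_PATH")"
    printf '%s\n' "$result"
    if is_trusted_assessment "$result"; then
        echo "OK: $XCODE_PATH carries an Apple signature"
    else
        echo "WARNING: $XCODE_PATH is not Apple-signed; reinstall from the Mac App Store" >&2
        return 1
    fi
}

# Run the check only when executed as xcode_check.sh; when the file is
# sourced, just the functions are loaded so they can be reused or tested.
case "$0" in
    xcode_check.sh|*/xcode_check.sh) main ;;
esac
```

On a Mac, `sh xcode_check.sh` prints Gatekeeper’s verdict and exits non-zero when the copy of Xcode is not Apple-signed, which makes it easy to wire into a build-server health check.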

What does it do?

Once a victim installs and launches apps packaged with this malicious code, the code will steal a number of pieces of information about the device, according to Palo Alto Networks, including:

  • Name of the infected app
  • App bundle identifier
  • Device’s name and type
  • Network information
  • Device’s “identifierForVendor”

It then encrypts this data and sends it back to a command and control (C&C) server.

Lookout is working to independently confirm claims that the malicious code can receive commands from its C&C to open specified URLs and send dialog prompts to the victim’s screen, allegedly in an attempt to phish data, such as the victim’s Apple ID credentials.

What does this mean?

There are no perfect systems. While Apple has traditionally done an excellent job of keeping malware out of its App Store, malicious actors are always looking for new ways to break through. This is especially true as Apple’s iOS products continue to gain market share and are used by people and within organizations that may be targeted for attack.

XcodeGhost unfortunately shows that where there’s a will, there’s a way. Bad guys will always look toward potentially lucrative platforms, and it’s safe to say iOS, with its popularity and security reputation, is a target.

What should I do?

Enterprises need to know what kinds of risky and malicious apps are running on their networks to ensure that new threats to any platform are surfaced and mitigated quickly. Ensuring that you or your employees only download apps from official app marketplaces like the App Store and Google Play is a good place to start, despite the fact that malware does slip into them. These stores vet their apps much more heavily and are held to standards third-party app stores aren’t. The reality that no store is perfect, however, highlights the need for another line of defense in the system.

Customers using our consumer app can read further tips and access a list of the affected apps here. This blog may be a good resource for enterprises to send out to employees. If you feel you may have been phished by a threat like this, we recommend changing your Apple account password immediately, as well as the password of any other account for which you used the same one.