The Xcode Ghost In Your Apps

Posted on 2015-10-15 by mike

We are seeing a number of instances where people have installed legitimate applications from the Apple App store, and their phone is communicating with the Xcode Ghost malware infrastructure across the network. This sort of malware infection is a bit unusual as :-

  1. This is the first serious outbreak of malware to be found in the Apple app store.
  2. This is almost identical in concept to one of the classic security attacks (Reflections on Trusting Trust).
  3. Specific versions of normal, legitimate, and fairly widely used applications were “trojaned” by a malware author.

The answer to the problem of what to do with an infected device is simple: Upgrade the applications in use. Indeed if you are not sure if you are infected or not then upgrade.

What Is Xcode?

Xcode is a suite of applications produced by Apple for use by developers. The developers use Xcode to compile source code into the binary language that computers understand. Every application on your iThingie (iPhone or iPad, plus Apple laptops and desktops) has been compiled by Xcode.

Or by a version of Xcode that has been “hacked” so that applications built with it are loaded with malware.

How Did This Happen?

Versions of Xcode distributed by Apple are and were safe. What the malware author did was to produce “hacked” versions of Xcode and made them available at alternative download sites.

For some reason, some application developers of legitimate applications downloaded Xcode from those alternative download sites, and the applications they compiled was “trojaned” with malware.

What Was The Damage?

The trojaned applications sent data that the application had access to via the network to the malware author’s command and control servers. The data that was sent was relatively benign, but passwords associated with known to be infected applications should be changed.

Links

This entry was posted in Malware, Technical and tagged , , , , , . Bookmark the permalink.