
XcodeGhost – Apple’s Worst Nightmare


Millions of iOS users were affected by the XcodeGhost malware, as a large number of apps were infected. The attackers took an unusual approach: instead of attacking individual apps, they compromised the tool used to build them. Every app compiled with the tampered Xcode carried the malicious code, and these apps made their way into the App Store undetected. Apple published an official list of the top 25 App Store apps affected by the threat.

How The Hackers Gained Access

Tool infection is not a new idea; it is well known that attackers plant malware in counterfeit software and release it through unreliable sources. In the XcodeGhost case, however, they took Apple’s genuine Xcode, inserted the malicious code at a low level of the toolchain, and redistributed the result to iOS developers as if it were the real thing.

Why Will Developers Fall For It?

Downloading Xcode, Apple’s official tool for building iOS apps, from Apple’s servers takes a long time in China because of slow international connections and other issues. The attackers used this to their advantage and uploaded the infected installer to the Baidu cloud sharing service. Developers could download the tool much faster from the mirror link and save development time, which is exactly why the bait worked.

A Google search for the term “Xcode 下载” (“Xcode download”) shows the multiple links where the infected files were uploaded. About six months ago, someone had posted the links and accompanying information on all the leading forums and sites. Infected builds of versions 6.0 through 7.0 were retrieved from the Baidu cloud sharing service. Once Baidu was informed about the files, they were removed completely.

How XcodeGhost Targets iOS Devices

Palo Alto Networks analyzed what the malicious code can do once the iOS user installs an infected app:

  1. Collect device and app information and upload it to the command-and-control (C2) server.
  2. Display a fake alert box that imitates a system prompt and phish for the user’s credentials.
  3. Open specific URLs on the device, which can be used to exploit vulnerabilities in iOS or in other installed apps and effectively hijack the device.
  4. Access the contents of the user’s clipboard. This is dangerous because a password copied from a password manager can be picked up by the attackers.

A user whose device is hijacked in this way can be compromised completely. These factors make XcodeGhost one of the most serious attacks Apple’s ecosystem has faced.

How Apple Responded

Apple removed all the infected apps from the App Store. Once a developer has rebuilt an affected app with a clean copy of Xcode, it can be re-uploaded and must pass the updated review process before it is listed again. Apple also laid part of the blame on the developers for not following a sound development process and downloading Xcode from unreliable sources. It urged developers to obtain Xcode only from Apple’s developer site or the Mac App Store and to keep Gatekeeper enabled at all times, so that a tampered copy is flagged before it runs. Apple also stated that it had no information that any customer data was compromised as a result of the attack.
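The check Apple pointed developers to is Gatekeeper’s assessment of the Xcode bundle. The script below is an added example (not part of the original post, and not Apple’s or Innoppl’s code) that wraps that assessment: it runs `spctl --assess --verbose` on the bundle and accepts the result only if Gatekeeper reports “accepted” and the source is one Apple distributes Xcode through (Mac App Store, Apple, or Apple System). The path /Applications/Xcode.app, the function names and the sample outputs are assumptions made for the example; the sample outputs are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the original post): check that an installed Xcode
# carries Apple's signature, using the Gatekeeper assessment Apple pointed
# developers to after XcodeGhost. Assumptions: Xcode is installed at
# /Applications/Xcode.app unless another path is passed as $1, and spctl's
# verbose output has the form "<path>: accepted" followed by "source=<origin>".

# Take the output of `spctl --assess --verbose <app>` and return 0 only when
# the verdict is "accepted" AND the source is one Apple ships Xcode through.
# The source is compared exactly, so a re-signed copy ("Developer ID") or a
# rejected bundle with a broken signature both fail.
xcode_source_ok() {
    out="$1"
    printf '%s\n' "$out" | grep -q ': accepted$' || return 1
    src=$(printf '%s\n' "$out" | sed -n 's/^source=//p' | head -n 1)
    case "$src" in
        "Mac App Store"|"Apple"|"Apple System") return 0 ;;
        *) return 1 ;;
    esac
}

# Run the live assessment against an Xcode bundle and report the result.
assess_xcode() {
    app="${1:-/Applications/Xcode.app}"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not found: this check only runs on macOS" >&2
        return 2
    fi
    out=$(spctl --assess --verbose "$app" 2>&1)
    if xcode_source_ok "$out"; then
        echo "OK: $app is accepted by Gatekeeper, source: $(printf '%s\n' "$out" | sed -n 's/^source=//p' | head -n 1)"
        return 0
    fi
    echo "WARNING: $app is not an Apple-distributed Xcode. spctl said:" >&2
    printf '%s\n' "$out" >&2
    return 1
}

# Constructed sample outputs (not captured from a real machine) showing the
# three outcomes the parser distinguishes: genuine, re-signed, tampered.
SAMPLE_APP_STORE='/Applications/Xcode.app: accepted
source=Mac App Store'
SAMPLE_RESIGNED='/Applications/Xcode.app: accepted
source=Developer ID'
SAMPLE_TAMPERED='/Applications/Xcode.app: rejected
source=no usable signature'

# Live check only where spctl exists; elsewhere the parser can still be
# applied to spctl output captured on a Mac.
if command -v spctl >/dev/null 2>&1; then
    assess_xcode "$@"
fi
```

Run it on the Mac where Xcode is installed; on other systems the live check is skipped. A re-signed copy (source=Developer ID) is rejected deliberately: anyone with a developer certificate can sign a bundle, but Apple does not ship Xcode that way. For a deeper check of the bundle’s contents, `codesign --verify --deep --strict /Applications/Xcode.app` also flags individual files that were modified inside the bundle.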

The issue arose mainly in China because the counterfeit Xcode was circulated through forums there. Many enterprise iOS apps are distributed outside the App Store and so never go through Apple’s review; an infected enterprise app therefore puts the organisation at serious risk, since nothing downstream will catch it. It is essential to have your apps developed by reputable mobile app developers who understand their responsibilities and follow Apple’s guidelines at all times.
