What is XcodeGhost?
XcodeGhost is a new iOS malware arising from a malicious version of Xcode, Apple’s official tool for developing iOS and OS X apps.
How is XcodeGhost distributed?
A malicious version of Xcode was uploaded to Chinese cloud file sharing service Baidu and downloaded by some iOS developers in China.
Chinese developers then unknowingly compile iOS apps using the modified Xcode IDE and distribute those infected apps through the App Store. Those apps then managed to pass through Apple’s code review process, enabling iOS users to install or update the infected apps on their devices.
Which devices are affected?
iPhone, iPad and iPod touch models running an iOS version compatible with any of the infected apps. The malware affects both stock and jailbroken devices.
Which apps are affected?
Palo Alto Networks has shared a full list of 39 infected iOS apps, including WeChat, NetEase Cloud Music, WinZip, Didi Chuxing, Railway 12306, China Unicom Mobile Office and Tonghuashun.
How many users are affected?
XcodeGhost potentially affects more than 500 million iOS users, primarily because messaging app WeChat is very popular in China and the Asia-Pacific region.
Which unofficial versions of Xcode are affected?
All unofficial versions between Xcode 6.1 and Xcode 6.4.
How does XcodeGhost put my iOS devices at risk?
iOS apps infected with XcodeGhost malware can and do collect information about devices and then encrypt and upload that data to command and control (C2) servers run by attackers through the HTTP protocol. The system and app information that can be collected includes:
Current infected app’s name
The app’s bundle identifier
Current device’s name and type
Current system’s language and country
Current device’s UUID
Palo Alto Networks also discovered that infected iOS apps can receive commands from the attacker through the C2 server to perform the following actions:
Prompt a fake alert dialog to phish user credentials;
Hijack opening specific URLs based on their scheme, which could allow for exploitation of vulnerabilities in the iOS system or other iOS apps;
Read and write data in the user’s clipboard, which could be used to read the user’s password if that password is copied from a password management tool.
Can XcodeGhost affect users outside of China?
Yes. Some of the iOS apps infected with XcodeGhost malware are available on the App Store in countries outside of China. CamCard, for example, is a popular business card reader and scanner app available in the United States and several other countries, while WeChat is a popular messaging app in the Asia-Pacific region.
Why would some Chinese developers download Xcode from Baidu?
Xcode is a large file that can take a long time to download from Apple’s servers in China, leading some developers to download Xcode from unofficial sources.
How are Apple and Chinese developers dealing with XcodeGhost?
Palo Alto Networks claims that it is cooperating with Apple on the issue, while multiple developers have updated their apps to remove the malware.
How do I protect myself against XcodeGhost?
iOS users should immediately uninstall any infected iOS app listed here on their devices, or update to a newer version that has removed the malware. Resetting your iCloud password, and any other passwords inputted on your iOS device, is also strongly recommended as a precautionary measure.
Developers should install official versions of Xcode 7 or Xcode 7.1 beta from Apple’s website for free and avoid downloading the software from unofficial sources.