What happened?

According to recent reports, some versions of Xcode used by developers in China have been compromised and are being used to inject tracking codes in iOS apps without developer knowledge. (1,2). Unaware of the injection, those developers then released their compromised iOS apps to the App Store which were then later approved by Apple. At the time of writing this post, the compromised apps are still available in the App store. Any user who has installed and launched these compromised apps will be a victim of these tracking codes.

This is a significant compromise of Apple’s app store. Apple notoriously manually reviews all app submissions and, in comparison to Android stores, has been relatively malware-free. This is the most widespread and significant spread of malware in the history of the Apple app store, anywhere in the world.

The compromised version of Xcode was hosted on Baidu Pan. It is unlikely that Baidu was aware of the compromised version of Xcode. The company removed the files yesterday when news of the compromise surfaced. Because of slow download speeds from foreign websites in China, many Chinese developers prefer to download apps from domestic websites. Many Chinese also use download software like Xunlei, rather than downloading directly from the official Mac App Store.

According to users reports, many prominent Chinese apps are affected. We have included links to the compromised apps in the list below but DO NOT DOWNLOAD these apps. We are simply linking to them so that users can recognize the apps. Affected apps include:

Wechat The most popolar messaging app in China

网易云音乐 (NetEase Cloud Music) - Netease free Spotify-type app

网易公开课 (NetEase) - open education app, used by many students

中信银行动卡空间 (China CITIC Bank Card Space)

中国联通手机营业厅 (China Unicom Shop)

滴滴出行 (DiDi travel) - the popular car sharing app

12306 - only train ticketing website

高德地图 (Auto-Navigation)

It is important to note that the two Netease apps are official apps from Netease. Netease is one of the biggest internet companies in China. Wechat is the most popular messaging app in China. China Unicom is one of China’s major telecom companies and CITIC is one of the country’s largest banks. These apps are likely to be extremely popular and highly trusted by users. It is extremely irresponsible for developers in those companies to ignore digital signature warnings and to continue to use compromised Xcode. If the malware author did a targeted attack against wechat or CITIC, he would have been able to gain users credentials, collect chat history, contact list or even banking details!

Netease has already posted a warning about its music app for users:

Wechat also acknowleged the problem.

What can compromised users do to mitigate this attack?

If you are an iPhone user, there is little you can do. Do not download the above apps. Do not give permissions to apps unless absolutely necessary. Enable two-step verification for Apple ID. Even though this specific malware does not seem to target Apple IDs at this time, it is possible that in the future more aggressive malware will be used to display a fake window asking for sign-in credentials. According to paloaltonetworks, the current malware is affecting:

Current time

Current infected app name

The app bundle identifier

Current device name and type

Current system language and country

Current device UUID

Network type

If you are an iOS developer, however, a lot can be done to secure your development system:

Always download Xcode from the official Mac App Store. For other developer tools, always download these from official sources.

Always check the digital signature of developer tools. It is irresponsible for developers to ignore signature warnings. Xcode clearly should have been signed by Apple; all other versions should have produced user warnings.

Separate your development system with your everyday system. Development systems should be used solely for development and not for browsing random sites. If physical separation presents too much of a problem for developers, at the very least, a dedicated user account for development should be used.

What should Apple do to mitigate this compromise?

Apple should immediately scan their entire App Store to look for malware signatures and to remove all apps that are affected.

Apple’s Gatekeeper should implement a pre-loaded list of apps to enforce signature validation. For example, if Xcode and other crucial apps have invalid signatures, the OS should not allow users to bypass and proceed with installation. (This idea is similar to HSTS preload, in an effort to prevent network attacks.)

We have asked Apple to comment on their mitigation strategy in this instance and to outline their plans for future defense mechanisms to avoid a repeat of this situation.

Update: Apple scanned and took down infected apps in the App store and sent emails to urge developers to download Xcode from official sources.

Who is behind the attack and why would somebody create this compromise?

CoderFun first started to release compromised Xcode about 5 months ago.

It seems that this particular malware is being used to collect device information for data mining. However, the malware could have been used more aggressively to collect private information such as contacts, photos, and even iCloud passwords via phishing when combined with other evasion mechanisms to counter manual reviews.



References:

http://drops.wooyun.org/news/8864

http://weibo.com/1708947107/CAVdJ8Epo?from=page_1005051708947107_profile&wvr=6&mod=weibotime&type=comment#_rnd1442530292827

http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/