{"id":9965,"date":"2015-09-23T09:00:09","date_gmt":"2015-09-23T13:00:09","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=9965"},"modified":"2017-09-24T08:27:59","modified_gmt":"2017-09-24T12:27:59","slug":"xcodeghost-compromises-apps-in-app-store","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/xcodeghost-compromises-apps-in-app-store\/9965\/","title":{"rendered":"Allegedly 40 apps on the App Store are infected"},"content":{"rendered":"<p>Malware has turned up inside Apple\u2019s walled garden. About 40 iOS apps are now being cleaned out of the App Store because they turned out to contain malicious code designed to turn Apple devices into a botnet.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/09\/06024118\/xcodeghost-FB.jpg\"><img decoding=\"async\" class=\"aligncenter wp-image-9967 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/09\/06024118\/xcodeghost-FB.jpg\" alt=\"XcodeGhost malware for iOS detected\" width=\"1600\" height=\"1600\"><\/a><\/p>\n<p>The XcodeGhost malware affected dozens of apps, including WeChat (600+ million users), NetEase\u2019s music app, the business card scanner CamCard, and Didi Kuaidi\u2019s Uber-like ride-hailing app. To make matters worse, the Chinese version of Angry Birds 2 was infected \u2013 is nothing sacred anymore?<\/p>\n<p>Apple spends a lot of time and effort vetting each and every app in the App Store. 
These efforts set the App Store apart from Google Play and third-party stores, which were plagued by malicious software (at least until Google launched its own malware scanning system in 2014).<\/p>\n<p>Against this background, September 2015 has been an especially bad month for Apple: researchers found malware targeting jailbroken devices, everybody was talking about the \u201c<a href=\"https:\/\/www.kaspersky.com\/blog\/ios-greatest-hack\/9714\/\" target=\"_blank\" rel=\"noopener nofollow\">biggest theft ever involving Apple accounts<\/a>,\u201d and now <a href=\"http:\/\/www.bbc.com\/news\/technology-34311203\" target=\"_blank\" rel=\"noopener nofollow\">Palo Alto Networks has found compromised software<\/a> on the App Store.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">XcodeGhost <a href=\"https:\/\/twitter.com\/hashtag\/iOS?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#iOS<\/a> Malware Contained: <a href=\"https:\/\/t.co\/pBYDo6wMJI\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/pBYDo6wMJI<\/a> via <a href=\"https:\/\/twitter.com\/threatpost?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@threatpost<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/apple?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#apple<\/a> <a href=\"http:\/\/t.co\/0DHpiHBMy8\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/0DHpiHBMy8<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/646016290373640192?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">September 21, 2015<\/a><\/p><\/blockquote>\n<h3>What is Xcode, and what exactly is XcodeGhost?<\/h3>\n<p>Xcode is a free suite of tools used by software developers to create apps 
for iOS and other Apple platforms. It is distributed officially by Apple, and unofficially by various third parties.<\/p>\n<p>XcodeGhost is malicious code inserted into Xcode itself, so that every app built with the infected toolchain is compromised. Affected applications collect users\u2019 private data and send it to the attackers.<\/p>\n<blockquote class=\"twitter-pullquote\"><p>Allegedly 40 or even more apps on #AppStore are infected #Apple #malware<\/p><a href=\"https:\/\/twitter.com\/share?url=https%3A%2F%2Fkas.pr%2Fhj9r&amp;text=Allegedly+40+or+even+more+apps+on+%23AppStore+are+infected+%23Apple+%23malware\" class=\"btn btn-twhite\" data-lang=\"en\" data-count=\"0\" target=\"_blank\" rel=\"noopener nofollow\">Tweet<\/a><\/blockquote>\n<h3>How were the apps compromised?<\/h3>\n<p>Apple\u2019s official Xcode was not compromised; the problem was an unofficial copy of the tool uploaded to Baidu\u2019s cloud storage service (think China\u2019s Google). Downloading development tools from third-party sites is common practice in China, and this time it turned out to be a very bad habit.<\/p>\n<p>There is a reason Chinese developers choose unofficial, insecure mirrors over the official source. Internet access in the country is rather slow; moreover, the <a href=\"https:\/\/www.quora.com\/Why-is-the-Internet-so-slow-in-China-and-what-can-be-done-to-speed-it-up\" target=\"_blank\" rel=\"noopener nofollow\">Chinese government routes traffic to foreign servers<\/a> through three gateways. As the Xcode installation package is about 3.59 GB, downloading it from Apple\u2019s servers can take a long time.<\/p>\n<p>https:\/\/twitter.com\/panzer\/status\/645823037871292417<\/p>\n<p>So all the actor behind XcodeGhost had to do was infect an unofficial copy of the toolchain with a subtle, hard-to-spot implant and let legitimate developers do the rest of the work for them. 
<a href=\"https:\/\/threatpost.com\/xcodeghost-ios-malware-contained\/114745\/#sthash.IbCbIzFP.dpuf\" target=\"_blank\" rel=\"noopener nofollow\">Researchers at Palo Alto Networks determined<\/a> that the malicious Xcode package had been available for six months and had been downloaded and used to build numerous new and updated iOS apps. Those apps were then submitted to the App Store as usual and somehow slipped past Apple\u2019s malware scanning.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Avoid submitting your app with a compromised version of Xcode by using the new `verify_xcode` fastlane action <a href=\"http:\/\/t.co\/732ubbvUmS\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/732ubbvUmS<\/a><\/p>\n<p>\u2014 Felix Krause (@KrauseFx) <a href=\"https:\/\/twitter.com\/KrauseFx\/status\/646104657119481856?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">September 21, 2015<\/a><\/p><\/blockquote>\n<h3>What\u2019s next?<\/h3>\n<p>Apple has <a href=\"http:\/\/mobile.reuters.com\/article\/idUSKCN0RK0ZB20150920\" target=\"_blank\" rel=\"noopener nofollow\">confirmed<\/a> to Reuters that all the known malicious apps have been removed from the App Store and that the company is working with developers to make sure they are using a genuine copy of Xcode.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Apple Asks Developers To Verify Their Version Of Xcode Following Malware Attack On Chinese App Store <a href=\"http:\/\/t.co\/OtBO21SGX6\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/OtBO21SGX6<\/a> by @sarahintampa<\/p>\n<p>\u2014 TechCrunch (@TechCrunch) <a href=\"https:\/\/twitter.com\/TechCrunch\/status\/646370479587000320?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">September 
22, 2015<\/a><\/p><\/blockquote>\n<p>Unfortunately, the story does not end here. It is still unclear how many apps were affected: Reuters notes that Chinese security firm Qihoo 360 Technology Co claims to have uncovered 344 apps tainted with XcodeGhost.<\/p>\n<p>The incident may mark the start of a new era in cybercrime, in which developers are a target just like unofficial stores and ordinary users. Other criminals can copy the tactics of XcodeGhost\u2019s creator; moreover, the SANS Institute reported that the author of XcodeGhost has published the malware\u2019s source code on GitHub, where it is now freely available.<\/p>\n<p>Coincidentally, Xcode had already made the news earlier this year, in the context of the \u201cJamboree,\u201d a secret annual <a href=\"https:\/\/theintercept.com\/2015\/03\/10\/ispy-cia-campaign-steal-apples-secrets\/\" target=\"_blank\" rel=\"noopener nofollow\">security researcher gathering sponsored by the CIA<\/a>.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">The CIA has waged a secret campaign to defeat security mechanisms built into Apple devices. 
<a href=\"http:\/\/t.co\/a8kN5pHHtu\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/a8kN5pHHtu<\/a> <a href=\"http:\/\/t.co\/JpkTok0rx6\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/JpkTok0rx6<\/a><\/p>\n<p>\u2014 The Intercept (@theintercept) <a href=\"https:\/\/twitter.com\/theintercept\/status\/575287938080182272?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">March 10, 2015<\/a><\/p><\/blockquote>\n<p>At that gathering, researchers reported that they had created a modified version of Apple\u2019s Xcode that could sneak surveillance backdoors into any app built with it.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Your legitimate copy of Angry Birds 2 may be infected with malware that steals your private data. How could this happen?<\/p>\n","protected":false},"author":522,"featured_media":9966,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2683],"tags":[14,109,769,78,1250,26,36,423,914,192,97,45,1265,1266],"class_list":{"0":"post-9965","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-apple","10":"tag-apps","11":"tag-china","12":"tag-hackers","13":"tag-ios","14":"tag-iphone","15":"tag-malware-2","16":"tag-mobile-devices","17":"tag-private-data","18":"tag-protection","19":"tag-security-2","20":"tag-smartphones","21":"tag-xcode","22":"tag-xcodeghost"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/xcodeghost-compromises-apps-in-app-store\/9965\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/xcodeghost-compromises-apps-in-app-store\/6030\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/xcodeghost-compromises-apps-i
n-app-store\/6218\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/xcodeghost-compromises-apps-in-app-store\/6904\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/xcodeghost-compromises-apps-in-app-store\/6633\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/xcodeghost-compromises-apps-in-app-store\/9022\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/xcodeghost-compromises-apps-in-app-store\/4910\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/xcodeghost-compromises-apps-in-app-store\/3722\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/xcodeghost-compromises-apps-in-app-store\/6197\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/xcodeghost-compromises-apps-in-app-store\/9001\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/xcodeghost-compromises-apps-in-app-store\/9022\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/xcodeghost-compromises-apps-in-app-store\/9965\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/xcodeghost-compromises-apps-in-app-store\/9965\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/apple\/","name":"Apple"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/9965","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/522"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=9965"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/9965\/revisions"}],"predecessor-version":[{"id":18857,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/9965\/revisions\/18857"}],"wp:featuredmedia":[{
"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/9966"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=9965"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=9965"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=9965"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
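Added example for the "How were the apps compromised?" and "What's next?" sections of the post above; this is not code from the original article, from Apple, or from the fastlane project. It applies the advice Apple gave developers after XcodeGhost, to check the installed Xcode with `spctl --assess --verbose /Applications/Xcode.app` and accept it only when Gatekeeper reports it as signed by Apple (`source=Mac App Store`, `source=Apple System` or `source=Apple`). The parsing helpers, the function names and the sample `spctl` outputs are this example's own constructions, so the logic can be exercised on any POSIX shell without a Mac; the real `spctl` call only runs where the tool exists.

```shell
#!/bin/sh
# verify_xcode.sh: check that the installed Xcode.app is the Apple-signed build.
# Added example, not the article's or Apple's code. It parses the output of
# `spctl --assess --verbose <path>`, which prints the Gatekeeper verdict
# ("<path>: accepted" / "<path>: rejected") and, on the next line, the
# signing source ("source=Mac App Store", "source=no usable signature", ...).

# Flatten the two-line spctl output onto one line and pull out the verdict word.
assessment_verdict() {
  printf '%s\n' "$1" | tr '\n' ' ' | sed -n 's/^[^:]*: \([a-z]*\).*$/\1/p'
}

# Pull out the value after "source=", without the trailing whitespace that
# flattening leaves behind (source values such as "Mac App Store" contain spaces).
assessment_source() {
  printf '%s\n' "$1" | tr '\n' ' ' | sed -n 's/^.*source=//p' | sed 's/[[:space:]]*$//'
}

# Returns 0 only for an accepted bundle whose source is one Apple documents as
# legitimate for Xcode. A re-signed copy ("Developer ID") or an unsigned one
# ("no usable signature") is treated as tampered, which is the XcodeGhost case.
xcode_assessment_ok() {
  verdict=$(assessment_verdict "$1")
  src=$(assessment_source "$1")
  [ "$verdict" = "accepted" ] || return 1
  case "$src" in
    "Mac App Store"|"Apple System"|"Apple") return 0 ;;
    *) return 1 ;;
  esac
}

# Run the real check on a Mac. spctl exits non-zero on rejection but still
# prints the reason, so both streams are captured and judged on the text.
check_installed_xcode() {
  app=${1:-/Applications/Xcode.app}
  out=$(spctl --assess --verbose "$app" 2>&1) || true
  if xcode_assessment_ok "$out"; then
    printf 'OK: %s is Apple-signed (source=%s)\n' "$app" "$(assessment_source "$out")"
    return 0
  fi
  printf 'WARNING: %s failed verification: %s\n' "$app" "$(printf '%s' "$out" | tr '\n' ' ')" >&2
  return 1
}

# Constructed sample outputs in the format spctl prints (not captured from a
# real machine): a genuine Mac App Store install, an unsigned copy from a
# mirror, and a copy someone re-signed with a Developer ID certificate.
SAMPLE_GENUINE='/Applications/Xcode.app: accepted
source=Mac App Store'
SAMPLE_TAMPERED='/Applications/Xcode.app: rejected
source=no usable signature'
SAMPLE_RESIGNED='/Applications/Xcode.app: accepted
source=Developer ID'

# Only call spctl where it exists (macOS); elsewhere the helpers above can still
# be exercised on the constructed samples.
if command -v spctl >/dev/null 2>&1; then
  check_installed_xcode "$@"
fi
```

Two caveats a practitioner should keep in mind. The check only tells you whether the bundle currently on disk carries Apple's signature; apps already built with a tampered Xcode and shipped are not cleaned up by it and need to be rebuilt with a verified toolchain and resubmitted, which is what Apple was asking developers to do. And because the mirror copies in this incident were complete Xcode bundles that were never re-signed by Apple, the signature check is exactly the step that would have caught them, provided it is run on the unpacked `Xcode.app` rather than on the downloaded archive.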