Developers who unknowingly used a malicious tool to code their programs uploaded hundreds of malware-infected apps to the iTunes App Store, according to multiple reports.
China-based iOS developers reportedly discovered the malware infection last week, and security researchers around the world have analyzed it.
Called “XcodeGhost,” the malware is hidden in an unauthorized version of a program Apple distributes to create iOS apps.
“XcodeGhost is an example of compiler malware,” said David Richardson, iOS product manager for Lookout Mobile Security.
“Instead of trying to create a malicious app and get it approved in the App Store, XcodeGhost’s creator targeted Apple’s legitimate iOS-OS X app development tool, called ‘Xcode,’ to distribute the malicious code in legitimate apps,” he explained.
“These developers, unaware that their apps had been tampered with, then submitted those apps to the App Store for distribution to iOS devices,” Richardson told TechNewsWorld.
Convenience Trumps Security
Since the discovery of XcodeGhost, Apple has been weeding its walled garden.
It has cleaned out all the known apps created with the counterfeit version of Xcode and is working with developers to make sure they use the right version of the software to rebuild their apps, according to multiple press reports.
Users are bombarded with warnings against downloading apps from questionable sources, so why did the developers choose to download Xcode from a place other than Apple? The answer to that question is convenience.
“Downloading Xcode from Apple when you’re in China could take four or five hours, or even longer,” Ryan Olson, threat intelligence director for Unit 42 at Palo Alto Networks.
“The infected files could be downloaded in an hour,” he told TechNewsWorld.
Ease of access typically isn’t thought of as a security issue, but it may be time to start.
“Everyone needs to seriously think about developer convenience as a security issue,” Richardson said.
“When there’s a hard and an easy way to get something, you need to assume that a large percentage of developers will take the easy option,” he noted. “Apple should consider providing easy access to all tools behind speedy connections globally to help prevent future issues like this.”
Malware Phones Home
The malware XcodeGhost can do several things. It sends information about the app it has infected and the machine it’s running on to a server operated by its creators.
After the malware phones home, it can receive commands from its masters — commands such as display a pop-up box or open a URL.
“They can be used to trick a user into giving up their credentials or cause some other harm,” Palo Alto’s Olson said.
Apple is known for keeping a tight ship when it comes to vetting apps for its ecosystem, so how did it miss these apps?
“Apple may have missed the apps in this case because the two actions that the malware performs are not particularly malicious. The actions are something legitimate applications do,” Olson noted.
“The malware was also rolled up in legitimate applications that Apple trusted,” he added.
One way Apple could prevent an XcodeGhost encore is to accept only apps that are created with Apple-approved software.
“That is likely to be an unpopular decision with the developer community, which wants to write open source tools to develop iOS apps and write Xcode plugins to speed up development,” Lookout’s Richardson said.
The research community has tagged as many as 800 XcodeGhost-infected apps, including WeChat, which has more than 400 million monthly users, Olson said.
WeChat has fixed the XcodeGhost flaw in the latest version of its app, 6.2.6, according to a Saturday blog post, and the WeChat Team urged users to upgrade.
There has been no theft of users’ information or money based on its preliminary investigation, the company said, but it will continue to monitor the situation closely.
Given the success of XcodeGhost as an attack approach, could it attract a wave of copycats in the future?
“I doubt that we’ll see an attack quite like this,” said Thomas Reed, director of Mac Offerings at Malwarebytes.
“This will teach developers not to rely on any version of Xcode other than the one that comes from Apple,” he told TechNewsWorld. “However, I can see malware getting on a developer’s system and infecting Xcode or some other tool in the same way.”
Hackers probably will continue to explore this kind of attack, but developers may have learned a lesson from XcodeGhost, said Amit Sethi, principal consultant for mobile security with Cigital.
However, “this really goes beyond Xcode itself to the entire development tool chain,” he told TechNewsWorld. “Everything has to come from a trusted source; otherwise, if any of those links are broken, they can be injecting malicious code into the binaries you’re producing.”