iOS apps in Apple App Store compromised with XcodeGhost malware

Apple is busy today cleaning up apps from its App Store in China found to be infected with malware that can allow attackers to steal data about the users. The compromise, dubbed XcodeGhost, was discovered in Apple’s Chinese App Store and impacts a variety of popular apps, including WeChat, CamCard, and WinZip. It’s estimated that hundreds of millions of users are affected by the infected apps.

Apple enforces fairly strict control over which apps get into its App Store. One of the things that makes the iOS mobile platform more secure than Android—its primary rival—is the fact that developers have to submit apps to Apple to be vetted before they’re allowed to be distributed through the App Store. The stringent process of getting an app approved should ostensibly include analyzing apps for vulnerabilities and malicious code.

The malware is named XcodeGhost after the way the attackers got the malicious apps into the Apple App Store. The apps in question were apparently infected through a backdoor approach: the attackers created a compromised counterfeit version of Apple’s Xcode, the software used to build iOS apps, and lured developers into downloading and using it. Apps built with the fake Xcode include malicious code that grants the attackers access to sensitive information on the devices that run them.

“XcodeGhost is the latest example that iOS devices, indeed any device, can be subject to attack and that even a highly-curated app store can contain malicious apps,” declared Aaron Cockerill in a blog post from Lookout.

Gavin Reid, VP of threat intelligence at Lancope, explains, “You’re only as strong as your weakest link. Here we have the walled garden of iTunes being toppled by third-party use of a developer software package being distributed out of China.”

Lookout states that the XcodeGhost malware may affect hundreds of millions of victims. WeChat is a very popular messaging app with more than 600 million active users, and CamCard is a Chinese-developed business card reader app that is used around the world.

Reid says there’s not a lot iOS users can do. “In this case there is little a user can do to protect him or herself. The fix for this is better care from the application developers (to security), and better verification from Apple. Apps like WeChat are used all over the world and there are people running apps developed in China everywhere.”

According to a post from BBC, “Apple has said it is taking steps to remove malicious code added to a number of apps commonly used on iPhones and iPads in China.”

Tony Bradley: I have a passion for technology and gadgets--with a focus on Microsoft and security--and a desire to help others understand how technology can affect or improve their lives. I also love spending time with my wife, 7 kids, 4 dogs, 7 cats, a pot-bellied pig, and sulcata tortoise, and I like to think I enjoy reading and golf even though I never find time for either. You can contact me directly at tony@xpective.net. For more from me, you can follow me on Threads, Facebook, Instagram and LinkedIn.

Comments

    • I believe that information is false. Lookout has only found 39 apps in the App Store compromised from XcodeGhost--and none of those apps is installed on any of the many iOS devices in my home I don't think. A Chinese security firm claims the number of affected apps may be nearly 10 times that--current count 344.

      The issue is more regional--affecting China mostly. There are roughly 500 million people around the world who use WeChat--which is affected--but A) Just because 500 million people use the app doesn't mean 500 million downloaded the compromised version, and B) The current version of the app is not infected--just version 6.2.5.

      It is undeniably a big deal and it's probable that they haven't yet found ALL of the potentially affected apps--plus there are suggestions that it could also impact some Mac OS X apps built using compromised versions of Xcode. We shall see, but I don't think the sky is falling just yet.

      • Go to PaloAlto site, virus can open link and execute on device. However you communicate you can easily infect another. They said over 5000 apps were infected.
