Tech giant Apple has moved quickly to take down apps — reportedly a large number of apps — from its App Store. The move comes after a security research firm revealed 39 iOS apps were infected by the XcodeGhost malware.
The apps on the list include titles that are especially popular in China, including Didi Kuaidi, an Uber-like transportation app. The WeChat app, which boasts about 500 million users, was also on the list, as was the business card scanner app CamCard.
“To protect our customers, we’ve removed the apps from the App Store that we know have been created with this counterfeit software,” Christine Monaghan, an Apple spokeswoman, said in a statement.
Xcode Is Deeply Hidden
Security firm Palo Alto Networks published the threat report on September 17, pointing to Chinese iOS developers who had discovered a new OS X and iOS malware and reported it on the Chinese microblogging site Sina Weibo. Alibaba researchers posted an analysis report on the malware and called it XcodeGhost.
“The primary malicious component in the XcodeGhost infected version is ‘CoreServices.’ What is different from all previous OS X and iOS malware instances is that this file is neither a Mach-O executable, nor a Mach-O dynamic library, but is a Mach-O object file that is used by LLVM linker and can’t directly execute in any way,” Claud Xiao of Palo Alto Networks said in a blog post. “This abnormal file format will cause crashes or errors when analyzing it by format parsers like MachOView, 010 Editor (with Mach-O template) or jtool.”
XcodeGhost implements malicious code in its own CoreServices object file, and copies this file to a specific position that is one of Xcode’s default framework search paths, he said. Essentially, that means the code in the malicious CoreServices file will be added into any iOS app compiled with the infected Xcode without the developers’ knowledge.
“It’s difficult for iOS users or developers to be aware of this malware — or similar attacks — because it is deeply hidden, bypassing App Store code review,” Xiao said. “Because of these characteristics, Apple developers should always use Xcode directly downloaded from Apple, and regularly check their installed Xcode’s code signing integrity to prevent Xcode from being modified by other OS X malware.”
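The mechanism described above gives a defender something concrete to look for: a framework's binary is normally a Mach-O dynamic library (MH_DYLIB), so a bare Mach-O object file (MH_OBJECT) sitting in one of Xcode's framework search paths is out of place. The script below is an added example, not code from the article, Palo Alto Networks or Apple. It reads only the first 16 bytes of each file (magic, CPU type, CPU subtype, filetype), so it classifies an object file without choking the way a full Mach-O parser might, and it unwraps a fat/universal header to reach the first architecture slice. The directory layout it scans (`Library/Frameworks/CoreServices.framework/CoreServices`) is a constructed stand-in built from the article's "CoreServices" name; it is an assumption about the layout, not the real path inside Xcode.app, and the Mach-O headers it writes are fabricated demo data.

```python
import os
import struct
import tempfile

# Mach-O magic numbers, as they read when the first four bytes are unpacked big-endian.
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE        # 32-bit: big-endian file / little-endian file
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit: big-endian file / little-endian file
FAT_MAGIC, FAT_CIGAM = 0xCAFEBABE, 0xBEBAFECA      # universal ("fat") wrapper, always big-endian

# Mach-O filetype values from <mach-o/loader.h>.
MH_OBJECT, MH_EXECUTE, MH_DYLIB, MH_BUNDLE = 0x1, 0x2, 0x6, 0x8
FILETYPE_NAMES = {MH_OBJECT: "MH_OBJECT", MH_EXECUTE: "MH_EXECUTE",
                  MH_DYLIB: "MH_DYLIB", MH_BUNDLE: "MH_BUNDLE"}


def mach_o_filetype(header: bytes):
    """Return the filetype name of a thin Mach-O header, or None if it is not Mach-O.

    Only bytes 0..15 are needed (magic, cputype, cpusubtype, filetype), so an object
    file that trips up full parsers still gets classified.
    """
    if len(header) < 16:
        return None
    raw_magic = struct.unpack(">I", header[:4])[0]
    if raw_magic in (MH_MAGIC, MH_MAGIC_64):
        endian = ">"          # file is big-endian
    elif raw_magic in (MH_CIGAM, MH_CIGAM_64):
        endian = "<"          # file is little-endian (every x86/ARM Mac build)
    else:
        return None
    filetype = struct.unpack(endian + "I", header[12:16])[0]
    return FILETYPE_NAMES.get(filetype, "MH_UNKNOWN(0x%x)" % filetype)


def classify_file(path: str):
    """Classify a file on disk; for a fat binary, classify its first architecture slice."""
    with open(path, "rb") as f:
        head = f.read(32)
        if len(head) >= 8 and struct.unpack(">I", head[:4])[0] in (FAT_MAGIC, FAT_CIGAM):
            nfat_arch = struct.unpack(">I", head[4:8])[0]
            if nfat_arch == 0:
                return None
            f.seek(8)                                    # first fat_arch entry
            # fat_arch: cputype, cpusubtype, offset, size, align (all big-endian uint32)
            offset = struct.unpack(">5I", f.read(20))[2]
            f.seek(offset)
            return mach_o_filetype(f.read(32))
        return mach_o_filetype(head)


def find_object_files(root: str):
    """Walk `root` and return (relative path, filetype) for every MH_OBJECT file found."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if classify_file(full) == "MH_OBJECT":
                hits.append((os.path.relpath(full, root).replace(os.sep, "/"), "MH_OBJECT"))
    return sorted(hits)


# --- constructed demo data below; none of it is a real Xcode file --------------------

def fake_mach_header(filetype: int, bits: int = 64) -> bytes:
    """Fabricated little-endian Mach-O header carrying the given filetype."""
    fields = [MH_MAGIC_64 if bits == 64 else MH_MAGIC, 0x0100000C, 0, filetype, 0, 0, 0]
    if bits == 64:
        fields.append(0)      # mach_header_64 has a trailing reserved field
    return struct.pack("<%dI" % len(fields), *fields)


def fake_fat_wrapping(slice_bytes: bytes, offset: int = 4096) -> bytes:
    """Fabricated single-architecture fat wrapper around a thin Mach-O slice."""
    fat = struct.pack(">II", FAT_MAGIC, 1) + struct.pack(">5I", 0x0100000C, 0, offset, len(slice_bytes), 12)
    return fat + b"\0" * (offset - len(fat)) + slice_bytes


def build_demo_tree() -> str:
    """Write an assumed, Xcode-like framework layout into a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="xcode-demo-")
    files = {
        "Library/Frameworks/CoreServices.framework/CoreServices": fake_mach_header(MH_OBJECT),
        "Library/Frameworks/Harmless.framework/Harmless": fake_fat_wrapping(fake_mach_header(MH_DYLIB, bits=32)),
        "Library/Frameworks/Harmless.framework/Info.plist": b"<plist/>",
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for rel, kind in find_object_files(target):
        print("%s: %s" % (kind, rel))
```

Run it with the path of an Xcode.app (or any framework directory) as the first argument; with no argument it scans the constructed demo tree and reports the planted CoreServices object file while leaving the fat MH_DYLIB alone. A hit is a lead, not a verdict; pair it with Apple's signature check, `spctl --assess --verbose /Applications/Xcode.app`, which is the code-signing integrity check the article's advice refers to.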
Which Devices Have Been Exposed?
We turned to Ken Westin, senior security analyst at advanced threat protection firm Tripwire, to get his perspective on the Xcode compromise. Overall, XcodeGhost is having a major impact on the iOS ecosystem and has evaded Apple’s code review process, he told us.
“This attack uses an interesting attack vector by focusing on mobile development tools,” Westin said. “Legitimately installed versions of Xcode can also be affected via targeted malware, which opens up mobile application development teams to additional risk.”
Other attackers may potentially target these same vulnerabilities, according to Westin. That means Apple needs to issue a patch quickly.
“But Xcode isn’t the only vulnerability worth addressing; Apple will need to detect which malicious iOS devices have already been exposed,” Westin said. “They may need to implement multiple points of remediation.”