Apple Confirms Malware-Infected Apps Found And Removed From Its Chinese App Store

Apple has confirmed a security breach in its Chinese App Store which saw nearly forty popular applications infected with malware – a result of app developers being tricked into downloading a compromised version of Apple’s Xcode developer tool kit. The breach, first discovered by researchers at Alibaba Mobile Security, affected a number of popular apps in the region, including WeChat, Didi Kuaidi (an Uber-like service), business card scanning app CamCard, and several others.

According to U.S.-based security firm Palo Alto Networks, which refers to the malware as “XcodeGhost,” 39 iOS applications were affected. The malware could potentially impact hundreds of millions of users, the company said.

The breach was surprising, given Apple’s historically stringent app review policies. However, in this case, the malware authors capitalized on developers’ demand for Apple’s official Xcode software. A compromised version of the Xcode software was uploaded to Baidu’s cloud storage site, promising a faster download than the official version hosted on Apple’s own website, which is slowed due to China’s Great Firewall.

But to even install this affected version of the Xcode software, developers had to ignore a warning which indicated the software was damaged and should be moved to the trash:


In other words, Apple’s Gatekeeper technology, which prevents non-App Store and unsigned versions of programs, like Xcode, from being installed, was doing its job. Developers, however, ultimately chose to ignore the warnings and proceed to install and use the compromised software.
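The check that would have caught the counterfeit Xcode is Gatekeeper's own assessment of the application bundle, which a developer can run by hand before trusting a download. The script below is an added example, not part of the article and not Apple's or Palo Alto Networks' code. It assumes Xcode lives at /Applications/Xcode.app, that `spctl --assess --verbose` prints a line ending in `accepted` or `rejected` followed by a `source=` line (the format on macOS), and it treats the source strings "Mac App Store", "Apple" and "Apple System" as the only trusted origins for a genuine copy; confirm those strings against Apple's current verification guidance before relying on them.

```shell
#!/bin/sh
# Added example (not from the article): classify a Gatekeeper assessment of an
# app bundle. On macOS, `spctl --assess --verbose <bundle>` prints
# "<path>: accepted" plus a "source=..." line when the code signature is valid
# and trusted, or "<path>: rejected" otherwise. The set of trusted sources below
# ("Mac App Store", "Apple", "Apple System") is an assumption to be checked
# against Apple's own guidance.

# classify_assessment: read spctl output on stdin, print a verdict and return
# 0 only for an accepted bundle from an Apple source; 1 for anything else
# (rejected, unsigned, third-party source, or output we cannot parse).
classify_assessment() {
    out=$(cat)
    case "$out" in
        *": accepted"*) ;;
        *) echo "untrusted: Gatekeeper did not accept the bundle"; return 1 ;;
    esac
    src=$(printf '%s\n' "$out" | sed -n 's/^source=//p' | head -n 1)
    case "$src" in
        "Mac App Store"|"Apple"|"Apple System")
            echo "trusted: accepted, source=$src"; return 0 ;;
        *)
            echo "untrusted: accepted, but source is '$src', not Apple"; return 1 ;;
    esac
}

# verify_xcode_bundle: run the real assessment on macOS. Fails closed (exit 2)
# when spctl is not available rather than guessing.
verify_xcode_bundle() {
    bundle=${1:-/Applications/Xcode.app}
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available; cannot assess $bundle" >&2
        return 2
    fi
    spctl --assess --verbose "$bundle" 2>&1 | classify_assessment
}

# Usage: sh verify_xcode.sh /Applications/Xcode.app
if [ $# -gt 0 ]; then
    verify_xcode_bundle "$1"
fi
```

A "damaged, move to trash" dialog is the interactive form of a `rejected` result; the point of scripting the check is that a non-zero exit cannot be clicked past the way the dialog was.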

Then, when app developers used this version of Xcode to code their apps, their apps would then become infected with the malware. (Baidu has since taken down the infected software, it said.)

Palo Alto Networks explains in a blog post that the malicious code uploaded users’ device information and app information to the attackers’ command and control server, which then allowed the devices to receive instructions from the malware’s creator. Some of those instructions included a prompt that would display a fake alert phishing for user credentials; a way to hijack the opening of specific website URLs, which would allow for further exploitation in the iOS system; and the ability to read and write data in the user’s clipboard, which could be used to read the user’s password in the case that the password was copied from a password management tool.

One developer said that XcodeGhost had already launched phishing attacks aimed at acquiring users’ iCloud passwords, Palo Alto Networks noted.

It’s unclear who’s behind the attack at present, the security firm says, but it did indicate that the techniques used could be those that “criminal and espionage groups” would use to gain access to iOS devices.

In a statement, Apple confirmed the security issue and says it removed the infected apps from the iTunes App Store. The company also says it’s working with developers to make sure their apps are not at risk and that they’re using the proper version of Xcode.

The full statement is as follows:

“Apple takes security very seriously and iOS is designed to be reliable and secure from the moment you turn on your device. We offer developers the industry’s most advanced tools to create great apps. A fake version of one of these tools was posted by untrusted sources which may compromise user security from apps that are created with this counterfeit tool. To protect our customers, we’ve removed the apps from the App Store that we know have been created with this counterfeit software and we are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.”

WeChat, which has over 500 million users, was one of the largest apps affected by XcodeGhost. Parent company Tencent has since posted to its official blog confirming the discovery of the security flaw, noting that only those who were running WeChat v6.2.5 for iOS would have downloaded the infected version of its app. In the new version (6.2.6 or higher), the flaw has been repaired, it said.

In addition, Tencent said that its initial investigations showed that there had been “no theft and leakage of users’ information or money,” but the company would continue to monitor the situation closely.

Though the infected apps have now been pulled from the App Store and Apple is in contact with the affected app developers, several questions still remain.

For starters, it’s unclear at this time how many users may have actually downloaded the malware-laden apps while they were available on the store, and how these users will be notified to upgrade to the most recent version.

In addition, years ago, Apple founder and CEO Steve Jobs confirmed that Apple did, in fact, have a “kill switch” of sorts to remove apps from users’ devices.

At the time, he stated that Apple needed such a feature in the case that a malicious program – like one that stole users’ data – accidentally made its way to the iTunes App Store. “Hopefully we never have to pull that lever, but we would be irresponsible not to have a lever like that to pull,” Jobs said.

Now that this exact scenario has come to pass, we wonder if Apple will indeed proceed to use this mechanism.

Update: Lookout has a full list of affected apps here with specific instructions on how to find out if you have an affected or patched version. The company is continuing to add to this list as it independently confirms which ones are affected.