XcodeGhost malware sneaks into the App Store, spooks millions of iOS users

If you're writing software for iOS or OS X, chances are that you will use Apple's Xcode development tools.

But if you're a programmer with a flaky internet connection, you may decide that you can't be bothered trying to download it from Apple's own servers, and instead download it from elsewhere on the net.

That could turn out to be an unfortunate mistake.

Scores of iOS apps have been found to be infected with the XcodeGhost malware, all of them compiled with a poisoned version of Xcode.

Amongst the apps said to be infected is WeChat, a messaging app developed by Tencent that is used by millions of people worldwide.

Watch my video to find out more, and check out the blog posts published by the security experts at Palo Alto Research.

Remember you can subscribe to my YouTube channel to catch up with my video rants and raves.



7 Responses

  1. coyote

    September 19, 2015 at 1:17 am #

    It is always a mistake to not use official download locations (whether that is an official mirror or the provider) and you should always – without fail – verify the download matches the hash (assuming the vendor offers one) – even if they aren't 100% foolproof (what is?). The fact the legit hosts could be compromised makes this even more obvious (at least to those who consider security – and many programmers unfortunately do not, which is something they should be ashamed of but probably don't even know what mistakes they made).

    I guess the next step is damage control attempts from the careless programmers… And of course more claims that only Windows is vulnerable to malware will follow.
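The hash check coyote recommends above, as an added example (not part of the original post or the comment): a small POSIX shell routine that compares a downloaded installer's SHA-256 against the digest a vendor would publish, with a constructed stand-in file and a deliberately tampered copy to exercise the mismatch path.

```shell
#!/bin/sh
# Added example (not from the original post or comment): verify a downloaded
# installer against a vendor-published SHA-256 before trusting it.
# Works with GNU coreutils (sha256sum) or macOS (shasum -a 256).

sha256_of() {
    # Print the hex SHA-256 digest of the file given in $1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_download FILE EXPECTED_HEX
# Returns 0 when the digest matches, 1 on mismatch or unreadable file.
verify_download() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case hex too
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches published digest"
        return 0
    fi
    echo "MISMATCH: $file (do not install)" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Constructed demo input: a stand-in for the installer, plus a copy with one
# byte appended, standing in for a download swapped out by a third-party host.
demo() {
    tmp=$(mktemp -d)
    printf 'pretend this is Xcode.dmg\n' > "$tmp/good.dmg"
    cp "$tmp/good.dmg" "$tmp/tampered.dmg"
    printf 'x' >> "$tmp/tampered.dmg"
    published=$(sha256_of "$tmp/good.dmg")   # what the vendor would publish
    if verify_download "$tmp/good.dmg" "$published"; then good=0; else good=1; fi
    if verify_download "$tmp/tampered.dmg" "$published" 2>/dev/null; then bad=0; else bad=1; fi
    rm -rf "$tmp"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}
```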

  2. The Doctor

    September 19, 2015 at 6:48 pm #

    Talk about lazy. What is so hard about going to Apple's App Store and downloading Xcode straight from Apple? The App Store app is already installed on the computer. Granted, sometimes Apple's servers get overwhelmed with requests (for example people getting iOS 9 at the time of this writing – lucky I have it already), but it should not be so bad to just wait until you can get Xcode from Apple directly instead of trying to find it somewhere else and getting a surprise.

    I am taking a Mac, iPhone, iPad programming class right now and we are on week 1 and it was no big deal to download Xcode so I don't see why anyone would bother looking for it anywhere else on the web.

  3. Viola

    September 19, 2015 at 7:49 pm #

    OK then, so what's the 'next step' in case one had any of the infected apps installed on one's non-jailbroken iPad? Since Apple's idea is that a walled garden is 'enough' protection, where does this leave us end users, since no anti-malware/-virus app is currently available in the App Store? I'm sick and tired of this massively escalating hacker 'trend'... As it is now I'm already spending so much money and energy on best practices and anti-hacking prevention on every front that it's becoming ridiculous. Any pointers to get rid of this current XcodeGhost 'invasion'? Currently I uninstalled the apps in question, but that hardly would be 'enough', I fear?

    Best,
    Viola

    • David Brooks in reply to Viola.

      September 20, 2015 at 8:33 pm #

      Have you tried Malwarebytes?

      https://www.malwarebytes.org/antimalware/mac/

  4. Armus

    September 19, 2015 at 10:32 pm #

    but, but… apple can't be hacked. they are invincible. We believe in Steve. It can't happen. lalalalalal not going to listen. lalalalalala.

  5. The Doctor

    September 21, 2015 at 12:01 pm #

    It is not that Apple can not be hacked. All computers can be hacked. Just some are a bit harder than others. It seems that because of the size of Xcode from Apple's servers (3.9 gigabytes), the companies that downloaded Xcode from another source thought they were getting a smaller version of Xcode that was easier to download. They were not aware that they were getting a version of Xcode that was modified to have malware as a result. They started programming apps using the infected version of Xcode and now Apple has had to go through their software base to remove the infected versions of the apps.

    This does bother me though. I thought Apple tested anything submitted to them just to see if somewhere was attempting things done by malware so now Apple's testing comes into question.

  6. Simon

    September 21, 2015 at 12:24 pm #

    In light of this, Apple should:

    – Publicly list these apps and/or notify users if they've downloaded them
    – App developers affected should be made to rewrite their apps or face being banned and/or have their apps revoked, and
    – the App Store should implement a stronger vetting process on the who and what are allowed.

    The p1ssing contest between Apple, Google and Microsoft on who has the highest number of apps has probably contributed to the amount of crud that's been allowed in the first place.

    I think they're all guilty of this at one point or another.
