THE APPLE ECOSYSTEM is well known for very rarely letting any dodgy apps enter it because of the company’s stringent security checks.
But recently, nearly two dozen malicious pieces of software managed to get hosted on the App Store, and subsequently downloaded by Chinese users. This is because attackers found an unorthodox route to exploit: they targeted some versions of the software used by developers to make apps for iOS and OS X in the first place.
The malware was first highlighted by Chinese developers on Weibo, and was then analyzed by researchers from Alibaba. Security company Palo Alto Networks then verified the results.
The hack all hinges around Xcode, a tool used to create iOS and OS X apps. Typically, Xcode is downloaded directly from Apple for free. However, it is possible to get Xcode from other sources too, such as developer forums. Some versions of Xcode found on Baidu Yunpan, a Chinese file-sharing service, come packaged with extra lines of code. The Alibaba researchers have dubbed these malicious variants “XcodeGhost.”
Apps constructed with XcodeGhost code will collect a bunch of information about a customer’s device once the app has been downloaded. The data siphoned includes the current time, the name of the device, and the network type—none of which is anything a hacker could really use against you.
One of the apps that passed Apple’s security checks was NetEase Cloud Music, which, according to a screenshot provided by Palo Alto Networks, has nearly 500 ratings, averaging out at four and a half stars. Claud Xiao, a senior malware researcher from Palo Alto Networks, tells WIRED in an email the company had verified over 20 apps that were infected.
“Some of them are very popular and have tens of millions of installations,” Xiao writes.
First of all, the iOS users who downloaded these apps are affected. However, the apps analyzed were reportedly only from the Chinese App Store, so it doesn’t look like customers from other areas of the world need to worry.
Also, any developers who obtained their copy of Xcode from an unofficial source could be affected, as there is a chance their products are not totally above board. XcodeGhost could also affect developers creating enterprise apps. These are apps made by companies specifically for their own employees’ devices, so they don’t have to go through any sort of Apple security check. However, “that’s a pretty obscure attack,” Charlie Miller, a security researcher at Uber who got his own malicious software onto the App Store in 2011, tells WIRED in a phone interview.
How Severe Is This?
The malware in the App Store itself is not concerning, but there’s a broader issue here: the way in which it got past Apple’s screening process in the first place.
“You might completely trust the app developer, and that developer might be completely trustworthy, but this is a case where the app wasn’t,” Miller said. That, and the fact that software made from a tampered version of Xcode found its way onto the App Store, should give developers pause.
Apple did not immediately return a request for comment.
But what about consumers, and the people who downloaded the malicious apps? They should be only slightly concerned. “I wouldn’t worry too much,” Miller says. The apps that did get through didn’t seem to do any really nasty stuff. “If you made it really, obviously bad, probably [Apple] would catch it,” Miller says.
The bottom line for customers is, if you’ve downloaded one of these dodgy apps, delete it, and keep up with reports of other ones slipping through. What should developers do to protect their own apps and their customers?
“The moral of the story is: don’t download random crap from Chinese sites,” Miller says.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He has also worked for security companies such as Kaspersky Lab. His everyday job includes researching new malware and cyber security incidents. He also has deep knowledge of mobile security and mobile vulnerabilities.