Malware infects hundreds of apps in Apple’s official store
The infected applications are capable of receiving commands from the attacker to prompt fake alert dialogs, read and write the contents of the clipboard, and transmit information about a user’s device.
Chinese security companies have documented 344 applications found to have been affected. Among them were several apps widely used in China, such as the instant messaging app WeChat, the car-hailing app DidiChuxing, and the train ticket-purchasing app Railway 12306. The breach also affected finance apps and games such as Angry Birds 2, popular in the West.
According to US-based cybersecurity company Palo Alto Networks Inc., the attackers infiltrated the App Store via the developers of the mobile applications, who were tricked into using a compromised version of Apple’s developer tool kit Xcode.
The breach occurred when Chinese developers were looking for the newest version of Apple’s developer tools, Xcode 7.1, which was downloading very slowly from the US-based servers. Many developers turned to a Chinese cloud site that hosted what they believed was authentic Xcode. What they got was XcodeGhost, the developer kit laced with malware.
The malicious code was added into applications without developers’ knowledge, cyber security experts said.
“XcodeGhost’s primary behaviour in infected iOS apps is to collect information on the devices and upload that data to command and control (C&C) servers. The malware has exposed a very interesting attack vector, targeting the compilers used to create legitimate Apps. This technique could be adopted to attack enterprise iOS apps or OS X apps in much more dangerous ways,” Palo Alto wrote.
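The mitigation that follows from this attack vector is to verify that the Xcode build used is Apple-signed before compiling anything with it. The script below is an added example, not code from the article or from Palo Alto Networks; it assumes macOS with the standard spctl and codesign tools and an Xcode install at /Applications/Xcode.app (path is an assumption, overridable via XCODE_PATH).

```shell
#!/bin/sh
# Added example: check that the installed Xcode.app is genuinely Apple-signed
# before it is used to build apps. Assumes macOS; the path is an assumption.
XCODE_PATH="${XCODE_PATH:-/Applications/Xcode.app}"

# Classify the text that `spctl --assess --verbose` prints for a bundle.
# Prints "ok" only when Gatekeeper accepts the bundle AND the signing source
# is Apple or the Mac App Store; any other verdict or source is "suspect",
# which is what a re-packaged toolchain from a third-party mirror would yield.
classify_spctl() {
    out="$1"
    case "$out" in
        *": accepted"*)
            case "$out" in
                *"source=Mac App Store"*|*"source=Apple"*) echo ok ;;
                *) echo suspect ;;
            esac ;;
        *) echo suspect ;;
    esac
}

# Run the Gatekeeper assessment and a deep signature verification on Xcode.
# Returns 0 if both pass, 1 if the toolchain should not be trusted,
# 2 if the macOS tools are not available on this host.
check_xcode() {
    if ! command -v spctl >/dev/null 2>&1 || ! command -v codesign >/dev/null 2>&1; then
        echo "spctl/codesign not available; run this on macOS" >&2
        return 2
    fi
    # --assess asks Gatekeeper to evaluate the bundle; --verbose adds the source line.
    result=$(spctl --assess --verbose "$XCODE_PATH" 2>&1)
    verdict=$(classify_spctl "$result")
    # --deep --strict re-verifies nested code too, so a modified compiler or
    # an added framework inside the bundle fails even if the outer seal looks fine.
    if [ "$verdict" = ok ] && codesign --verify --deep --strict "$XCODE_PATH" 2>/dev/null; then
        echo "$XCODE_PATH: signature and source look legitimate"
        return 0
    fi
    echo "$XCODE_PATH: DO NOT BUILD WITH THIS TOOLCHAIN ($result)" >&2
    return 1
}
```

Call `check_xcode` as a gate in the build pipeline so a tampered toolchain fails the build instead of producing signed but trojanised apps.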
It is unknown how the infected applications made it past Apple’s strict review process, or how many users might be affected. However, given the popularity of some of the apps, the number of affected users could be in the millions.
This was the first major breach of Apple’s stringent review process for iOS apps, Palo Alto Networks noted. Previously, only five malware apps had been found in the App Store. The cybersecurity firm called the breach a “pretty big deal,” noting that the success of XcodeGhost may put developers in the hackers’ crosshairs.
Apple said that it had taken steps to address the problem and “removed the apps from the App Store that we know have been created with this counterfeit software.”
“We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps,” the company’s statement added.