Apple App Store hit by malware swarm

Fake Xcode used by dozens of developers puts users at risk

Apple has suffered what is thought to be the biggest targeted attack on its systems ever, after dozens of App Store Apps were found to be infected with malware.

Dubbed XcodeGhost, the attack has affected at least 39 apps according to security firm Palo Alto Networks, which performed an initial analysis of the malware.

Using the infected apps, the attackers behind the malware are able to phish users' passwords and other login credentials by displaying a fake alert dialog, hijack the opening of specific URLs, which Palo Alto said "could allow for exploitation of vulnerabilities in the iOS system or other iOS apps", and read and write data in the user's clipboard.

This last capability allows the malware to bypass the protections of password management apps like 1Password and LastPass.

"When people use apps like 1Password to manage their passwords in iOS, they often open 1Password, copy the stored password to system clipboard, then open the app they want to use and paste the password to the login window. At this moment, a malicious app can directly read the password from system clipboard," said Palo Alto researcher Claud Xiao in a blog post.

"1Password's main security design for this situation is that the password stored in the clipboard will only stay there for a very short time. However, since the malware can read it when the app launches, the attack can be successful," Xiao explained.

Finally, the malware also uploads device information to the attackers' command-and-control servers.

Who is affected and how did it happen?

The vast majority of the infected apps come from Chinese developers selling to the Chinese market. Therefore, while Palo Alto speculated that hundreds of millions of people may be affected, almost all of them will be in China.

Apple's closed-loop ecosystem has traditionally meant iOS and OS X are two of the safer operating systems when it comes to malware. However, in China slow internet connections mean that downloading the legitimate version of Xcode - Apple's integrated development environment for iOS and OS X apps - is just too slow. Some developers in the country have therefore turned to third-party downloads. Those copies were infected with the XcodeGhost malware, and the infection went undetected because the developers had disabled Apple's Gatekeeper security system on their Macs, the feature that flags untrusted software precisely to prevent this kind of issue.

The XcodeGhost malware was then passed on, through the apps those developers built, to iPhone and iPad users.

"This demonstrates that adversaries can circumvent the walled gardens of app stores through the use of tainted development tools," Don Smith, director of technology at Dell SecureWorks, told IT Pro. "Mobile apps today can be thought of as Lego models and developers don't always take the right precautions to secure the individual bricks."

What is being done by Apple and what should I do?

Apple has already removed the malevolent apps from the App Store. In a statement, the company said: "Apple takes security very seriously and iOS is designed to be reliable and secure from the moment you turn on your device. We offer developers the industry's most advanced tools to create great apps."

"A fake version of one of these tools was posted by untrusted sources which may compromise user security from apps that are created with this counterfeit tool. To protect our customers, we've removed the apps from the App Store that we know have been created with this counterfeit software and we are working with the developers to make sure they're using the proper version of Xcode to rebuild their apps."

A list of all 39 infected apps has been published by Xiao; however, at the time of writing, the research section of Palo Alto's website is down. MacRumors has, however, kindly republished the list, which can be found here.

Users who have any of the apps listed on their iPhone or iPad should delete them immediately and, as a precautionary measure, change all the passwords they have used on the device. As XcodeGhost only affects Xcode 6.1 and Xcode 6.4, developers should upgrade to Xcode 7 or Xcode 7.1 beta - ensuring they are downloading from the official Apple website, of course.
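A defender-side check for the two conditions the article describes (Gatekeeper switched off, and Xcode fetched from an untrusted source), written here as an added example and not taken from the article or from Palo Alto Networks: it confirms Gatekeeper is on and that the installed Xcode bundle carries a valid code signature chaining to Apple's own authorities. The bundle path and the allow-listed Apple certificate names are assumptions.

```shell
#!/bin/sh
# Added example (not from the article or Palo Alto Networks). The bundle path
# and the allow-listed Apple certificate names are assumptions.
XCODE_APP="${XCODE_APP:-/Applications/Xcode.app}"

# 0 when Gatekeeper assessments are enabled (the protection the infected
# developers had switched off).
gatekeeper_enabled() {
    spctl --status 2>/dev/null | grep -q 'assessments enabled'
}

# Reads `codesign -dvv` output on stdin; returns 0 only when every certificate
# in the chain is an Apple authority and the anchor is "Apple Root CA".
# Pure text processing, so it can be exercised on any platform.
authority_chain_is_apple() {
    authorities=$(sed -n 's/^Authority=//p')
    [ -n "$authorities" ] || return 1          # unsigned or ad-hoc: no chain
    anchor=$(printf '%s\n' "$authorities" | tail -n 1)
    [ "$anchor" = "Apple Root CA" ] || return 1
    # Developer ID or third-party certificates are rejected: a rebuilt or
    # re-signed Xcode would not carry Apple's own software-signing authorities.
    printf '%s\n' "$authorities" | while IFS= read -r auth; do
        case "$auth" in
            "Software Signing") ;;
            "Apple Mac OS Application Signing") ;;
            "Apple Code Signing Certification Authority") ;;
            "Apple Worldwide Developer Relations Certification Authority") ;;
            "Apple Root CA") ;;
            *) exit 1 ;;                        # subshell exit fails the pipeline
        esac
    done
}

# Full check on a real Mac: Gatekeeper on, signature valid down to every nested
# binary, chain Apple-rooted, and the bundle accepted by Gatekeeper.
verify_xcode() {
    gatekeeper_enabled || { echo "Gatekeeper disabled; re-enable it before trusting downloads" >&2; return 1; }
    codesign --verify --deep --strict "$XCODE_APP" 2>/dev/null \
        || { echo "$XCODE_APP: signature missing or invalid" >&2; return 1; }
    codesign -dvv "$XCODE_APP" 2>&1 | authority_chain_is_apple \
        || { echo "$XCODE_APP: not signed by Apple" >&2; return 1; }
    spctl --assess --type execute "$XCODE_APP" 2>/dev/null \
        || { echo "$XCODE_APP: rejected by Gatekeeper" >&2; return 1; }
    echo "$XCODE_APP: Apple-signed and accepted by Gatekeeper"
}

if [ "${1:-}" = "--run" ]; then verify_xcode; fi
```

Run with `--run` on the Mac where Xcode is installed; the `--deep` verification walks every nested binary in the bundle, so it takes a few minutes.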
