Apple App Store hit by malware swarm

Apple logo unsecure

Apple has suffered what is thought to be the biggest targeted attack on its systems ever, after dozens of App Store Apps were found to be infected with malware.

Dubbed XcodeGhost, the attack has affected at least 39 apps according to security firm Palo Alto networks, which performed an initial analysis of the vulnerability.

Using the infected apps, the attackers behind the malware are able to phish users' passwords and other login credentials by prompting a fake alert dialogue, hijack opening specific urls, which Palo Alto said "could allow for exploitation of vulnerabilities in the iOS system or other iOS apps", and read and write data in the user's clipboard.

This last function allows the malware to bypass the protections of password management apps like 1Password and LastPass.

"When people use apps like 1Password to manage their passwords in iOS, they often open 1Password, copy the stored password to system clipboard, then open the app they want to use and paste the password to the login window. At this moment, a malicious app can directly read the password from system clipboard," said Palo Alto researcher Claud Xiao in a blog post.

"1Password's main security design for this situation is that, the password stored in the clipboard will only stay there for a very short time. However, since the malware can read it when the app launches, the attack can be successful," Xiao explained

Finally, the malware also uploads device information to their command and control servers.

Who is affected and how did it happen?

The vast majority of the infected apps come from Chinese developers who are selling to the Chinese market. Therefore, while Palo Alto speculated hundreds of millions of people may be affected, they will almost all be in China.

Apple's closed-loop ecosystem has traditionally meant iOS and OSX are two of the safer operating systems when it comes to malware. However, in China slow internet connections mean that downloading the legitimate version of Xcode - Apple's integrated development environment for iOS and OSX apps - is just too slow. Therefore, some developers in the country have turned to third-party downloads, however these were infected with the XcodeGhost malware, which went undetected because they had disabled Apple's Gatekeeper security system on their Macs, which flags threats to try and prevent this kind of issue from happening.

The XcodeGhost malware was subsequently passed on through the apps they developed to iPhone and iPad users.

"This demonstrates that adversaries can circumvent the walled gardens of app stores through the use of tainted development tools," Don Smith, director of technology at Dell SecureWorks, told IT Pro. "Mobile apps today can be thought of as Lego models and developers don't always take the right precautions to secure the individual bricks."

What is being done by Apple and what should I do?

Apple has already removed the malevolent apps from the App Store. In a statement, the company said: "Apple takes security very seriously and iOS is designed to be reliable and secure from the moment you turn on your device. We offer developers the industry's most advanced tools to create great apps."

"A fake version of one of these tools was posted by untrusted sources which may compromise user security from apps that are created with this counterfeit tool. To protect our customers, we've removed the apps from the App Store that we know have been created with this counterfeit software and we are working with the developers to make sure they're using the proper version of Xcode to rebuild their apps."

A list of all 39 infected apps has been published by Xiao, however at the time of writing the research section of Palo Alto's website is down. MacRumours has, however, kindly republished the list, which can be found here.

Users who have any of the apps listed on their iPhone or iPad should delete them immediately and, as a precautionary measure, change all the passwords they have used on the device. As XcodeGhost only affects Xcode 6.1 and Xcode 6.4, developers should upgrade to Xcode 7 or Xcode 7.1 beta - ensuring they are downloading from the official Apple website, of course.

Jane McCallion
Deputy Editor

Jane McCallion is ITPro's deputy editor, specializing in cloud computing, cyber security, data centers and enterprise IT infrastructure. Before becoming Deputy Editor, she held the role of Features Editor, managing a pool of freelance and internal writers, while continuing to specialise in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.