Apple is finalising its clean-up of its iOS App Store to remove malware that has infected numerous iPhone and iPad apps. The malware, dubbed XcodeGhost, was discovered by several cyber security companies, which found it embedded in hundreds of legitimate apps. Stephen Coty, chief security evangelist at Alert Logic, takes a deeper look at the issue and says:
“Brilliant find, and great analysis, from the team at Palo Alto Networks. XcodeGhost is the first code compiler malware to affect Apple’s Application Store’s infrastructure. The malicious code is located in the Mach-O object file that was packaged with some versions of the Xcode installer. The first question is: what is Xcode? Xcode is an integrated development environment (IDE) containing development tools developed by Apple for use by Apple and third-party developers to build applications for OS X and iOS. Xcode is downloaded directly from Apple at no charge to people who want to write applications for the store. Due to bandwidth and convenience, some developers will download the toolkit from file sharing sites like Baidu Yunnan, which hosted code that had a few more lines than the same version downloaded from the actual Apple store.
It’s quite brilliant of the attackers to think of maliciously infecting the development toolkits that are being used to build the applications for the Apple store. For years malicious actors have been attempting to penetrate the Apple app store unsuccessfully, but now they have. Using the Mach-O file layout, they can utilise the multi-architecture binaries that allow the application file to launch multiple programs in the background while installing the primary application.
This gives an attacker several options of malicious code that can accompany the intended application for your iOS device. Although this attack seemed to be focused in Asia, this same type of attack vector can be used throughout other stores. This could lead to dozens of applications being developed by trusted developers that had malicious code installed and distributed in all their packages that they build on the Xcode tool base.
Interesting that they used domains like these as part of their command and control (C&C) infrastructure:
Makes you think that, besides the actual malicious code loaded on the devices, they had to conduct some type of DNS hijacking or local IP tables that redirected the traffic to the actual malicious IP addresses made under the above domains. That is based on the thought that Apple does use the above domains to fulfil services they offer. According to the researchers that wrote the report, there are currently about 39 applications that are available on the Chinese Apple application store that are deemed malicious. So far I have not heard of any detected malicious apps in the US or EU instance of the application store.”
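Coty's remarks above refer to the Mach-O file layout and its multi-architecture ("fat") binaries. The following is an added example, not code from the article, from Alert Logic or from Palo Alto Networks: a small inspector that walks the fat header of a Mach-O file and reports each embedded slice (architecture, 32- or 64-bit, file type, offset and load-command count), which is the first thing an analyst does to see what a suspicious binary actually contains. The layout constants (FAT_MAGIC 0xCAFEBABE, MH_MAGIC/MH_MAGIC_64, the big-endian fat_arch records) are Apple's documented format; the sample binary is constructed in-line by `build_sample_fat()` so the script runs offline, and its two minimal slices are an assumption for demonstration rather than any real XcodeGhost artefact.

```python
"""Inspect the slices of a Mach-O fat (multi-architecture) binary."""
import struct
from dataclasses import dataclass

# Apple's Mach-O constants (mach-o/fat.h, mach-o/loader.h, mach/machine.h).
FAT_MAGIC = 0xCAFEBABE          # fat header is always big-endian
MH_MAGIC = 0xFEEDFACE           # 32-bit thin header (native byte order)
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit thin header
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86 = 7
CPU_TYPE_ARM = 12
CPU_NAMES = {
    CPU_TYPE_X86: "i386",
    CPU_TYPE_X86 | CPU_ARCH_ABI64: "x86_64",
    CPU_TYPE_ARM: "arm",
    CPU_TYPE_ARM | CPU_ARCH_ABI64: "arm64",
}
FILETYPES = {1: "MH_OBJECT", 2: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}


@dataclass
class Slice:
    cputype: int
    offset: int
    size: int
    is64: bool
    filetype: int
    ncmds: int

    @property
    def arch(self) -> str:
        return CPU_NAMES.get(self.cputype, hex(self.cputype))

    def describe(self) -> str:
        return (f"{self.arch:<7} {FILETYPES.get(self.filetype, self.filetype)} "
                f"{'64' if self.is64 else '32'}-bit @0x{self.offset:x} "
                f"({self.size} bytes, {self.ncmds} load commands)")


def parse_thin(blob: bytes, base: int, size: int) -> Slice:
    """Parse one thin Mach-O header (little-endian on x86/arm) at `base`."""
    magic = struct.unpack_from("<I", blob, base)[0]
    if magic == MH_MAGIC:
        is64 = False
    elif magic == MH_MAGIC_64:
        is64 = True
    else:
        raise ValueError(f"no Mach-O header at offset 0x{base:x}: magic 0x{magic:08x}")
    cputype, _subtype, filetype, ncmds, _sizeofcmds, _flags = struct.unpack_from(
        "<iiIIII", blob, base + 4)
    return Slice(cputype, base, size, is64, filetype, ncmds)


def parse_fat(blob: bytes) -> list:
    """Walk the fat_arch table; every slice offset/size is bounds-checked."""
    magic, nfat = struct.unpack_from(">II", blob, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a fat binary")
    slices = []
    for i in range(nfat):
        cputype, _subtype, offset, size, _align = struct.unpack_from(
            ">iiIII", blob, 8 + i * 20)
        if offset + size > len(blob):
            raise ValueError(f"slice {i} extends past end of file (truncated or crafted)")
        s = parse_thin(blob, offset, size)
        if s.cputype != cputype:  # the table and the slice header must agree
            raise ValueError(f"slice {i}: fat_arch says {cputype:#x}, header says {s.cputype:#x}")
        slices.append(s)
    return slices


def inspect(blob: bytes) -> list:
    """Return the slices of a fat file, or a single slice for a thin file."""
    if struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:
        return parse_fat(blob)
    return [parse_thin(blob, 0, len(blob))]


def _thin_header(cputype: int, is64: bool) -> bytes:
    # Constructed sample: an MH_EXECUTE header with zero load commands.
    hdr = struct.pack("<IiiIIII", MH_MAGIC_64 if is64 else MH_MAGIC, cputype, 0, 2, 0, 0, 0)
    return hdr + (struct.pack("<I", 0) if is64 else b"")  # 64-bit header has a reserved word


def build_sample_fat() -> bytes:
    """Constructed sample: arm (32-bit) and arm64 slices on 4 KiB boundaries."""
    slices = [(CPU_TYPE_ARM, False), (CPU_TYPE_ARM | CPU_ARCH_ABI64, True)]
    align, page = 12, 1 << 12          # align is log2, as in real fat files
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    bodies, offset = [], page
    for cputype, is64 in slices:
        body = _thin_header(cputype, is64)
        header += struct.pack(">iiIII", cputype, 0, offset, len(body), align)
        bodies.append((offset, body))
        offset += page
    blob = bytearray(offset)
    blob[: len(header)] = header
    for off, body in bodies:
        blob[off: off + len(body)] = body
    return bytes(blob)


if __name__ == "__main__":
    for s in inspect(build_sample_fat()):
        print(s.describe())
```

Run it against a real file by replacing `build_sample_fat()` with `open(path, "rb").read()`; the bounds check and the cputype cross-check are what catch a truncated download or a hand-edited fat table, which is why they sit in the parser rather than in a separate validation pass.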