XcodeGhost

Last updated

XcodeGhost (and variant XcodeGhost S) are modified versions of Apple's Xcode development environment that are considered malware. [1] The software first gained widespread attention in September 2015, when a number of apps originating from China harbored the malicious code. [2] It was thought to be the "first large-scale attack on Apple's App Store", [3] according to the BBC. The problems were first identified by researchers at Alibaba, a leading e-commerce firm in China. [3] Over 4000 apps are infected, according to FireEye, far more than the 25 initially acknowledged by Apple, [4] including apps from authors outside China.

Contents

Security firm Palo Alto Networks surmised that because network speeds were slower in China, developers in the country looked for local copies of the Apple Xcode development environment, and encountered altered versions that had been posted on domestic web sites. This opened the door for the malware to be inserted into high profile apps used on iOS devices. [5] [6]

Even two months after the initial reports, security firm FireEye reported that hundreds of enterprises were still using infected apps and that XcodeGhost remained "a persistent security risk". [7] [8] The firm also identified a new variant of the malware and dubbed it XcodeGhost S; among the apps that were infected were the popular messaging app WeChat and a Netease app Music 163. [9]

Discovery

On September 16, 2015, a Chinese iOS developer mentioned [10] on the social network Sina Weibo that a malware in Xcode injects third party code into apps compiled with it.

Alibaba researchers then published [11] detailed information on the malware and called it XcodeGhost.

On September 17, 2015, Palo Alto Networks published several reports on the malware. [12] [13] [14] [15]

Operation

Propagation

Because of the slow download speed from Apple servers, Chinese iOS developers would download Xcode from third party websites, such as Baidu Yun (now called Baidu WangPan), a cloud storage service hosted by Baidu, or get copies from co-workers. Attackers took advantage of this situation by distributing compromised versions on such file hosting websites. [16]

Palo Alto Networks suspects that the malware was available in March 2015. [15]

Attack vector

Origins

Leaked document from Edward Snowden. "Strawhorse: Attacking the MacOS and iOS Software Development Kit". Strawhorse.png
Leaked document from Edward Snowden. "Strawhorse: Attacking the MacOS and iOS Software Development Kit".

The attacker used a compiler backdoor attack. The novelty of this attack is the modification of the Xcode compiler. According to documents leaked by Edward Snowden, CIA security researchers from Sandia National Laboratories claimed that they "had created a modified version of Apple’s proprietary software development tool, Xcode, which could sneak surveillance backdoors into any apps or programs created using the tool." [17]

Modified files

Known versions of XcodeGhost add extra files [12] to the original Xcode application:

  • Core service framework on iOS, iOS simulator and macOS platforms
  • IDEBundleInjection framework added on iOS, iOS simulator and macOS platforms

XcodeGhost also modified the linker to link the malicious files [15] into the compiled app. This step is reported on the compiling log but not on the Xcode IDE.

Both iOS and macOS apps are vulnerable to XcodeGhost.

Deployment

XcodeGhost compromised the CoreServices layer, which contains highly used features and frameworks used by the app. [18] When a developer compiles their application with a compromised version of Xcode, the malicious CoreServices are automatically integrated into the app without the developer's knowledge.

Then the malicious files will add extra code in UIWindow class and UIDevice class. The UIWindow class is "an object that manages and coordinates the views an app displays on a device screen". [19]

The UIDevice class provides a singleton instance representing the current device. From this instance the attacker can obtain information about the device such as assigned name, device model, and operating-system name and version. [20]

Behavior on infected devices

Remote control security risks

XcodeGhost can be remotely controlled via commands sent by an attacker from a Command and control server through HTTP. This data is encrypted using the DES algorithm in ECB mode. Not only is this encryption mode known to be weak, the encryption keys can also be found using reverse engineering. An attacker could perform a man in the middle attack and transmit fake HTTP traffic to the device (to open a dialog box or open specific app for example).

Stealing user device information

When the infected app is launched, either by using an iPhone or the simulator inside Xcode, XcodeGhost will automatically collect device information such as:

  • Current time
  • Current infected app's name
  • The app's bundle identifier
  • Current device's name and type
  • Current system's language and country
  • Current device's UUID
  • Network type

Then the malware will encrypt those data and send it to a command and control server. The server differs from version to version of XcodeGhost; Palo Alto Networks was able to find three server URLs:

  • http://init.crash-analytics.com
  • http://init.icloud-diagnostics.com
  • http://init.icloud-analysis.com

The last domain was also used in the iOS malware KeyRaider. [12]

Read and write from clipboard

XcodeGhost is also able, each time an infected app is launched, to store the data written in the iOS clipboard. The malware is also able to modify this data. This can be particularly dangerous if the user uses a password management app.

Hijack opening specific URLs

XcodeGhost is also able to open specific URLs when the infected app is launched. Since Apple iOS and macOS work with Inter-App Communication URL mechanism [21] (e.g. 'whatsapp://', 'Facebook://', 'iTunes://'), the attacker can open any apps installed on the compromised phone or computer, in the case of an infected macOS application. Such mechanism could be harmful with password management apps or even on phishing websites.

Prompting alert dialog

In its current known version XcodeGhost cannot prompt alert dialogs on the user device. [15] However, it only requires minor changes.

By using a UIAlertView class with the UIAlertViewStyleLoginAndPasswordInput property, the infected app can display a fake alert dialog box that looks like a normal Apple ID user credential check and send the input to the Command and control server.

Infected apps

Among all the Chinese apps, IMs app, banking apps, mobile carrier's app, maps, stock trading apps, SNS apps and games were infected. Popular apps used all over the world were also infected such as WeChat, a popular instant messaging app, CamScanner, an app to scan document using the smartphone camera or WinZip.

Pangu Team claimed that they counted 3,418 infected apps. [22]

Fox-it, a Netherland-based security company reports that they found thousand of malicious traffic outside China. [23] [24]

Removal

Neutralizing command and control servers and compromised versions of Xcode

Since the article of Alibaba and Palo Alto Networks, Amazon took down all the servers that were used by XcodeGhost. Baidu also removed all malicious Xcode installers from its cloud storage service.

Removing malicious apps from the App Store

On September 18, 2015 Apple admitted the existence of the malware and began asking all developers with compromised apps to compile their apps with a clean version of Xcode before submitting them for review again.

Pangu Team released a tool [25] to detect infected apps on a device, but like other antivirus apps, it will not run on a device that has not been jailbroken. Apple does not allow antivirus apps into the iOS App Store. [26]

Checking Xcode version

Apple advises Xcode developers to verify [27] [28] their version of Xcode and to always have Gatekeeper activated on their machine.

Related Research Articles

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

<span class="mw-page-title-main">Xcode</span> IDE including tools for developing software for Apple platforms

Xcode is Apple's integrated development environment (IDE) for macOS, used to develop software for macOS, iOS, iPadOS, watchOS, tvOS, and visionOS. It was initially released in late 2003; the latest stable release is version 16, released on September 16, 2024, and is available free of charge via the Mac App Store and the Apple Developer website. Registered developers can also download preview releases and prior versions of the suite through the Apple Developer website. Xcode includes command-line tools that enable UNIX-style development via the Terminal app in macOS. They can also be downloaded and installed without the GUI.

A backdoor is a typically covert method of bypassing normal authentication or encryption in a computer, product, embedded device, or its embodiment. Backdoors are most often used for securing remote access to a computer, or obtaining access to plaintext in cryptosystems. From there it may be used to gain access to privileged information like passwords, corrupt or delete data on hard drives, or transfer information within autoschediastic networks.

Apple Developer is Apple Inc.'s website for software development tools, application programming interfaces (APIs), and technical resources. It contains resources to help software developers write software for the macOS, iOS, iPadOS, watchOS, tvOS and visionOS platforms.

In computer security, a sandbox is a security mechanism for separating running programs, usually in an effort to mitigate system failures and/or software vulnerabilities from spreading. The sandbox metaphor derives from the concept of a child's sandbox—a play area where kids can build, destroy, and experiment without causing any real-world damage. It is often used to execute untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system. A sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as storage and memory scratch space. Network access, the ability to inspect the host system, or read from input devices are usually disallowed or heavily restricted.

Mobile malware is malicious software that targets mobile phones or wireless-enabled Personal digital assistants (PDA), by causing the collapse of the system and loss or leakage of confidential information. As wireless phones and PDA networks have become more and more common and have grown in complexity, it has become increasingly difficult to ensure their safety and security against electronic attacks in the form of viruses or other malware.

<span class="mw-page-title-main">App Store (Apple)</span> Mobile app distribution platform by Apple

The App Store is an app marketplace developed and maintained by Apple, for mobile apps on its iOS and iPadOS operating systems. The store allows users to browse and download approved apps developed within Apple's iOS SDK. Apps can be downloaded on the iPhone, iPod Touch, or iPad, and some can be transferred to the Apple Watch smartwatch or 4th-generation or newer Apple TVs as extensions of iPhone apps.

iOS jailbreaking is the use of a privilege escalation exploit to remove software restrictions imposed by Apple on devices running iOS and iOS-based operating systems. It is typically done through a series of kernel patches. A jailbroken device typically permits root access within the operating system and provides the right to install software unavailable through the App Store. Different devices and versions are exploited with a variety of tools. Apple views jailbreaking as a violation of the end-user license agreement and strongly cautions device owners not to try to achieve root access through the exploitation of vulnerabilities.

Mobile security, or mobile device security, is the protection of smartphones, tablets, and laptops from threats associated with wireless computing. It has become increasingly important in mobile computing. The security of personal and business information now stored on smartphones is of particular concern.

Submissions for mobile apps for iOS are subject to approval by Apple's App Review team, as outlined in the SDK agreement, for basic reliability testing and other analysis, before being published on the App Store. Applications may still be distributed ad hoc if they are rejected, by the author manually submitting a request to Apple to license the application to individual iPhones, although Apple may withdraw the ability for authors to do this at a later date.

WeChat or Weixin in Chinese ; lit. 'micro-message') is a Chinese instant messaging, social media, and mobile payment app developed by Tencent. First released in 2011, it became the world's largest standalone mobile app in 2018 with over 1 billion monthly active users. WeChat has been described as China's "app for everything" and a super-app because of its wide range of functions. WeChat provides text messaging, hold-to-talk voice messaging, broadcast (one-to-many) messaging, video conferencing, video games, mobile payment, sharing of photographs and videos and location sharing.

<span class="mw-page-title-main">Google Play</span> Digital distribution service by Google

Google Play, also known as the Google Play Store or Play Store and formerly known as Android Market, is a digital distribution service operated and it's developed by Google. It serves as the official app store for certified devices running on the Android operating system and its derivatives, as well as ChromeOS, allowing users to browse and download applications developed with the Android software development kit and published through Google. Google Play has also served as a digital media store, offering games, music, books, movies, and television programs. Content that has been purchased on Google Play Movies & TV and Google Play Books can be accessed on a web browser and through the Android and iOS apps.

The Pangu Team, is a Chinese programming team in the iOS community that developed the Pangu jailbreaking tools. These are tools that assist users in bypassing device restrictions and enabling root access to the iOS operating system. This permits the user to install applications and customizations typically unavailable through the official iOS App Store.

WireLurker is a family of malware targeting both macOS and iOS systems. The malware was designed to target users in China that use Apple mobile and desktop devices. The malware was suspected of infecting thousands of Chinese mobile devices. The security firm Palo Alto Networks is credited with uncovering the malware.

XARA is an acronym for "Unauthorized Cross-App Resource Access", which describes a category of zero-day vulnerabilities in computer software systems.

Brain Test was a piece of malware masquerading as an Android app that tested the users IQ. Brain Test was discovered by security firm Check Point and was available in the Google Play app store until 15 September 2015. Check Point described Brain Test as "A new level of sophistication in malware".

<span class="mw-page-title-main">KeRanger</span> MacOS ransomware

KeRanger is a ransomware trojan horse targeting computers running macOS. Discovered on March 4, 2016, by Palo Alto Networks, it affected more than 7,000 Mac users.

HummingBad is Android malware, discovered by Check Point in February 2016.

<span class="mw-page-title-main">AdGuard</span> Ad blocking and privacy protection software

AdGuard is an ad blocking service for Microsoft Windows, Linux, MacOS, Android and iOS. AdGuard is also available as a browser extension.

<span class="mw-page-title-main">CamScanner</span> Mobile scanner app

CamScanner is a Chinese mobile app first released in 2011 that allows iOS and Android devices to be used as image scanners. It allows users to 'scan' documents and share the photo as either a JPEG or PDF. This app is available free of charge on the Google Play Store and the Apple App Store. The app is based on freemium model, with ad-supported free version and a premium version with additional functions.

References

  1. Dan Goodin (September 21, 2015). "Apple scrambles after 40 malicious "XcodeGhost" apps haunt App Store". Ars Technica. Retrieved 2015-11-05.
  2. Joe Rossignol (September 20, 2015). "What You Need to Know About iOS Malware XcodeGhost". macrumors.com. Retrieved 2015-11-05.
  3. 1 2 "Apple's App Store infected with XcodeGhost malware in China". BBC News. 2015-09-21. Retrieved 2016-09-22.
  4. "Protecting Our Customers from XcodeGhost". FireEye. Retrieved 9 November 2021.
  5. Byford, Sam (September 20, 2015). "Apple removes malware-infected App Store apps after major security breach". The Verge. Retrieved 2015-11-05.
  6. James Temperton (September 21, 2015). "Apple App Store hack: XcodeGhost attack strikes China (Wired UK)". Wired UK. Retrieved 2015-11-05.
  7. Kirk, Jeremy (November 4, 2015). "Many US enterprises still running XcodeGhost-infected Apple apps, FireEye says". InfoWorld. Retrieved 2015-11-05.
  8. Ben Lovejoy (November 4, 2015). "A modified version of XcodeGhost remains a threat as compromised apps found in 210 enterprises". 9to5Mac. Retrieved 2015-11-05.
  9. Yong Kang; Zhaofeng Chen; Raymond Wei (3 November 2015). "XcodeGhost S: A New Breed Hits the US". FireEye. Retrieved 2015-11-05. XcodeGhost S: A New Breed Hits the US
  10. "First mention of XcodeGhost on SinaWeibo". Sina Weibo. September 17, 2015. Retrieved 2015-11-11.
  11. "Xcode编译器里有鬼 – XcodeGhost样本分析-安全漏洞-安全研究-阿里聚安全". jaq.alibaba.com. Archived from the original on 2016-04-19. Retrieved 2015-11-11.
  12. 1 2 3 Claud Xiao (September 17, 2015). "Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store - Palo Alto Networks Blog". Palo Alto Networks Blog. Retrieved 2015-11-11.
  13. Claud Xiao (September 18, 2015). "Malware XcodeGhost Infects 39 iOS Apps, Including WeChat, Affecting Hundreds of Millions of Users - Palo Alto Networks Blog". Palo Alto Networks Blog. Retrieved 2015-11-11.
  14. Claud Xiao (September 18, 2015). "Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps - Palo Alto Networks Blog". Palo Alto Networks Blog. Retrieved 2015-11-11.
  15. 1 2 3 4 Claud Xiao (September 21, 2015). "More Details on the XcodeGhost Malware and Affected iOS Apps - Palo Alto Networks Blog". Palo Alto Networks Blog. Retrieved 2015-11-11.
  16. Thomas Fox-Brewster (September 18, 2015). "Hackers Sneak Malware Into Apple App Store 'To Steal iCloud Passwords'". Forbes. Retrieved 2015-11-11.
  17. Jeremy Scahill; Josh Begley (March 10, 2015). "The CIA Campaign to Steal Apple's Secrets". The Intercept. Retrieved 2015-11-11.
  18. "Core Services Layer". developer.apple.com. Retrieved 2015-11-11.
  19. "UIWindow Class Reference". developer.apple.com. Retrieved 2015-11-11.
  20. "UIDevice Class Reference". developer.apple.com. Retrieved 2015-11-11.
  21. "Inter-App Communication". developer.apple.com. Retrieved 2015-11-11.
  22. "Pangu Team on Weibo". September 21, 2015. Retrieved 2015-11-11.
  23. "Combined research Fox-IT and Palo Alto Networks revealed popular apps infected with malware". Fox-it. September 18, 2015. Archived from the original on 2016-08-12. Retrieved 2015-11-11.
  24. Thomas, Brewster (Sep 18, 2015). "Hackers Sneak Malware Into Apple App Store 'To Steal iCloud Passwords'". Forbes . Archived from the original on Nov 25, 2016.
  25. "Xcode病毒检测, XcodeGhost病毒检测 - 盘古越狱". x.pangu.io. Retrieved 2015-11-11.
  26. Haslam, Karen. "Why the iOS app XcodeGhost exploit shouldn't concern you". Macworld UK. Retrieved 2017-09-24.
  27. "有关 XcodeGhost 的问题和解答". Apple. Archived from the original on November 14, 2015. Retrieved June 17, 2016.
  28. "Validating Your Version of Xcode - News and Updates - Apple Developer". developer.apple.com. Retrieved 2015-11-11.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.