iOS Malware XcodeGhost affecting Hong Kong
In the Sep-2015, a security researcher discovered iOS malware XcodeGhost in official Apple Store. Over hundred applications were affected, including "WeChat", "TTPod", "Di Di", "Hexin Financial" common application and "Angry Birds 2" famous game.
Xcode is an iOS application development kit. Besides the official Apple App Store, popular websites in China provide the download of Xcode. Some unofficial Xcode was injected malicious codes. When developers used the unofficial Xcode to build the iOS app, the app became infected. The infected apps can bypass the verification and be published in the Apple official App Store. This malware is called XcodeGhost.
If user download and install the infected XcodeGhost app from Apple official App Store, the malware will connect to the XcodeGhost predefined command and control server (C2 server) automatically. The information of apps and devices will be sent to the C2 server. The malware may also be able to open phishing dialog asking for account information.
Apple Official response
Apple officially announced, the infected app were under the removal process in the App Store. The affected apps' developers would update their apps and submit to the App Store again.
The infection of XcodeGhost in Hong Kong
Fig) The number of XcodeGhost infection in Hong Kong
The official made an immediate response to this accident, however, there is still a risk of data leakage if users does not remove or update the affected apps. HKCERT analyzed the data from the Shadowserver. We discovered that average 14,147 unique IPs per day still made connection to the C2 server of XcodeGhost in the first week of October. This figure is about 30 times of other botnets infection.
According to the data, the number of unique IP dropped nearly half, from 14,147 to 7,151, by the fourth week of October. We believe that Apple has stopped the spread of XcdoeGhost efficiently in official store, and the affected users got the update of fixed apps.
However, it is estimated that the iOS devices using those over seven thousand unique IP, are still at risk. HKCERT suggests that users should update iOS device and apps immediately. If your want to know more about the infected XcdoeGhost apps, please refer to the following website.
- XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps, Palo Alto Networks
- The XcodeGhost Plague – How Did It Happen?, Trend Mirco
- iOS Malware, XcodeGhost, Infects Millions Of Apple Store Customers, Symantec
- XcodeGhost S: A New Breed Hits the US, FireEye
- Xcode编译器里有鬼 – XcodeGhost样本分析, Wooyun