HKCert
Security Blog

iOS Malware XcodeGhost affecting Hong Kong

Release Date: 17 / 11 / 2015
Last Update: 01 / 06 / 2016

In September 2015, security researchers discovered iOS malware, named XcodeGhost, in the official Apple App Store. Over a hundred applications were affected, including common apps such as "WeChat", "TTPod", "Di Di" and "Hexin Financial", and the popular game "Angry Birds 2".
 

Infection Vector


Xcode is Apple's development environment for building iOS apps. Besides the official download from Apple (the Mac App Store), popular file-sharing websites in China also offered Xcode for download. Some of these unofficial copies had malicious code injected into them. When a developer built an iOS app with such a copy of Xcode, the malicious code was compiled into the app, so the app itself became infected. The infected apps passed Apple's review and were published in the official App Store. This malware is called XcodeGhost.
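The practical check for a developer is whether the installed Xcode still carries the signature Apple shipped it with. The following Python helper is an added example, not code from the HKCERT post: it wraps Gatekeeper's assessment tool (`spctl --assess --verbose <bundle>`) and parses its verdict. The sample outputs are constructed, the default path `/Applications/Xcode.app` and the set of sources treated as genuine are assumptions for this example.

```python
"""Check that an installed Xcode is the genuine, Apple-signed build.

Added example, not code from the HKCERT post. It wraps Gatekeeper's
assessment tool (`spctl --assess --verbose <bundle>`), whose output looks like

    /Applications/Xcode.app: accepted
    source=Mac App Store

A copy taken from an unofficial mirror and modified fails the signature
check (or reports a source other than Apple), which is exactly the
condition the XcodeGhost incident turned on.
"""
import subprocess

# Sources Gatekeeper reports for Apple-distributed software. Anything else is
# treated as suspect (assumption for this example: only these three count).
GENUINE_SOURCES = frozenset({"Mac App Store", "Apple", "Apple System"})


def parse_spctl_output(text):
    """Return (accepted, source) parsed from spctl --assess --verbose output.

    `accepted` is True only when the verdict line ends with 'accepted';
    `source` is the value of the 'source=' line, or None if absent.
    """
    accepted = False
    source = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("source="):
            source = line[len("source="):].strip()
        elif ": " in line:
            verdict = line.rsplit(": ", 1)[1].strip()
            if verdict == "accepted":
                accepted = True
            elif verdict == "rejected":
                accepted = False  # an explicit rejection wins
    return accepted, source


def is_genuine(text):
    """True if Gatekeeper accepted the bundle and attributes it to Apple."""
    accepted, source = parse_spctl_output(text)
    return accepted and source in GENUINE_SOURCES


def assess_xcode(path="/Applications/Xcode.app"):
    """Run spctl on the bundle (macOS only); return (genuine, raw_output).

    spctl writes its verbose verdict to stderr, so both streams are merged.
    A non-zero exit status just means 'rejected'; the output explains why,
    so it is returned rather than raised.
    """
    proc = subprocess.run(
        ["spctl", "--assess", "--verbose", path],
        stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True, check=False,
    )
    return is_genuine(proc.stdout), proc.stdout


# Constructed sample outputs (not captured from a real machine) used to
# exercise the parser without running spctl.
SAMPLE_GENUINE = "/Applications/Xcode.app: accepted\nsource=Mac App Store\n"
SAMPLE_TAMPERED = "/Applications/Xcode.app: rejected\nsource=no usable signature\n"
SAMPLE_RESIGNED = "/Applications/Xcode.app: accepted\nsource=Developer ID\n"

if __name__ == "__main__":
    for label, sample in (("genuine", SAMPLE_GENUINE),
                          ("tampered", SAMPLE_TAMPERED),
                          ("re-signed", SAMPLE_RESIGNED)):
        print(label, "->", "OK" if is_genuine(sample) else "SUSPECT")
```

On a build machine, call `assess_xcode()`; any result other than "accepted" with an Apple source means the toolchain should be deleted and downloaded again from Apple, and every app built with it rebuilt.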
 

Malicious behaviours


If a user downloads and installs an infected app from the official App Store, the malware automatically connects to a command and control server (C2 server) predefined in XcodeGhost. Information about the app and the device is sent to the C2 server. The malware may also be able to open a phishing dialog asking for account credentials.
 

Apple Official response


Apple officially announced that the infected apps were being removed from the App Store. Developers of the affected apps would update their apps and submit them to the App Store again.
 

The infection of XcodeGhost in Hong Kong

 

Fig) Number of XcodeGhost infections in Hong Kong

Apple responded to the incident immediately; however, there is still a risk of data leakage if users do not remove or update the affected apps. HKCERT analysed data from Shadowserver and found that, in the first week of October, an average of 14,147 unique IPs per day still connected to the XcodeGhost C2 server. This figure is about 30 times the number seen for other botnet infections.

According to the data, the number of unique IPs had dropped by nearly half, from 14,147 to 7,151, by the fourth week of October. We believe that Apple efficiently stopped the spread of XcodeGhost in the official store, and that affected users received the fixed apps.
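The measurement behind these figures is simple: count the distinct source IPs that contact the C2 server on each day (the beaconing described under "Malicious behaviours"), then compare the daily average between two weeks. The following Python script is an added example, not HKCERT's or Shadowserver's tooling. The C2 hostnames are placeholders (this post does not list the real indicators and none are reproduced here), the record format is an assumption, and the sample records are constructed.

```python
"""Count distinct source IPs per day that contacted XcodeGhost C2 indicators.

Added example, not HKCERT's or Shadowserver's code. It reproduces the kind of
measurement quoted in the post: how many unique IPs per day still reach the
C2 server, and how that figure changes between two periods.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Placeholder C2 hostnames (assumption for this example; the post does not
# list the real XcodeGhost indicators and none are reproduced here).
C2_INDICATORS = frozenset({"c2.example.invalid", "init.c2.example.invalid"})

# Constructed sample records, not real sinkhole data. Format (assumed):
#   <YYYY-MM-DD> <source IP> <destination hostname>
SAMPLE_RECORDS = """\
2015-10-01 203.0.113.10 c2.example.invalid
2015-10-01 203.0.113.11 init.c2.example.invalid
2015-10-01 203.0.113.10 c2.example.invalid
2015-10-01 203.0.113.12 cdn.example.invalid
2015-10-02 203.0.113.10 C2.EXAMPLE.INVALID.
2015-10-02 203.0.113.13 c2.example.invalid
2015-10-02 not-an-ip c2.example.invalid
2015-10-27 203.0.113.10 c2.example.invalid
this line is malformed
"""


def parse_record(line):
    """Parse one record into (iso_day, src_ip, host); None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        day = datetime.strptime(parts[0], "%Y-%m-%d").date()
        src = ipaddress.ip_address(parts[1])  # rejects junk like 'not-an-ip'
    except ValueError:
        return None
    host = parts[2].lower().rstrip(".")  # normalise case and trailing dot
    return day.isoformat(), str(src), host


def unique_c2_ips_per_day(lines, indicators=C2_INDICATORS):
    """Map ISO day -> number of distinct source IPs that hit an indicator.

    Repeated connections from one IP on one day count once, matching the
    'unique IPs per day' figure in the post. Non-C2 destinations are ignored.
    """
    seen = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        day, src, host = rec
        if host in indicators:
            seen[day].add(src)
    return {day: len(ips) for day, ips in sorted(seen.items())}


def daily_average(counts, start, end):
    """Average count over the days in [start, end] that have data (ISO strings)."""
    values = [c for day, c in counts.items() if start <= day <= end]
    return sum(values) / len(values) if values else 0.0


def relative_change(before, after):
    """Fractional change between two averages, e.g. -0.49 for 'nearly halved'."""
    return (after - before) / before


if __name__ == "__main__":
    counts = unique_c2_ips_per_day(SAMPLE_RECORDS.splitlines())
    for day, n in counts.items():
        print(day, n)
    week1 = daily_average(counts, "2015-10-01", "2015-10-07")
    week4 = daily_average(counts, "2015-10-22", "2015-10-28")
    print("sample change: {:+.0%}".format(relative_change(week1, week4)))
    # The post's own figures: 14,147 -> 7,151 unique IPs per day.
    print("HKCERT figures: {:+.0%}".format(relative_change(14147, 7151)))
```

Days with no records are left out of the average rather than counted as zero; with sinkhole data that usually reflects a collection gap, not an absence of infections. Applied to the post's own figures, `relative_change(14147, 7151)` gives about -49%, the "nearly half" quoted above.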

However, the iOS devices behind those more than seven thousand unique IPs are estimated to still be at risk. HKCERT suggests that users update their iOS devices and apps immediately. If you want to know more about the infected XcodeGhost apps, please refer to the following website.

https://blog.lookout.com/blog/2015/09/21/xcodeghost-apps/