XcodeGhost – still a threat to US-based Apple app users despite several steps taken


Two months back, Chinese developers discovered and disclosed the existence of an iOS malware named XcodeGhost. The developers revealed the details on the microblogging site Sina Weibo. Let’s have a look at what this security threat is all about and what it affects. It is very important for all developers to know about this ghost, so that they can develop apps in a way that does not get affected by it.

XcodeGhost: An Introduction

The malware known as XcodeGhost comes from a malicious version of Xcode. Xcode is the development environment used to build apps for both iOS and Mac OS X, i.e. for all Apple devices. The existence of this ghost was first revealed in September 2015, when a large number of apps uploaded to the iTunes App Store by Chinese developers were found to contain malicious code. This was the first large-scale attack of its kind that the App Store had faced since its inception. Many developers in China had been looking for alternative copies of the Xcode development environment to beat the slow network speeds experienced there. This altered version led to the malicious attack, which resulted in the malware being inserted into top-notch, high-profile App Store apps.

Even now, two months after the attack, many apps are still at risk from this malware. In fact, many enterprise apps have been infected by it. A new variant of this ghost has also appeared, now referred to as XcodeGhost S. This new variant has been observed in popular apps like WeChat and Netease, which are now at security risk.

The Risk Continues

The risk began when the malicious version of Xcode, now referred to as XcodeGhost, was uploaded to the cloud file-sharing service Baidu and eventually downloaded by iOS developers in China for Apple app development. These developers used the IDE unaware of the malware. The infected apps were then uploaded to the App Store, and they somehow managed to pass Apple’s code review process. This massive attack infected close to 50 apps, which in turn affected 500 million iOS users.

It puts the iOS device at risk. Let’s understand how. When an iOS app is infected with XcodeGhost, it can collect information on the device, encrypt it and upload it to command-and-control servers. These servers are run by the attackers and use plain HTTP. The information collected includes the time, the app’s name, the app bundle identifier, the device name and type, the language and country, the device UUID and the network type in use. The infected apps can also receive commands from the attacker through the C2 server and perform arbitrary actions such as prompting a fake alert, hijacking certain URLs, or even capturing a password from the password management tool.

Several developers are currently working with Apple to remove this malware at its root. Apple is taking the first step by removing the malware from its store and moving towards secure application development. It is first removing those apps that have been infected by this malware. The second step is to have the developers of those apps remove the malware and rebuild them in a way suited to the App Store. Once a clean version of an app is ready, it will be uploaded to the store again. While Apple is making efforts to remove the code from the store, let’s see how developers can protect their apps against this malware.

Avoiding this Situation

Apple has already started taking steps to remove the malware from its store. It is also important for enterprises to check that their own systems are secure. Search the installed apps and see if they meet the criteria for infected apps. If they do, ask the end users to update or remove those apps from their devices.

Before developing an app for the App Store, check that your developers are using the official version of Xcode. Remove any hacked or blocked versions and reinstall the official one. Use Casper Suite to keep a check on vulnerabilities in the devices. Install patches and updates at periodic intervals.
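One way to automate the first check above, as an added example that is not part of the original post: it wraps the macOS `spctl` and `codesign` tools to confirm the installed Xcode bundle is still Apple-signed and unmodified. The install path and the list of trusted `spctl` sources are assumptions here, and the command-line parsing is separated out so it can be tested without a Mac.

```python
"""Verify that an installed Xcode.app is a genuine, unmodified Apple build (macOS only)."""
import re
import subprocess
import sys

XCODE_PATH = "/Applications/Xcode.app"  # assumed default install location
# Assumed set of `spctl` sources that indicate an Xcode obtained from Apple.
TRUSTED_SOURCES = {"Mac App Store", "Apple System", "Apple"}


def classify_spctl(returncode, output):
    """Interpret the result of `spctl --assess --verbose <app>`.

    Returns "genuine" when Gatekeeper accepts the bundle and attributes it to a
    trusted source, "rejected" when the assessment fails, and "suspect:<source>"
    when the bundle is accepted but signed by someone other than Apple
    (the situation a re-packaged Xcode would produce).
    """
    if returncode != 0 or ": accepted" not in output:
        return "rejected"
    match = re.search(r"^source=(.+)$", output, re.MULTILINE)
    source = match.group(1).strip() if match else ""
    return "genuine" if source in TRUSTED_SOURCES else "suspect:" + source


def run(cmd):
    """Run a command and return (exit code, combined stdout and stderr)."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def check_xcode(path=XCODE_PATH):
    """Classify the Xcode bundle at `path` using two independent checks."""
    rc, out = run(["spctl", "--assess", "--verbose", path])
    verdict = classify_spctl(rc, out)
    # Second check: the bundle's own signature and sealed resources must verify,
    # which catches files swapped inside an otherwise accepted bundle.
    rc_sign, _ = run(["codesign", "--verify", "--deep", "--strict", path])
    if rc_sign != 0:
        verdict = "rejected"
    return verdict


if __name__ == "__main__":
    result = check_xcode(sys.argv[1] if len(sys.argv) > 1 else XCODE_PATH)
    print(result)
    sys.exit(0 if result == "genuine" else 1)
```

Run it on each developer machine; any result other than `genuine` means the Xcode install should be deleted and reinstalled from the Mac App Store or Apple's developer site.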

It is important for new developers to keep a check on this malware and win the fight against it before starting iOS application development.

More About the Author


Vishal Nakum

Vishal Nakum is a tech enthusiast with a passion for exploring the latest developments in the world of technology. He has a keen interest in emerging technologies such as Artificial Intelligence, Machine Learning, and Blockchain, and enjoys keeping up-to-date with the latest trends and advancements in these fields. Vishal is an avid learner and is always on the lookout for new ways to expand his knowledge and skills. He is also a creative thinker and enjoys experimenting with new ideas and concepts. In his free time, Vishal enjoys playing video games and reading books on technology and science.