LONDON -- Apple's App Store has its first malware problem hitting iPhones and iPads around the world. That the malicious code is coming from China will no doubt add another layer of intrigue when Chinese President Xi Jinping meets executives from many of the biggest technology companies, including Apple, in Seattle on Tuesday.
The App Store has been called the foremost security innovation of the past decade and is seen as the gold standard in securing the hundreds of millions of people around the world who use iPhones and iPads. That is why news that Apple admitted it removed malicious apps from the App Store after they were published is so significant.
Many headlines breathlessly claim that hundreds of millions of users are at risk, but what is the real impact of the malware dubbed XcodeGhost, and what does it mean for iPhone and iPad users?
What Is XcodeGhost?
XcodeGhost is a piece of malware intended to infect Xcode, which is software used to develop apps for iPhones and iPads. Using this infected software, developers inadvertently infect their apps and these are then published on the App Store -- thus circumventing Apple’s typically robust review process.
What Is Xcode?
Xcode is a suite of development tools distributed by Apple to developers for free to let them create apps for both iOS and the App Store.
The problem does not lie in Apple’s official version of Xcode but with an unofficial version uploaded to the cloud storage service of Baidu (the Chinese Google) and downloaded by multiple developers. A search for Xcode 6.4 download on Baidu shows four unofficial versions listed ahead of Apple’s version.
That Sounds Like A Big Problem For Apple.
It is, as it allows apps infected with malware to bypass the review process, though exactly why the malware-infected apps were not flagged is not yet clear. The problem also extends to enterprise apps, which are developed in-house by businesses and distributed outside of the App Store.
It should be noted that Apple has a security system in place on its Mac computers to prevent these malicious pieces of software being used. Called Gatekeeper, the system would need to be manually disabled by developers in order to run the malicious version of Xcode. That said, if developers are willing to go to such lengths to get a piece of software that's free, it is clearly something Apple needs to address.
Why Do Chinese Developers Not Download Direct From Apple?
For two reasons. The first is that China’s Internet is pretty slow, with Akamai listing the country 84th in terms of download speeds globally. The second reason is that Xi’s government limits access to foreign servers to just three gateways, meaning downloading Apple’s official version of Xcode (which is 3.59GB in size) can take a prohibitively long time.
What Can The XcodeGhost Malware Do?
According to security researcher Xavier Mertens, the malicious apps can be used to send the following information from your iPhone or iPad to the command-and-control servers used by those spreading the malware:
- Application name
- Application version
- OS version
- Developer info
- Application installation type
- Device name
- Device type
On the face of it, this information doesn’t appear to be hugely sensitive, but it could be used by criminals to mount a social engineering campaign against victims to gain even greater access.
Where Is This Attack Coming From?
So far the vast majority of malicious apps compiled by infected versions of Xcode are coming from China, with most of the apps aimed at iPhone and iPad users in that country.
Are iPhone and iPad Users Outside China Safe?
No. Versions of some highly popular apps among users around the world have also been infected. The messaging app WeChat (which has more than 600 millions users globally) has been affected, as have a version of popular game Angry Birds 2 and CamCard, the No. 1 business card scanner app in the U.S.
How Many Apps Have Been Infected?
This is unclear. Initially Palo Alto Networks, the security company that was among the first to report the problem, listed 39 apps that were affected. Since then Dutch security company Fox-IT has identified a further 56 apps it says are affected, while Chinese security company Qihoo360 Technology Co. says that more than 340 infected apps were published on the App Store.
While Apple said it has removed apps from the App Store, it has not revealed how many.
What Else Has Apple Said?
In an emailed statement, Apple told International Business Times:
Apple takes security very seriously and iOS is designed to be reliable and secure from the moment you turn on your device. We offer developers the industry’s most advanced tools to create great apps. A fake version of one of these tools was posted by untrusted sources which may compromise user security from apps that are created with this counterfeit tool. To protect our customers, we’ve removed the apps from the App Store that we know have been created with this counterfeit software and we are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.
Does This Represent A Major Breach Of App Store Security?
Without a doubt. While Apple will claim (with some justification) that the fault lies with the developers who downloaded a fake version of Xcode and disabled Gatekeeper, the simple fact is that dozens, if not hundreds, of apps got past App Store security measures and put iPhone and iPad users at risk.
In the past we have seen malware appear on the App Store, but XcodeGhost represents the most successful, widespread and significant breach to date, and only a full investigation will tell if user data has been compromised. A further worry is that XcodeGhost shows that trojanizing an app is an effective way of getting malware into the App Store and we could see a lot more criminals looking to exploit similar vulnerabilities.
What Should iPhone And iPad Users Do?
If you own an iPhone or iPad and fear that you have downloaded some of these malicious apps, then you should either uninstall them or update them to the latest versions through the App Store. Merterns has listed the following checks to carry out if you want to check if your iPhone/iPad is infected:
- Check for HTTP traffic to http://init.icloud-analysis.com in your firewalls or proxies logs.
- Check for traffic to these IP addresses.
- Remove the apps listed as malicious.
- Change passwords on websites used by the malicious applications.