The XcodeGhost attack against the App Store

Date : September 08, 2015

In September, Palo Alto Networks discovered XcodeGhost, a threat against iOS apps, and thereby revealed that for the first time the App Store had been the victim of a large-scale compromise.

The compromising method

The attackers found a way around the difficulty of infecting iOS applications directly by targeting Xcode, the development environment for iOS and Mac OS X.

Because Internet speeds in China are slow, developers there are much more likely to download Xcode (which exceeds three gigabytes) from untrusted local sites, or to pass copies around among themselves.

A malicious actor released a tampered Xcode build that generates infected applications which are nonetheless signed and accepted as legitimate.

The impact

Since many companies develop their applications in low-cost countries, many signed but infected applications have made their way into the App Store.

The number of affected applications varies widely by source: 25 according to Apple, more than 4,000 according to FireEye.
Popular applications such as WeChat, PDF Reader, WinZip, Pocket Scanner and CamCard were compromised.

According to Palo Alto Networks, who discovered it, iOS applications infected with XcodeGhost collect system and application information from the device, then encrypt that data and upload it over HTTP to command and control (C2) servers.

The actions to stop the attack and reduce the risk

Apple responded by:

  • Cleaning the App Store.
  • Setting up a local server in China to reduce Xcode download times.
  • Working closely with developers to ensure that they use an official Xcode version.

Baidu has removed all malicious Xcode installers from its cloud file sharing service.

The C2 servers have been taken down.

We strongly recommend that you regularly check Apple's information page on the affected applications to see whether any application you use is infected, and whether Apple offers a fixed version of it.
Connection attempts to the C2 servers (see the Palo Alto Networks article) can be used to detect an infected application.
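As an added example, not part of the original article, the following Python script applies the detection approach just described: it scans HTTP proxy access log lines and reports every client that tried to reach a host on a C2 watchlist. The watchlist entries and the Squid-style log lines are constructed placeholders; the real XcodeGhost C2 domains are those given in the Palo Alto Networks article.

```python
import re
from collections import defaultdict

# Placeholder watchlist (assumption): replace with the XcodeGhost C2 domains
# listed in the Palo Alto Networks article; none are reproduced here.
XCODEGHOST_C2_DOMAINS = {"c2-domain-1.example", "c2-domain-2.example"}

# Squid-style access log fields: time elapsed client status/code bytes method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def host_of(url):
    """Return the lowercase host from a URL or from a CONNECT 'host:port' target."""
    if "://" in url:
        url = url.split("://", 1)[1]
    return url.split("/", 1)[0].split(":", 1)[0].lower()

def find_c2_contacts(log_lines, watchlist=XCODEGHOST_C2_DOMAINS):
    """Map each client address to the C2 domains it tried to reach."""
    # The uploaded data is encrypted, so the destination host is the usable
    # signal. Match exactly or on a subdomain boundary only, so that a host
    # such as 'notc2-domain-1.example' is not a false positive.
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = host_of(m.group("url"))
        for bad in watchlist:
            if host == bad or host.endswith("." + bad):
                hits[m.group("client")].add(bad)
    return dict(hits)

# Constructed sample log lines: 10.0.0.5 and 10.0.0.7 would be devices
# running an infected app and deserve triage.
SAMPLE_LOG = [
    "1442700000.123    245 10.0.0.5 TCP_MISS/200 512 POST http://c2-domain-1.example/ - HIER_DIRECT/203.0.113.9 text/plain",
    "1442700001.456     12 10.0.0.6 TCP_HIT/200 2048 GET http://www.apple.com/ - NONE/- text/html",
    "1442700002.789    300 10.0.0.7 TCP_TUNNEL/200 900 CONNECT sub.c2-domain-2.example:443 - HIER_DIRECT/198.51.100.4 -",
    "1442700003.000     50 10.0.0.5 TCP_MISS/200 300 GET http://notc2-domain-1.example/ - HIER_DIRECT/203.0.113.10 text/plain",
]

if __name__ == "__main__":
    for client, domains in sorted(find_c2_contacts(SAMPLE_LOG).items()):
        print(f"{client} contacted XcodeGhost C2: {', '.join(sorted(domains))}")
```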

Conclusions

This attack is notable for two reasons:

  • This is the first large-scale attack against the App Store,
  • The App Store was attacked indirectly, by targeting developers.

Apple now knows that developers are a prime target for attackers who want to get into the App Store, and will take this into account in its security policy.

The actions taken so far (removal of the most popular affected applications, shutdown of the C2 servers, eradication of the malicious Xcode versions) have greatly reduced the threat posed by this attack.
However, it is likely that many App Store applications are still infected, and that this attack has not been entirely stopped.

For more information:
