Apple Targeted as Malware Infects China Mobile Apps

The Wall Street Journal ^ | Sept. 20, 2015 8:18 p.m. ET | By JOSH CHIN

[Swordmaker]

WeChat, Didi Kuaidi among dozens hit; breach of iOS platform is called unusual

A number of popular Chinese mobile apps, including Tencent’s WeChat,
were infected with malware by hackers targeting Apple’s iOS mobile platform.

A number of populwith malware by hackers targeting Apple’s iOS mobile platform.

BEIJING—Some of the most popular Chinese names in Apple Inc.’s App Store were found to be infected with malicious software in what is being described as a first-of-its-kind security breach, exposing a rare vulnerability in Apple’s mobile platform, according to multiple researchers.

The applications were infected after software developers were lured into using an unauthorized and compromised version of Apple’s developer tool kit, according to researchers at Alibaba Mobile Security, a mobile antivirus division of Alibaba Group Holding Ltd.

The list of recently compromised iPhone and iPad apps includes Tencent Holdings Ltd.’s popular mobile chat app WeChat, Uber-like car-hailing app Didi Kuaidi, and a Spotify-like music app from Internet portal NetEase Inc.

The attack affected more than three dozen apps, according to U.S.-based cybersecurity firm Palo Alto Networks Inc.

The infected apps can transmit information about a user’s device, prompt fake alerts that could be used to steal passwords to Apple’s iCloud service, and read and write information on the user’s clipboard, according to researchers.

Apple said in a late Sunday statement that it had taken steps to address the problem. “To protect our customers, we’ve removed the apps from the App Store that we know have been created with this counterfeit software and we are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps,” the statement said.

[Swordmaker]

Note this was a very rare attack that affected only the Apple App Store ONLY in China. It was caused by convincing some Chinese developers to download Apple XTools not from Apple but from an untrusted third-party source that had added extra lines of code to the tools used to build Apps.

The Apps were designed by the malicious XTools to add code that would get by Apple's stringent Curation by only adding things that would not be severe enough to majorly compromise device security.

This article claims that they were capable of creating requestors that might compromise AppleIDs, but that is not the case, as those are things that Curation is designed to catch.

They were however capable of reading and writing to the clipboard. Apple has already removed all apps developed with the malicious XTools and is helping the developers who used them to modify their apps that were made with them with appropriate Apple only XTools.

This effected ONLY apps sold on the Chinese Apple App store and no other.

[Swordmaker]

Apple's Chinese App Store hit by some infected malware created by malicious XTools which developers were persuaded to download from non-Apple third-partly suppliers. Apple has removed all offending infected apps from the Chinese Apple App Store and is working with the developers to repair their infected apps. Some of the most popular Apps on the Chinese App Store were involved. The malicious XTools added code to the apps that harvested device information, could read and write user clipboards, but contrary to this article could not steal AppleID information (that would have triggered curation flags). The Fake XTools have been dubbed XCodeGhost.

Only one app that was developed and uploaded internationally is "WeChat." If you have downloaded it, check your version. WeChat version 6.2.6 is NOT infected with the XCodeGhost malware and is OK to keep. If you have any other version, delete it and download the latest updated version.

Affected apps included versions of WeChat, a very popular messaging app in China. One Chinese security firm said it found 344 apps infected by XcodeGhost but Apple declined to confirm the number. Apps built with XcodeGhost will secretly send device information back to the hackers as well as initiate phishing attacks for more sensitive user credentials.

— PING!

Apple iOS Security
Ping!

The Latest Apple/Mac/iOS Pings can be found by searching Keyword “ApplePingList” on Freerepublic’s Search.

If you want on or off the Mac Ping List, Freepmail me.

[Swordmaker]

Here's more information on what happened:

It is unusual for malware to spread through Apple’s App Store, which typically subjects apps to stringent reviews. In a blog post Thursday, Palo Alto Networks said the attack was the first of its type directed at Apple’s iOS mobile operating system. Chinese anticensorship activist group Greatfire.org called it “the most widespread and significant spread of malware” in the app store’s history.

. . .

The hack exploited Chinese developers’ impatience, according to Palo Alto Networks. To write apps for Apple devices, developers have to use a tool kit called Xcode, but downloading the official version from Apple’s website can take a long time in China.

The hackers posted their infected version on a Chinese server, advertising faster downloads, the researchers said. Any app created or altered using the bogus Xcode would then become infected with the malware, they said.

The infected Xcode was hosted on Baidu Pan, a cloud service offered by Chinese search company Baidu Inc., said multiple security researchers.

Baidu Pan removed the sabotaged XTools files as soon as they were notified of their malicious nature.

[ctdonath2]

To clarify for the inevitable trolls:

“The hackers embedded the malicious code in these apps by convincing developers of legitimate software to use a tainted, counterfeit version of Apple’s software for creating iOS and Mac apps, which is known as Xcode, Apple said.”

Don’t use the tools designed to keep you safe, and use tools from scam artists instead (when the proper tools are free even!), don’t be surprised if you get taken by a con.

[ctdonath2]

Note too that the scam was detected, the loophole closed, and the affected software removed in a very few days.

[Swordmaker]

Note too that the scam was detected, the loophole closed, and the affected software removed in a very few days.

What I note is that many of the websites and news agencies reporting this are omitting the part of the story that it is primarily only the Chinese Apple App Store that is at all affected. The US store has had one, count'em, one app involved. In two of the stories I had to read more than two-thirds of the way through them before before I learned the problem really only existed in China. The headlines strongly imply it is the Apple App Store in this country.

[BenLurkin]

bttt

[Unrepentant VN Vet]

Gee, you’d almost think that the media is as full of crap when “reporting” business news as they are, say, when they “report” something political or maybe the latest Unemployment statistics.

(Do I really need the /sarc????)

[Swordmaker]

Gee, you’d almost think that the media is as full of crap when “reporting” business news as they are, say, when they “report” something political or maybe the latest Unemployment statistics.

Nope, it's the Main Stream Media, tech division.

[dila813]

Maybe they can make it more secure by having the dev kit sign the app before submission.

[conservatism_IS_compassion]

Maybe they can make it more secure by having the dev kit sign the app before submission.

. . . possibly by, somehow, documenting the size of the file in the dev kit?

[conservatism_IS_compassion]

What I note is that many of the websites and news agencies reporting this are omitting the part of the story that it is primarily only the Chinese Apple App Store that is at all affected. The US store has had one, count'em, one app involved. In two of the stories I had to read more than two-thirds of the way through them before before I learned the problem really only existed in China. The headlines strongly imply it is the Apple App Store in this country.

Gee, you’d almost think that the media is as full of crap when “reporting” business news as they are, say, when they “report” something political or maybe the latest Unemployment statistics.

Journalism is entertainment.

Journalists flatter their readers that they are interested in what is important, and flatter themselves that they provide it. The reality is quite different; the rules of journalism:

• If it bleeds, it leads

• ”Man Bites Dog” not “Dog Bites Man”

• There’s nothing more worthless than yesterday’s newspaper

are entertainment rules, not substance rules.

In the Founding Era, most newspapers were weeklies, but there were newspapers which had no deadlines at all but went to press when the printer was good and ready (like a FReeper posting something to FR, actually).

Clearly, when you think about it, only talking when you actually think you have something to say - rather than because it is Monday, and almost 10:30 AM EST - is a much more substance-driven approach. Why should I post something against a deadline??? Ridiculous to think of a FReeper doing that!

[Swordmaker]

The list of infected Chinese Apps from 9 to 5 Mac:

After yesterday’s revelation that hundreds of iOS apps on the App Store had been infected by malware, security company Palo Alto Networks has posted a list of some of the affected apps – which include Angry Birds 2.

The apps were infected by a fake copy of Xcode dubbed XcodeGhost, unwittingly downloaded by Chinese developers in place of the real thing. It’s believed they downloaded the fake from local servers because it took too long to download the original from Apple’s own servers. It’s not yet known why Apple’s own checks did not detect the malware when apps were submitted to the App Store.

It’s been suggested that over 300 apps are infected, with 31 of them so far identified (list below) … 

• Angry Birds 2
• CamCard
• CamScanner
• Card Safe
• China Unicom Mobile Office
• CITIC Bank move card space
• Didi Chuxing developed by Uber’s biggest rival in China Didi Kuaidi
• Eyes Wide
• Flush
• Freedom Battle
• High German map
• Himalayan
• Hot stock market
• I called MT
• I called MT 2
• IFlyTek input
• Jane book
• Lazy weekend
• Lifesmart
• Mara Mara
• Marital bed
• Medicine to force
• Micro Channel
• Microblogging camera
• NetEase
• OPlayer
• Pocket billing
• Poor tour
• Quick asked the doctor
• Railway 12306 the only official app used for buying train tickets in China
• SegmentFault
• Stocks open class
• Telephone attribution assistant
• The driver drops
• The Kitchen
• Three new board
• Watercress reading
• WeChat

Although it’s unclear whether U.S. and European app stores have been affected, the safest course if you have any of the apps installed is to delete them and then download again from the App Store as and when available. Apple says that it has removed all the infected versions and is working with developers to get clean versions uploaded in their place.

Update 1: The list of apps has now been updated with apps identified by Dutch security company Fox-IT. The company is reporting seeing malware traffic from the apps in Europe.

Update 2: Rovio has advised that only the version of Angry Birds 2 in the Chinese App Store was affected.

I wish to clarify that Rovio can confirm that only the Chinese build of Angry Birds 2 — available only on the App Store in Mainland China, Taiwan, Hong Kong and Macau — is vulnerable to the security issue. All other builds of Angry Birds 2 available in other countries are completely safe and secure. An update of Angry Birds 2 for customers in Mainland China, Taiwan, Hong Kong and Macau that fixes the issue is coming very shortly.

Interestingly, a Snowden leak from the CIA’s internal wiki system suggested that the agency had considered using a modified version of Xcode as an attack vector.

Via Business Insider

[MeshugeMikey]

Railway 12306 the only official app used for buying train tickets in China

ahahaha how incrediby conventient that !!

[MeshugeMikey]

Railway 12306 the only official app used for buying train tickets in China

ahahaha how incrediby conventient that !!

[Swordmaker]

ahahaha how incrediby conventient that !!

Very!

[dila813]

something like that, MD5 of the Dev kit encrypted and signed, if the MD5 doesn’t match, reject the app

[MeshugeMikey]

I have to wonder if there were any CHEMICAL PLANT APPS....developed for the apple watch in the Chines Market?