XCodeGhost iOS infection toll balloons from 39 to over 4,000 apps
Posted on 09/24/2015 1:47:57 AM PDT by Swordmaker
The number of XCodeGhost-infected iOS apps, initially pegged at 39, has ballooned to more than 4,000, Darren Pauli reports for The Register. Immediately after learning of XcodeGhost, FireEye Labs identified more than 4,000 infected apps on the App Store, FireEye said. The malicious apps steal device and user information and send stolen data to a command and control (CnC) server [and] also accept remote commands including the ability to open URLs sent by the CnC server. These URLs can be phishing webpages for stealing credentials, or a link to an enterprise-signed malicious app that can be installed on non-jailbroken devices.
A FireEye spokesman told Vulture South that many of the infected apps were owned by big Chinese global brands such as consumer electronics, telcos, and banks, Pauli reports. The apps were infected after developers downloaded a copy of the Xcode iOS development tool through a file-sharing service. That package was modified to trojanise apps in a way that passed App Store security checks, and was advertised on popular developer forums as a faster source to download the 3Gb Xcode file.
Read more in the full article here
If you want on or off the Mac Ping List, Freepmail me.
From the article: "Fox-IT (fox-it.com), a Netherlands based security company, checked all C2 domain names from our reports in their network sensors and has found thousands of malicious traffic outside China. According to their data, these iOS apps were also infected:"
WinZip Musical.ly PDFReader guaji_gangtai en Perfect365 网易云音乐 PDFReader Free WhiteTile IHexin WinZip Standard MoreLikers2 CamScanner Lite MobileTicket iVMS-4500 OPlayer Lite QYER golfsense 同花顺 ting installer 下厨房 golfsensehd Wallpapers10000 CSMBP-AppStore 礼包助手 MSL108 ChinaUnicom3.x TinyDeal.com snapgrab copy iOBD2 PocketScanner CuteCUT AmHexinForPad SuperJewelsQuest2 air2 InstaFollower CamScanner Pro baba WeLoop DataMonitor 爱推 MSL070 nice dev immtdchs OPlayer FlappyCircle 高德地图 BiaoQingBao SaveSnap WeChat Guitar Master jin WinZip Sector Quick Save CamCard v.6.5.1
So is this only on jail break phones or is it on a normal iPhone? No way can this be on normal iPhone right? No way could Apple screw up this bad.
“Very few are in any other countries’ App Stores.”
That’s what they said when it was only 39. I suppose you have to toe the company line, though, and ensure no one worries.
Wait so this is in the actual apple app store and not only on jailbreak phones?
Really? OMG! How can this happen? I thought Apple was uber secure and this only happens to Android phones and Windows PCs.
Wow...so using macbot logic, since the Windows Phone store has never been screwed up like this, it's the only secure store out there right now. Quick, macbots, to ensure you have security on your phones, switch to Windows Phone immediately.
Steve Jobs is turning over in his grave seeing what Apple is becoming.
Yes. And if you live in China, then your Apple device might be infected.
Wow...there are like over 1 billion people that live there. How many iPhones did they sell in China?
Also I heard it was hitting other countries as well—not just China. This sounds really, really bad.
Guys. Swordmaker was the person who posted the thread, as a security/privacy alert, and presented the available facts minus the hysterical clickbait headline crapola. What the hell do you want?
Geez. You guys sound like a couple of jackasses. Not saying you -are-, just sayin' your trolling makes you sound just as stupid as the Applebot trolls who make dumb, predictable, snarky comments on the Windows threads. How about you grow up, maybe? Or at least say something different from your usual troll lines, and try not to be so repetitious, eh?
> ...switch to Windows Phone immediately.
> Steve Jobs is turning over in his grave seeing what Apple is becoming.
Now, THAT comment I can agree with.
Thanks from your friendly FR Windows guy. :-) Have a great day!
Huh? Why is it I’m talking about Apple and you assume I’m attacking Swordmaker?
What did I post that had anything to do with Swordmaker? What I’m saying is this is bad for Apple. Sure Swordmaker is downplaying it a little trying to say it’s only in China, but I’m not the one calling him out for that...although I should.
BTW: Yes that’s EXACTLY what I’m doing. I’m illustrating the absurd with the absurd by acting like the Macbots and iDummies on other tech threads.
No no. When Swordmaker posts this, it’s a community service announcement.
“Hey guys, just to let you know, the magnanimous Apple has discovered an issue, but - *don’t* worry - it only affects a small percentage of apps, and they are graciously fixing everything as we speak, so keep using your Apple products comfortably and happily!”
Now, compare that to the way he posts Android-hate articles. There is no assuring commentary; usually, quite the opposite. It’s often posted with comments on why Apple is better and (ahem) FUD regarding Android.
You, know... all the stuff you’d expect from a paid social marketer.
***Bear in mind***, I have *absolutely nothing* against Apple. Having used both, I prefer my Android device, but I don’t hate Apple. The only thing I have against Apple is the presence of one of their paid social marketers trolling our board, building up a false persona, solely to push their products to an unwitting forum.
See post #12.
“Really? OMG! How can this happen?”
Ah, the ever-clueless 4-q-clinton surfaces from the muck again.
It happens because security is hard. At least this has been found; the most serious vulnerabilities are those that have gone undetected. I wonder how many of those are on the near-empty Windows store?
The situation is far better than Android, where hundreds of millions (billions?) of highly vulnerable devices will never even receive an update...
By the way, the severity of this particular exploit is low. The malware encrypts and uploads the following:
- Current time
- Current infected app's name
- The app's bundle identifier
- Current device's name and type
- Current system's language and country
- Current device's UUID
- Network type
It looks a lot more like a proof-of-concept than serious malware.
Reminder, developers - be careful where you get your development tools! (At least the idiots in China who downloaded this should have made sure the checksums matched!)
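An added example, not from the thread or any of the vendors it quotes: a small POSIX shell script doing the check the post calls for, comparing a downloaded Xcode archive's SHA-256 against a digest obtained from the vendor out-of-band and, on macOS only, checking the Apple package signature. The script name, file name and digest argument are placeholders.

```shell
#!/bin/sh
# Verify a downloaded developer-tool archive before installing it.
# The expected digest must come from a trusted channel (the vendor's own
# HTTPS site), never from the same mirror or forum post as the download.

# Compute the SHA-256 of a file; portable across Linux (sha256sum) and macOS (shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 when the file's digest matches the expected one (case-insensitive),
# 1 on a missing file or a mismatch, printing both digests for the operator.
verify_sha256() {
    file="$1"
    expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    actual="$(sha256_of "$file")"
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# On macOS, also confirm the .xip/.pkg carries a valid Apple signature.
# pkgutil only exists on macOS, so the check is skipped elsewhere.
verify_signature() {
    if command -v pkgutil >/dev/null 2>&1; then
        pkgutil --check-signature "$1"
    else
        echo "pkgutil not available; skipping signature check" >&2
    fi
}

# Usage (placeholders): ./verify_xcode.sh Xcode.xip <sha256 published by Apple>
if [ "$#" -eq 2 ]; then
    verify_sha256 "$1" "$2" && verify_signature "$1"
fi
```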
Whoops, it is worse than I read at first:
Palo Alto Networks also discovered that infected iOS apps can receive commands from the attacker through the C2 server to perform the following actions:
- Prompt a fake alert dialog to phish user credentials;
- Hijack opening specific URLs based on their scheme, which could allow for exploitation of vulnerabilities in the iOS system or other iOS apps;
- Read and write data in the user's clipboard, which could be used to read the user's password if that password is copied from a password management tool.
Apple should auto-remove the offending apps from affected devices, though I didn’t see that confirmed anywhere.
So you’re saying there are no undetected vulnerabilities on Apple products now?
This is on regular CHINESE iOS App Store devices. The exposure outside of China is extremely limited. It does not require jailbreaking the iPhone or iPad. The claim that private data can be stolen, or that the apparently compromised apps can be used to download and install other malware, has not been proved to be true, as no secondary malware has been found. The malware encrypts and uploads the following:
The only serious issue is the hijacking of specific URLs, but it is SPECIFIC URLs pre-programmed for the Chinese networks. . . and most of those have security certification which will block that approach.
Phishing for credentials by having a sudden, out-of-the-blue, pop-up asking for an AppleID and password, unassociated with something you are doing is a red flag for anyone paying attention.
Not really...iPhone users assume they are secure, so a creds request will most likely be responded to. Especially by dumb users... Which is most.
Still lying and trying to hijack the thread into an ad hominem attack on me, bolobaby. Give it a rest. The 99.9% figure came from an initial report from one of the security firms investigating the infection, not Apple.
That 99.9 percent is still about the correct figure. 99.9% of 4000 is approximately 4-5 apps. The vast majority of the infected apps were made for the Chinese market. They've identified four or five of those Chinese Apps that have been translated into other languages and gone international . . . but even some of those named apps turn out to be the Chinese language or other versions that have not yet been sent overseas. Some of the named apps just share names because they were ported into Chinese by sub-contractors for the App publishers who used the spurious XcodeGhost version of Apple's Xcode.
The C2 domain is one of CHINA's main domains.
Some apps are also available from the App Store in other countries. For example, CamCard, developed by a Chinese company, is the most popular business card reader and scanner in many countries (including the US) around the world. (Update Sept. 21: We've verified that, while CamCard v6.5.1 in the Chinese App Store was infected by XcodeGhost, the older version of CamCard, v5.5.2, found in the U.S. App Store, is not infected.)
WeChat is the most popular IM app not only in China but also in many countries or regions in Asia Pacific. Version 6.2.5 of WeChat is what we have verified to be infected. Tencent has updated to 6.2.6, which removed the malicious code.
Palo Alto Networks is cooperating with Apple on the issue and we also suggest all iOS developers be aware and take necessary actions.
It may be 1% of the 4000 or so have gone international that are infected, which would be on the close order of 40-50, but even those are unlikely to be in the US, and more likely in the Asian area. Apple is removing all infected apps from all stores wherever they are located.
Many of the publishers of the English and other language versions of the listed apps have made statements that their apps are not infected, explaining that only the subcontractors in China who made the conversions to the Chinese language versions of their Apps used the XcodeGhost which infected their apps.