XCodeGhost iOS infection toll balloons from 39 to over 4,000 apps
Mac Daily News | Wednesday, September 23, 2015 · 5:27 pm

Posted on 09/24/2015 1:47:57 AM PDT by Swordmaker

“The number of XCodeGhost-infected iOS apps, initially pegged at 39, has ballooned to more than 4,000,” Darren Pauli reports for The Register. “‘Immediately after learning of XcodeGhost, FireEye Labs identified more than 4,000 infected apps on the App Store,’ FireEye said. ‘The malicious apps steal device and user information and send stolen data to a command and control (CnC) server [and] also accept remote commands including the ability to open URLs sent by the CnC server. These URLs can be phishing webpages for stealing credentials, or a link to an enterprise-signed malicious app that can be installed on non-jailbroken devices.’”

“A FireEye spokesman told Vulture South that many of the infected apps were owned by ‘big Chinese global brands’ such as consumer electronics, telcos, and banks,” Pauli reports. “The apps were infected after developers downloaded a copy of the Xcode iOS development tool through a file-sharing service. That package was modified to trojanise apps in a way that passed App Store security checks, and was advertised on popular developer forums as a faster source to download the 3Gb Xcode file.”

Read more in the full article here.


TOPICS: Business/Economy; Computers/Internet; Conspiracy
KEYWORDS: applepinglist
It is amazing that almost all of the articles on XcodeGhost fail to mention that the infections are limited to the Chinese Apple App Store, except for a very few apps such as WeChat that were distributed internationally. 99.9% of these affected apps are in the Chinese language.
1 posted on 09/24/2015 1:47:57 AM PDT by Swordmaker

To: ~Kim4VRWC's~; 1234; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; Aliska; altair; ...
The XcodeGhost infections in the Chinese Apple App Store have been found to now number over 4000 instead of the 39 originally found. Very few are in any other countries' App Stores. — PING!


Chinese Apple XcodeGhost Piracy
Ping!

The Latest Apple/Mac/iOS Pings can be found by searching Keyword “ApplePingList” on Freerepublic’s Search.

If you want on or off the Mac Ping List, Freepmail me.

2 posted on 09/24/2015 1:55:08 AM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker
It looked like 99% Chinese initially, but now that the number jumped from 39 to 4000, all bets are off. It is confirmed people are being infected outside of China, and there are many infected apps in English (though still not confirmed how many are in the US store). Check the updated list here:

http://researchcenter.paloaltonetworks.com/2015/09/malware-xcodeghost-infects-39-ios-apps-including-wechat-affecting-hundreds-of-millions-of-users/#

WinZip
Musical.ly
PDFReader
guaji_gangtai en
Perfect365
网易云音乐
PDFReader Free
WhiteTile
IHexin
WinZip Standard
MoreLikers2
CamScanner Lite
MobileTicket
iVMS-4500
OPlayer Lite
QYER
golfsense
同花顺
ting
installer
下厨房
golfsensehd
Wallpapers10000
CSMBP-AppStore
礼包助手
MSL108
ChinaUnicom3.x
TinyDeal.com
snapgrab copy
iOBD2
PocketScanner
CuteCUT
AmHexinForPad
SuperJewelsQuest2
air2
InstaFollower
CamScanner Pro
baba
WeLoop
DataMonitor
爱推
MSL070
nice dev
immtdchs
OPlayer
FlappyCircle
高德地图
BiaoQingBao
SaveSnap
WeChat
Guitar Master
jin
WinZip Sector
Quick Save
CamCard v.6.5.1
From the article. "Fox-IT (fox-it.com), a Netherlands based security company, checked all C2 domain names from our reports in their network sensors and has found thousands of malicious traffic outside China. According to their data, these iOS apps were also infected:"
3 posted on 09/24/2015 2:37:23 AM PDT by Wayne07

To: Swordmaker

So is this only on jailbroken phones or is it on a normal iPhone? No way can this be on a normal iPhone, right? No way could Apple screw up this bad.


4 posted on 09/24/2015 3:41:04 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: Swordmaker

“Very few are in any other countries’ App Stores.”

That’s what they said when it was only 39. I suppose you have to toe the company line, though, and ensure no one worries.


5 posted on 09/24/2015 4:18:48 AM PDT by bolobaby

To: bolobaby

Wait so this is in the actual apple app store and not only on jailbreak phones?

Really? OMG! How can this happen? I thought Apple was uber secure and this only happens to Android phones and Windows PCs.

Wow...so using macbot logic, since the Windows Phone store has never been screwed up like this, it’s the only secure store out there right now. Quick, macbots, to ensure you have security on your phones, switch to Windows Phone immediately.

Steve Jobs is turning over in his grave seeing what Apple is becoming.


6 posted on 09/24/2015 6:00:14 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: for-q-clinton

Yes. And if you live in China, then your Apple device might be infected.


7 posted on 09/24/2015 6:11:24 AM PDT by Theo (May Christ be exalted above all.)

To: Theo

Wow...there are like over 1 billion people that live there. How many iPhones did they sell in China?

Also I heard it was hitting other countries as well—not just China. This sounds really, really bad.


8 posted on 09/24/2015 6:18:34 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: for-q-clinton; bolobaby
> I suppose you have to toe the company line, though, and ensure no one worries.
> Really? OMG! How can this happen? I thought Apple was uber secure and this only happens to Android phones and Windows PCs. Wow...so using macbot logic ...

Guys. Swordmaker was the person who posted the thread, as a security/privacy alert, and presented the available facts minus the hysterical clickbait headline crapola. What the hell do you want?

Geez. You guys sound like a couple of jackasses. Not saying you -are-, just sayin' your trolling makes you sound just as stupid as the Applebot trolls who make dumb, predictable, snarky comments on the Windows threads. How about you grow up, maybe? Or at least say something different from your usual troll lines, and try not to be so repetitious, eh?

> ...switch to Windows Phone immediately.

LOL.

> Steve Jobs is turning over in his grave seeing what Apple is becoming.

Now, THAT comment I can agree with.

Thanks from your friendly FR Windows guy. :-) Have a great day!

9 posted on 09/24/2015 6:24:11 AM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: dayglored

Huh? Why is it I’m talking about Apple and you assume I’m attacking Swordmaker?

Hmmmmm.....

What did I post that had anything to do with Swordmaker? What I’m saying is this is bad for Apple. Sure Swordmaker is downplaying it a little trying to say it’s only in China, but I’m not the one calling him out for that...although I should.


10 posted on 09/24/2015 7:19:18 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: dayglored

BTW: Yes that’s EXACTLY what I’m doing. I’m illustrating the absurd with the absurd by acting like the Macbots and iDummies on other tech threads.


11 posted on 09/24/2015 7:22:33 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: dayglored

No no. When Swordmaker posts this, it’s a community service announcement.

“Hey guys, just to let you know, the magnanimous Apple has discovered an issue, but - *don’t* worry - it only affects a small percentage of apps, and they are graciously fixing everything as we speak, so keep using your Apple products comfortably and happily!”

Now, compare that to the way he posts Android-hate articles. There is no assuring commentary; usually, quite the opposite. It’s often posted with comments on why Apple is better and (ahem) FUD regarding Android.

You know... all the stuff you’d expect from a paid social marketer.

***Bear in mind***, I have *absolutely nothing* against Apple. Having used both, I prefer my Android device, but I don’t hate Apple. The only thing I have against Apple is the presence of one of their paid social marketers trolling our board, building up a false persona, solely to push their products to an unwitting forum.


12 posted on 09/24/2015 8:39:34 AM PDT by bolobaby

To: AFreeBird

See post #12.


13 posted on 09/24/2015 8:40:47 AM PDT by bolobaby

To: for-q-clinton

“Really? OMG! How can this happen?”

Ah, the ever-clueless 4-q-clinton surfaces from the muck again.

It happens because security is hard. At least this has been found; the most serious vulnerabilities are those that have gone undetected. I wonder how many of those are on the near-empty Windows store?

The situation is far better than Android, where hundreds of millions (billions?) of highly vulnerable devices will never even receive an update...

Bye for-q...


14 posted on 09/24/2015 10:04:02 AM PDT by PreciousLiberty

To: Swordmaker

By the way, the severity of this particular exploit is low. The malware encrypts and uploads the following:

- Current time
- Current infected app’s name
- The app’s bundle identifier
- Current device’s name and type
- Current system’s language and country
- Current device’s UUID
- Network type

It looks a lot more like a proof-of-concept than serious malware.

Reminder, developers - be careful where you get your development tools! (At least the idiots in China who downloaded this should have made sure the checksums matched!)


15 posted on 09/24/2015 10:12:08 AM PDT by PreciousLiberty

To: PreciousLiberty

Whoops, it is worse than I read at first:

Palo Alto Networks also discovered that infected iOS apps can receive commands from the attacker through the C2 server to perform the following actions:

- Prompt a fake alert dialog to phish user credentials;
- Hijack opening specific URLs based on their scheme, which could allow for exploitation of vulnerabilities in the iOS system or other iOS apps;
- Read and write data in the user’s clipboard, which could be used to read the user’s password if that password is copied from a password management tool.

Apple should auto-remove the offending apps from affected devices, though I didn’t see that confirmed anywhere.


16 posted on 09/24/2015 10:16:52 AM PDT by PreciousLiberty

To: PreciousLiberty

So you’re saying there are no undetected vulnerabilities on Apple products now?


17 posted on 09/24/2015 11:32:24 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: for-q-clinton; PreciousLiberty
So is this only on jailbroken phones or is it on a normal iPhone? No way can this be on a normal iPhone, right? No way could Apple screw up this bad.

This is on regular CHINESE iOS App Store devices. The exposure outside of China is extremely limited. It does not require jailbreaking the iPhone or iPad. The claim that private data can be stolen, or that the seemingly compromised apps can be used to download and install other malware, has not been proved to be true, as no secondary malware has been found. The malware encrypts and uploads the following:

The only serious issue is the hijacking of specific URLs, but it is SPECIFIC URLs pre-programmed for the Chinese networks. . . and most of those have security certification which will block that approach.

Phishing for credentials by having a sudden, out-of-the-blue, pop-up asking for an AppleID and password, unassociated with something you are doing is a red flag for anyone paying attention.

18 posted on 09/24/2015 2:16:31 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker

Not really...iPhone users assume they are secure, so a creds request will most likely be responded to. Especially by dumb users... which is most.


19 posted on 09/24/2015 2:26:40 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: bolobaby; for-q-clinton
That’s what they said when it was only 39. I suppose you have to toe the company line, though, and ensure no one worries.

Still lying and trying to hijack the thread into an ad hominem attack on me, bolobaby. Give it a rest. The 99.9% figure came from an initial report from one of the security firms investigating the infection, not Apple.

That 99.9 percent is still about the correct figure. 99.9% of 4000 is approximately 4-5 apps. The vast majority of the infected apps were made for the Chinese market. They've identified four or five of those Chinese Apps that have been translated into other languages and gone international . . . but even some of those named apps turn out to be the Chinese language or other versions that have not yet been sent overseas. Some of the named apps just share names because they were ported into Chinese by sub-contractors for the App publishers who used the spurious XcodeGhost version of Apple's Xcode.

The C2 domain is one of CHINA's main domains.

Some apps are also available from the App Store in other countries. For example, CamCard, developed by a Chinese company, is the most popular business card reader and scanner in many countries (including the US) around the world. (Update Sept. 21: We’ve verified that, while CamCard v6.5.1 in Chinese App Store was infected by XcodeGhost, the older version of CamCard, v5.5.2 found in the U.S. App Store, is not infected.).

WeChat is the most popular IM app not only in China but also in many countries or regions in Asia Pacific. Version 6.2.5 of WeChat is what we have verified to be infected. Tencent has updated to 6.2.6, which removed the malicious code.

Palo Alto Networks is cooperating with Apple on the issue and we also suggest all iOS developers be aware and take necessary actions.

It may be that 1% of the 4000 or so that are infected have gone international, which would be on the close order of 40-50, but even those are unlikely to be in the US, and more likely in the Asian area. Apple is removing all infected apps from all stores wherever they are located.

Many of the publishers of the English and other language versions of the listed apps have made statements that their apps are not infected, explaining that only the subcontractors in China who made the conversions to the Chinese language versions of their Apps used the XcodeGhost which infected their apps.

20 posted on 09/24/2015 2:39:35 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)