Many US enterprises still run XcodeGhost-infected Apple apps

Dozens of U.S. enterprises are still using Apple mobile apps seeded with malware for a clever hacking scheme revealed last month known as XcodeGhost.

The computer security firm FireEye said Tuesday it detected that 210 enterprises that are still using infected apps, showing that the XcodeGhost malware "is a persistent security risk," according to a blog post.

Last month, more than 4,000 applications were found to have been modified with a counterfeit version of Xcode, an application development tool from Apple.

The malicious version, dubbed XcodeGhost, adds hidden code to apps, which can collect identifying information about a device or even open URLs.

It was speculated that some application developers, mostly based in China, might have downloaded the rogue version of Xcode due to problems in getting it directly from Apple. Baidu's cloud file-sharing service at one time hosted the modified Xcode, but it was later removed, according to Palo Alto Networks.

There is something very suspicious about this article:

First that "security firm FireEye" can tell that these XcodeGhost" apps are on devices that are associated with iPhones operated by Enterprise employees.
Second that 70% of these infected iPhones have not been updated to iOS 9, when 92% of entire installed base of iOS devices in the Apple customer base has already upgraded to iOS 9. What are the odds that 70% of the still infected iOS devices have not been upgraded, yet their users are sophisticated enough to figure out how to do side-loading of apps? Very slim.
Third, to get infected with these XcodeGhost apps, the users would have had to have either downloaded them from the few (Five) that were uploaded to the CHINESE App Store, which is not a simple thing to connect to in the US, or side-loaded them from Chinese third party App Stores, also not an easy thing to connect to across the Chinese government's firewall into China.
Finally, any developer who would be stupid enough to download any version of Xcode from any source except Apple, to take a chance on getting this new "XcodeGhost S" version, makes absolutely NO SENSE after the huge publicity push from two months ago. . . and the "defenses that Apple has created in iOS 9" are NOT in iOS 9, and never were, except the use of Apple Enterprise Certification that were being used to allow side-loading, they are in the vetting of apps that are accepted into the official App Stores. XcodeGhost S apps cannot get around that vetting.

What I see here is the same overblown hype that surrounded FireEye's breathless announcement in the US about the danger when it first appeared in China two months ago. . . and their attempts to sell their iOS anti-malware app. They are AGAIN pushing their anti-Malware and trying to gin up some panic in the iOS Enterprise community about employees somehow still having infected iPhones, as irrational as that may be for the reasons I outlined above, so they can sell their Enterprise iOS anti-malware app.

The same security firm FireEye that made the overblown announcement about the XcodeGhost problem and claiming 4000 apps on the Apple App Store without explaining that it was a CHINESE problem or that the infected Apps were NOT on the Apple China App Store, bur rather on third-party app stores, now claims that XcodeGhost is still hanging around in 70 US Enterprise firms' employees' iOS devices, and that there's a new version of XcodeGhost designed to get around "the protections built into iOS 9". . . but in my opinion this is all a bunch of hype intended to sell FireEye's enterprise anti-malware iOS app, because none of their claims really pass the smell test.

One of the questions that just does not make sense is how does FireEye distinguish an Enterprise iOS device from Joe Blow's iOS device, merely by noting that, according to their claim, the infected iOS devices are contacting the supposed servers, which is something the XcodeGhost apps did not even do as reported in the original infection? And why would any developer take a chance to download a possibly infected version of Xcode from a third-party, with all the news about XcodeGhost and the consequences of using a malicious version and lifetime developer bans for now doing so, when Apple has made it extremely easy to get a legitimate copy direct from Apple's servers? None of that makes any logical sense what-so-ever! -- PING!

Chinese XcodeGhost Reprise FUD
Ping!

The Latest Apple/Mac/iOS Pings can be found by searching Keyword "ApplePingList" on Freerepublicâ€™s Search.

If you want on or off the Mac Ping List, Freepmail me.

“What are the odds that 70% of the still infected iOS devices have not been upgraded, yet their users are sophisticated enough to figure out how to do side-loading of apps? Very slim.”

I think the statistics actually play out to “very high”.

(And I don’t intend to malign anyone in this, just reporting my experiences...)

There are a LOT of iOS (all versions) users. 8% of 800,000,000 is still 64,000,000.
Those who don’t update iOS regularly are likely to not update at all.
There is a fitting subculture who is used to acquiring software from, er, alternative means. They’re not necessarily sophisticated users, but they are used to following directions to get software from sources other than the “walled garden” & mainstream (heck, those alternate sources ARE their “mainstream”). IP infringement & violations isn’t just rampant, it’s the norm.
As an iOS developer dealing with a variety of users’ issues, I assure you it’s not hard to make it easy for customers to “side load” apps.
I also know that “Enterprise employees” doesn’t always mean what it’s intended to. If you’re part of that aforementioned subculture, it’s not hard to fit that term under the circumstances.

Add to that, apparently acquiring Xcode is _painfully_ difficult in some areas (transferring multiple gigabytes from California servers is a non-starter), so in light of the normative subculture it’s common for their developers to just download (much faster) Xcode from local (and questionable) sources.

Upshot when I stir all those points together: those most likely to install these infected apps at all are
- likely 1-2 major versions of iOS behind current version
- likely to acquire apps from the “Enterprise employee” loophole I’ll not describe
- likely to side-load apps
and (drum roll please)
- by far the most likely “infected app” they have counting them into the article’s statistics is the Chinese release of Angry Birds.

So yeah, the statistics all make sense to me. The article of course spins them to the advantage of selling FireEye products. Deleting the Chinese version of Angry Birds, and updating to iOS 9, would alone likely eradicate practically all instances of XcodeGhost.

Fireeye is a pretty good company.

I judge them by what they did not tell the public. . . and what FireEye did not tell the public was the most important part of the XcodeGhost story.

They wanted the public to assume the 4000+ infected apps were in the Apple App Store and that the members of the public were in danger of downloading those apps merely by using the US Apple App store when there was ZERO chance of doing that because there were no infected files in the US. Not a single XcodeGhost app ever was found in the US App store, and only five were found in the China Apple App Store.

The 4000+ other infected app files that FireEye were for either jailbroken iOS devices or they had to be side-loaded into non-jailbroken iOS devices by spoofing stolen or borrowed Enterprise Certificates to make the iPhone or iPad install them as if they were from an employers' enterprise account from a third-party app store.

This was dishonest reporting to the US market. For any American consumer to be infected required that consumer to jump through some pretty difficult hoops. FireEye knew all this and failed to report it. . . and it took days for it to come out. At the same time, they were approaching businesses selling their Enterprise iOS anti-malware app.

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.