There is something very suspicious about this article:
- First, that "security firm FireEye" can tell that these "XcodeGhost" apps are on devices that are associated with iPhones operated by Enterprise employees.
- Second, that 70% of these infected iPhones have not been updated to iOS 9, when 92% of the entire installed base of iOS devices in the Apple customer base has already upgraded to iOS 9. What are the odds that 70% of the still infected iOS devices have not been upgraded, yet their users are sophisticated enough to figure out how to do side-loading of apps? Very slim.
- Third, to get infected with these XcodeGhost apps, the users would have had to have either downloaded them from the few (Five) that were uploaded to the CHINESE App Store, which is not a simple thing to connect to in the US, or side-loaded them from Chinese third party App Stores, also not an easy thing to connect to across the Chinese government's firewall into China.
- Finally, any developer who would be stupid enough to download any version of Xcode from any source except Apple, to take a chance on getting this new "XcodeGhost S" version, makes absolutely NO SENSE after the huge publicity push from two months ago... and the "defenses that Apple has created in iOS 9" are NOT in iOS 9, and never were, except the use of Apple Enterprise Certification that was being used to allow side-loading; they are in the vetting of apps that are accepted into the official App Stores. XcodeGhost S apps cannot get around that vetting.
What I see here is the same overblown hype that surrounded FireEye's breathless announcement in the US about the danger when it first appeared in China two months ago. . . and their attempts to sell their iOS anti-malware app. They are AGAIN pushing their anti-Malware and trying to gin up some panic in the iOS Enterprise community about employees somehow still having infected iPhones, as irrational as that may be for the reasons I outlined above, so they can sell their Enterprise iOS anti-malware app.
The same security firm FireEye that made the overblown announcement about the XcodeGhost problem, claiming 4000 apps on the Apple App Store without explaining that it was a CHINESE problem or that the infected Apps were NOT on the Apple China App Store, but rather on third-party app stores, now claims that XcodeGhost is still hanging around in 70 US Enterprise firms' employees' iOS devices, and that there's a new version of XcodeGhost designed to get around "the protections built into iOS 9"... but in my opinion this is all a bunch of hype intended to sell FireEye's enterprise anti-malware iOS app, because none of their claims really pass the smell test.
One of the questions that just does not make sense is how does FireEye distinguish an Enterprise iOS device from Joe Blow's iOS device, merely by noting that, according to their claim, the infected iOS devices are contacting the supposed servers, which is something the XcodeGhost apps did not even do as reported in the original infection? And why would any developer take a chance to download a possibly infected version of Xcode from a third party, with all the news about XcodeGhost and the consequences of using a malicious version and lifetime developer bans for now doing so, when Apple has made it extremely easy to get a legitimate copy direct from Apple's servers? None of that makes any logical sense whatsoever! -- PING!

Chinese XcodeGhost Reprise FUD
Ping!
The Latest Apple/Mac/iOS Pings can be found by searching Keyword "ApplePingList" on Freerepublic's Search.
If you want on or off the Mac Ping List, Freepmail me.
“What are the odds that 70% of the still infected iOS devices have not been upgraded, yet their users are sophisticated enough to figure out how to do side-loading of apps? Very slim.”
I think the statistics actually play out to “very high”.
(And I don’t intend to malign anyone in this, just reporting my experiences...)
There are a LOT of iOS (all versions) users. 8% of 800,000,000 is still 64,000,000.
Those who don’t update iOS regularly are likely to not update at all.
There is a fitting subculture who is used to acquiring software from, er, alternative means. They're not necessarily sophisticated users, but they are used to following directions to get software from sources other than the "walled garden" & mainstream (heck, those alternate sources ARE their "mainstream"). IP infringement & violations aren't just rampant, they're the norm.
As an iOS developer dealing with a variety of users’ issues, I assure you it’s not hard to make it easy for customers to “side load” apps.
I also know that “Enterprise employees” doesn’t always mean what it’s intended to. If you’re part of that aforementioned subculture, it’s not hard to fit that term under the circumstances.
Add to that, apparently acquiring Xcode is _painfully_ difficult in some areas (transferring multiple gigabytes from California servers is a non-starter), so in light of the normative subculture it’s common for their developers to just download (much faster) Xcode from local (and questionable) sources.
Upshot when I stir all those points together: those most likely to install these infected apps at all are
- likely 1-2 major versions of iOS behind current version
- likely to acquire apps from the “Enterprise employee” loophole I’ll not describe
- likely to side-load apps
and (drum roll please)
- by far the most likely “infected app” they have counting them into the article’s statistics is the Chinese release of Angry Birds.
So yeah, the statistics all make sense to me. The article of course spins them to the advantage of selling FireEye products. Deleting the Chinese version of Angry Birds, and updating to iOS 9, would alone likely eradicate practically all instances of XcodeGhost.