App Store iOS malware found after first large-scale attack
For the first time, a large amount of iOS malware has made it past Apple's App Store security controls, potentially affecting hundreds of millions of users.
Apple has admitted that it was forced to remove dozens of reputable iPhone and iPad apps from its App Store on Sunday because they contained embedded iOS malware.
Chinese app developers first reported the existence of the iOS malware last Wednesday, according to a report from Palo Alto Networks Inc., based in Santa Clara, Calif. Alibaba researchers then identified apps containing the malware, which is named XcodeGhost because it was embedded into apps after developers were convinced to use a tampered version of Apple's Xcode software development suite.
Palo Alto Networks said Chinese developers picked up the infected versions of Xcode because the official Xcode installer is very large, at nearly 3 GB, and downloads from Apple's servers can be slow in China. As a result, developers often obtain the software from third-party sources, and many of those copies of Xcode versions 6.1 to 6.4 were infected.
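The practical check a developer wants at this point is whether the Xcode on the build machine is the one Apple shipped. The following is an added example, not code from the article or from Palo Alto Networks: it wraps the `spctl --assess --verbose` Gatekeeper assessment that Apple documented for validating an Xcode installation, and treats the bundle as genuine only when it is reported as `accepted` with a source of `Mac App Store`, `Apple System` or `Apple`. The install path `/Applications/Xcode.app`, the `verify_xcode` and `spctl_output_is_genuine` function names, and the sample outputs in the usage call are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the article): detect a tampered Xcode toolchain by
# checking its code signature with Gatekeeper's spctl(8) assessment.
# Assumptions: macOS with spctl available; Xcode installed at /Applications/Xcode.app.

# Interpret the text produced by `spctl --assess --verbose <bundle>`.
# Returns 0 only when the bundle is "accepted" AND the signing source is one
# Apple uses for Xcode. Kept as a pure function so it can be exercised with
# constructed output on any machine, including ones without spctl.
spctl_output_is_genuine() {
    out="$1"
    # First line must end in ": accepted"; anything else means Gatekeeper rejected it.
    printf '%s\n' "$out" | grep -q ': accepted$' || return 1
    # The source line must be exactly one of Apple's own distribution channels.
    printf '%s\n' "$out" | grep -Eqx 'source=(Mac App Store|Apple System|Apple)'
}

# Run the assessment against an installed Xcode bundle and report the verdict.
# Exit status: 0 genuine, 1 rejected or non-Apple source, 2 spctl unavailable.
verify_xcode() {
    app="${1:-/Applications/Xcode.app}"   # assumed default install path
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available; run this check on the macOS build machine" >&2
        return 2
    fi
    out="$(spctl --assess --verbose "$app" 2>&1)"
    if spctl_output_is_genuine "$out"; then
        echo "OK: $app carries a valid Apple signature"
        return 0
    fi
    echo "WARNING: $app failed assessment or is not signed by Apple:" >&2
    printf '%s\n' "$out" >&2
    return 1
}

# Usage: sh verify_xcode.sh --check [/path/to/Xcode.app]
case "${1:-}" in
    --check) verify_xcode "${2:-/Applications/Xcode.app}" ;;
esac
```

A rejected or unexpectedly sourced result is the signal to reinstall Xcode from the Mac App Store or from Apple's developer downloads and rebuild any apps produced with the suspect copy; the parser is deliberately strict about the `source=` line so that a re-signed bundle with some other identity does not pass.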
According to Tod Beardsley, engineering manager at Boston-based Rapid7 LLC, this attack may only have been a proof of concept.
"If an attacker is able to insert himself into the developer pipeline, pretty much all bets are off. When the compiler itself has been compromised, the developer cannot assert that the code being compiled is the same as what he or she intended," Beardsley said. "It is surprising to see that major software publishers were affected by a poisoned toolchain. For those companies, which apparently include financial institutions, the process for getting developer environments online should be more robust and resistant to attacks that rely on individual trust decisions by individual developers."
Apple did not respond to requests for comment at the time of this writing -- specifically, as to whether the malicious apps had been remotely disabled on user devices, or what users could do to remove the offending apps. But Apple spokeswoman Christine Monaghan said in a statement to Reuters that Apple has taken action.
"We've removed the apps from the App Store that we know have been created with this counterfeit software," Monaghan said. "We are working with the developers to make sure they're using the proper version of Xcode to rebuild their apps."
This attack is unique because it is the first known compiler malware on Mac OS X, and the resulting XcodeGhost malware has been found in nearly 40 apps, according to Palo Alto Networks, including instant messaging apps, banking apps, mobile carrier apps, maps, stock trading apps, SMS apps and games. Many of the better-known infected apps were top apps in China -- such as messaging service WeChat, ride-sharing service Didi Chuxing, and a productivity app from the largest Chinese carrier, China Unicom.
Ryan Olson, director of threat intelligence for Palo Alto Networks' Unit 42 threat research team, said the proof that an attack like this is possible may be a bad sign for Apple.
"This is the largest-scale infiltration of Apple's App Store," Olson said, "and proves that infecting development tools like Xcode can be a successful way to infect iOS devices, which have historically been very secure."
Olson said the biggest risk XcodeGhost poses to enterprises is phishing: the malware can display fake alert dialogs and open attacker-chosen URLs. "It has the ability to send the user an alert message and it can open URLs specified by the attacker," he said. "The URL opening functionality could be used to attack other installed applications or possibly phish information from the user. At this point, the command and control servers are offline, so the risk to the enterprise from this specific threat has diminished."
Liviu Arsene, senior e-threat researcher for Romania-based antimalware firm Bitdefender, said XcodeGhost's ability to copy users' clipboard data could also allow attackers to steal authentication credentials, which could be devastating to enterprises. "If enterprise users were to use password management tools to log in to various services remotely, the clipboard data with the authentication credentials could be sent to the command and control server, giving the attacker a possible covert entry point into a corporate network or system," he said.
It's unknown exactly how many users were affected by the iOS malware, but both Palo Alto Networks and Arsene said XcodeGhost may have affected hundreds of millions of people.