Millions of iOS users endangered by Trojanized apps from the App Store

“Unknown malware pushers have managed to trick Apple into offering for download from the company’s official App Store a considerable number of malicious apps – apps that collect device information and try to get users’ iCloud login credentials.

The current list of infected iOS apps includes many extremely popular apps in China and the rest of the world.

“The infected iOS apps include IMs, banking apps, mobile carriers app, maps, stock trading apps, SNS apps, and games. Among the more well-known apps are WeChat (developed by Tencent); Didi Chuxing (developed by Didi Kuaidi) the most popular Uber-like app in China; Railway 12306, the only official app used for purchasing train tickets in China; China Unicom Mobile Office, which is in use by the biggest mobile carrier in China; and Tonghuashun, one of most popular stock trading apps,” Palo Alto researchers shared.

This unprecedented attack against Apple’s App Store and users started with the attackers offering for download malicious versions of Apples Xcode app building framework on Chinese developer forums. This framework is offered for download by Apple, but its size (3GB) made developers opt for a faster download from a third-party (Baidu) file-sharing site. These files have been removed after Baidu was notified of this.

By using this framework to develop apps, they effectively Trojanized them and allowed them to download and execute malware, which turned out to be an effective way to successfully pass the App Store’s code vetting process.

Alibaba researchers, who were the first who analyzed it, have dubbed the malicious modified versions of the Xcode framework “XcodeGhost”.

An in-depth analysis by Palo Alto researchers first discovered that the Trojanized apps collected device, app and network information and sent it, in encrypted form, to one of three C&C servers whose address is encoded in the malware.

Only a day later, following on some reports that the infected apps were popping up alert dialogs asking for users to type in their iCloud login credentials, the researchers found that yes, the apps were capable of doing that when instructed by the attackers, and that attackers were obviously doing that.

The infected apps can also be made to hijack opening specific URLs based on their scheme, which could allow for exploitation of vulnerabilities in the iOS system or other iOS apps, and read and write data in the user’s clipboard, which could be used to read the user’s password if that password is copied from a password management tool.

“Based on this new information, we believe XcodeGhost is a very harmful and dangerous malware that has bypassed Apples code review and made unprecedented attacks on the iOS ecosystem,” they pointed out, adding that “the techniques used in this attack could be adopted by criminal and espionage focused groups to gain access to iOS devices.

Apple has reacted to the news by removing the affected apps from the App Store. According to an Apple spokesperson, the company is working with developers to make sure they’re using the proper version of Xcode to rebuild their apps. Some of them already have.

This incident should shake Apple and the users of their devices to the core: the often repeated claim that if you stick to downloading apps from the App Store you’re generally safe has been proven false. Also, this event has proven, once again, that motivated attackers always find a way into systems, no matter how secured they are.

The definite number of infected apps is still unknown. Palo Alto researchers say at least 48, Chinese security firm Qihoo360 says nearly 350. Apple has not said how many it has removed from the store.

App developers who use Xcode are advised to download it directly from Apple, and to regularly check their installed Xcodes code signing integrity.

ISC handler Xavier Mertens has more info on how to detect infected devices, both if you’re an iPhone user or a developer (or both).”

Don't miss