“As the list of apps infected with the XcodeGhost malware keeps expanding, Apple, Amazon and Baidu are doing their best to purge their online properties of affected apps, malicious Xcode installers, and C&C servers used by the attackers to gather the stolen information and control the infected apps/devices.
Apple began cleaning up its App Store on September 18 and is working with affected developers to get uninfected versions of their apps back into it. Some of the affected apps still remain in the Store, but will hopefully be removed soon.
The China-based jailbreaking Pangu Team claims that the number of infected apps is higher than 3,400, and has offered for download a free app that apparently detects the Trojanized apps.
“We have not verified their results,” Palo Alto researchers say. “However, considering that the malicious Xcode installers were spread since March 2015, the C2 servers also launched in March, and search engine results were polluted, it wouldn't be surprising if the affected number of iOS apps is far greater than we thought.”
They advised iOS users to download and use the app, and to temporarily delete all infected apps they find on their device.
According to Trend Micro, most of the affected users are Chinese, although North American users have been hit as well.
The source code for XcodeGhost has been published on GitHub, apparently by its author, who says that XcodeGhost was an “experiment” and apologizes for the mess he created. He says that he didn’t mean for it to be used for malicious purposes, and that it does not include “threatening behavior”. It only collects basic app information, he says.
Whether you choose to believe him or not, the fact remains that the damage has been done.
According to Palo Alto researchers, the current version of XcodeGhost can’t be directly used to phish iCloud passwords, as was previously believed. The bad news is that by changing a few simple lines of code it can be made to do that, or to phish any kind of password.
They advise iOS and OS X developers to, from now on, always download official development tools directly from official channels, to set the Gatekeeper protection level to the default value on the Mac computers they use for development, integration and deployment, and to constantly check the integrity of their development tools and libraries.”
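The last two recommendations above can be turned into a routine check. The script below is an added example, not code from the article or from Palo Alto Networks: it reads Gatekeeper's state with Apple's stock `spctl` tool and verifies an installed development tool's code signature with `codesign` before asking Gatekeeper to assess it. It assumes a macOS host and takes the bundle path (for instance `/Applications/Xcode.app`) as its first argument; the status-parsing helper works on any POSIX shell so it can be exercised off a Mac.

```shell
#!/bin/sh
# Added example, not part of the article: confirm Gatekeeper is enabled and
# verify the signature of an installed development tool such as Xcode.
# Assumptions: macOS host, Apple's spctl/codesign tools, bundle path in $1.

# Interpret the one-line text printed by `spctl --status`, which reads
# "assessments enabled" when Gatekeeper is on. Returns 0 when enabled, 1 if not.
gatekeeper_enabled_from_status() {
    case "$1" in
        *"assessments enabled"*) return 0 ;;
        *)                       return 1 ;;
    esac
}

# Ask spctl for the live Gatekeeper state and report it.
check_gatekeeper() {
    if gatekeeper_enabled_from_status "$(spctl --status 2>&1)"; then
        echo "Gatekeeper: enabled"
    else
        echo "Gatekeeper: DISABLED; re-enable with: sudo spctl --master-enable"
        return 1
    fi
}

# Verify an app bundle two ways: codesign checks every nested component
# against its signature, then spctl applies Gatekeeper's own policy to it.
# Returns 0 on success, 1 on a verification failure, 2 if the path is missing.
# Usage: verify_tool /Applications/Xcode.app
verify_tool() {
    tool="$1"
    [ -d "$tool" ] || { echo "not found: $tool"; return 2; }
    if ! codesign --verify --deep --strict "$tool"; then
        echo "FAIL: $tool does not pass codesign verification"
        return 1
    fi
    if ! spctl --assess --verbose --type execute "$tool"; then
        echo "FAIL: $tool rejected by Gatekeeper assessment"
        return 1
    fi
    echo "OK: $tool passes codesign and Gatekeeper assessment"
}

# Only run the live checks on macOS when a bundle path was supplied; the
# helper functions above can be called from any POSIX shell.
if [ "$(uname)" = "Darwin" ] && [ -n "${1:-}" ]; then
    check_gatekeeper
    verify_tool "$1"
fi
```

Run it as `sh check_tools.sh /Applications/Xcode.app`. A deep `codesign` verification of Xcode takes several minutes because it walks every nested framework and toolchain binary; a modified installer from an unofficial mirror fails this step even when the bundle launches normally, which is exactly the case the article describes.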