Users of Apple's iPhone and iPad have been stunned by news that dozens of apps carrying iOS malware had been placed on the App Store. The malware, called XcodeGhost, was discovered in, and then removed from, dozens of apps available for download from the store.
According to Alibaba, a report from Palo Alto Networks, Inc. indicated that Chinese app developers were the first to report the iOS malware. They discovered that XcodeGhost had been embedded in apps because developers had been persuaded to use an unofficial (hacked) version of Apple's Xcode software development suite. The background to why that version was used is the slow condition of Apple's servers; it is not uncommon for developers to look for software from outside sources. It is believed that many copies of Xcode 6.1 to 6.4 obtained this way were infected with the malware.
Rapid7 LLC engineering manager Tod Beardsley indicated that this may actually have been only a proof of concept. He went on to state, “If an attacker is able to insert himself into the developer pipeline, pretty much all bets are off. When the compiler itself has been compromised, the developer cannot assert that the code being compiled is the same as what he or she intended. It is surprising to see that major software publishers were affected by a poisoned toolchain. For those companies, which apparently include financial institutions, the process for getting developer environments online should be more robust and resistant to attacks that rely on individual trust decisions by individual developers.”
Ryan Olson, director of threat intelligence at Palo Alto Networks’ Unit 42, indicated that this attack is a potentially bad sign for Apple, as it is proof that an attack of this kind is possible. He went on to say, “This is the largest-scale infiltration of Apple’s App store… and proves that infecting development tools like Xcode can be a successful way to infect iOS devices, which have historically been very secure.” Olson indicated that the largest risk XcodeGhost posed to enterprises lay in the fake alert dialogs it could prompt, which enable phishing attacks through malicious URLs. Olson added, “It has the ability to send the user an alert message and it can open URLs specified by the attacker. The URL opening functionality could be used to attack other installed applications or possibly phish information from the user. At this point, the command and control servers are offline, so the risk to the enterprise from this specific threat has diminished.”
Liviu Arsene, senior e-threat researcher at Romania-based antimalware company Bitdefender, indicated that XcodeGhost can copy the user's clipboard data, allowing cybercriminals to steal credentials and authentication details, which could be devastating to enterprises. He went on to say, “If enterprise users were to use password management tools to log in to various services remotely, the clipboard data with the authentication credentials could be sent to the command and control server, giving the attacker a possible covert entry point into a corporate network or system.”
It is currently not known how many users were affected by the iOS malware, but both Arsene and Palo Alto Networks indicated that XcodeGhost may have affected hundreds of millions of people.
Initially, Apple did not respond to requests as to whether the malicious apps had been successfully disabled remotely on devices, nor did it offer instructions on what users should do to remove the apps found on their devices. Christine Monaghan, an Apple spokeswoman, did release a statement to Reuters on the actions Apple has taken: “We’ve removed the apps from the App Store that we know have been created with this counterfeit software. We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.”
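The attack described above worked because developers installed Xcode from unofficial sources, and Apple's remedy was to have them rebuild with a genuine copy. The script below is an added example, not code from the article, from Apple, or from any vendor quoted here; it shows how a developer or IT team can verify an installed Xcode bundle using macOS Gatekeeper's `spctl --assess --verbose` command, which Apple recommended for this purpose after XcodeGhost. It assumes the bundle lives at `/Applications/Xcode.app` and that an untampered bundle is reported as `accepted` with a `source=` line of `Mac App Store`, `Apple System` or `Apple`; the parsing function is separated from the live call so the verdict logic can be exercised offline with constructed `spctl` output.

```shell
#!/bin/sh
# Added example (not from the article): verify that an installed Xcode.app
# passes Gatekeeper assessment, i.e. is signed by Apple and unmodified.
#
# Live command (macOS only):  spctl --assess --verbose /Applications/Xcode.app
# Expected output for a genuine bundle (assumed format):
#   /Applications/Xcode.app: accepted
#   source=Mac App Store          (or "Apple System" / "Apple")
# Any other verdict or source means the bundle was not signed by Apple
# or has been altered, which is exactly what XcodeGhost relied on.

# xcode_verdict: read spctl --verbose output on stdin and print "genuine"
# (exit 0) when the bundle is accepted from an Apple source, otherwise
# "suspect" (exit 1).
xcode_verdict() {
    status=""
    source=""
    while IFS= read -r line; do
        case "$line" in
            *": accepted"*) status="accepted" ;;
            *": rejected"*) status="rejected" ;;
            source=*)       source="${line#source=}" ;;
        esac
    done
    if [ "$status" = "accepted" ]; then
        case "$source" in
            "Mac App Store"|"Apple System"|"Apple")
                echo "genuine"
                return 0
                ;;
        esac
    fi
    echo "suspect"
    return 1
}

# check_xcode: run the live assessment against a bundle path (default
# /Applications/Xcode.app). Returns 2 when spctl is not available, so the
# script degrades cleanly on non-macOS hosts instead of reporting a verdict.
check_xcode() {
    path="${1:-/Applications/Xcode.app}"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available on this host (macOS only)" >&2
        return 2
    fi
    spctl --assess --verbose "$path" 2>&1 | xcode_verdict
}
```

Run `check_xcode` on the build machine; a `suspect` result means the toolchain should be discarded and reinstalled from the Mac App Store or Apple's developer downloads before any app is rebuilt and resubmitted. Note that this checks only the Xcode bundle's signature, not whether apps already built with a bad copy are clean; those still need to be rebuilt.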
Sharon Knowles, CEO of Da Vinci Forensics says:
This latest Apple malware reinstates the fact that even the products that both business and the public assume are safe can be breached by cybercriminals. While companies extensively focus on the safety and security of their software and products, individuals and businesses must maintain serious attention to all levels of security. DaVinci Forensics continues in our diligent efforts to communicate potential threats as well as assist in restoring the data conditions of those that have fallen prey to cyberattacks.