Security firm FireEye reports updated XcodeGhost loose in the wild, possibly infecting genuine iOS apps with malware

Posted by:
Date: Wednesday, November 4th, 2015, 08:23
Category: iOS, News, security, Software


The XcodeGhost thing may have reared its ugly head again, this time in a different form.

Security firm FireEye stated via a blog post that a variant of the XcodeGhost code, which has been known to inject malware into genuine apps, is still out there. The firm stated that it has identified a more advanced version of the compromised app development tool, XcodeGhost S, which has been designed to infect iOS 9 apps and allow compromised apps to escape detection by Apple.

The company offered the following statement:

XcodeGhost is planted in different versions of Xcode, including Xcode 7 (released for iOS 9 development). In the latest version, which we call XcodeGhost S, features have been added to infect iOS 9 and bypass static detection.

We have worked with Apple to have all XcodeGhost and XcodeGhost samples we have detected removed from the App Store.

FireEye said that by monitoring its customers’ networks, it identified 210 enterprises with infected apps running inside their networks – a third of them in the USA – generating 28,000 attempts to connect to the XcodeGhost Command and Control (CnC) servers …

It notes that the servers are not currently under control by those behind XcodeGhost, but they are potentially vulnerable to hijacking attempts. Some enterprises have modified their domain name servers to block traffic to the CnC servers, but this does not necessarily protect devices when used outside the corporate networks.

The firm offered the following description of how the updated XcodeGhost code both runs and circumvents Apple’s protection in iOS 9:

Apple introduced the “NSAppTransportSecurity” approach for iOS 9 to improve client-server connection security. By default, only secure connections (https with specific ciphers) are allowed on iOS 9. Due to this limitation, previous versions of XcodeGhost would fail to connect with the CnC server by using http. However, Apple also allows developers to add exceptions (“NSAllowsArbitraryLoads”) in the app’s Info.plist to allow http connection. The XcodeGhost S sample reads the setting of “NSAllowsArbitraryLoads” under the “NSAppTransportSecurity” entry in the app’s Info.plist and picks different CnC servers (http/https) based on this setting.

Not the best report Apple could get from a security firm and we’ll provide further details as the story progresses.

Via 9to5Mac, PCWorld and FireEye

Recent Posts