Popular iOS Apps Infected with Malware Made to the App Store – Steal Passwords and Exploit iOS Vulnerabilities


Apple is going through some rough days as new security flaws keep hitting the company's mobile and desktop operating systems. Earlier in the week, we shared why it was important to update to iOS 9 because of a serious vulnerability in iOS (and OS X) that could allow an attacker to hijack your devices using the AirDrop file-sharing service. While Apple has patched that particular issue in iOS, the latest reports demonstrate another critical security flaw that has infected a number of popular apps hosted on the App Store.

Earlier this week, security researchers discovered XcodeGhost, the first compiler malware for iOS and OS X, which modifies Apple's Xcode. Xcode is the official tool developers use to create iOS and OS X apps, and apparently many developers downloaded the modified Xcode packages. This means there are many apps currently available in the App Store, including some very popular titles, that are infected and phishing for user information.

While the security researchers at Palo Alto Networks earlier believed that only a few apps were infected, mainly in China, they have now revealed a growing list of infected apps, which includes WeChat, a massively popular messaging and social networking app, and CamCard, the most popular business card reader and scanner.

How it all started...

When downloading large files, we often look for unofficial sources to get faster download speeds. Taking advantage of that, someone posted download links for Xcode (infected with XcodeGhost) to multiple Chinese forums and websites six months ago. Versions of Xcode from 6.0 to 7.0, including the beta versions, were shared on these sites and linked to Baidu, a popular cloud-based file-sharing service (Baidu has now removed these malicious files). Those who searched third-party download sites for Xcode ended up downloading the altered Xcode.
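A developer who suspects their Xcode came from a third-party mirror can confirm whether the installed copy still carries Apple's signature. The script below is an added example, not code from the article or from Palo Alto Networks; it assumes a macOS host with `spctl` and that Xcode lives at `/Applications/Xcode.app`, and it parses the assessment text in a separate function so the parsing logic can be exercised without Xcode present.

```shell
# Added example: verify that an installed Xcode.app is signed by Apple.
# Assumptions: macOS host with spctl available; XCODE_PATH may be overridden.
XCODE_PATH="${XCODE_PATH:-/Applications/Xcode.app}"

# Decide from spctl's textual verdict whether the bundle is Apple-signed.
# A genuine Xcode produces a line such as "/Applications/Xcode.app: accepted"
# followed by "source=Apple", "source=Apple System" or "source=Mac App Store".
# An altered Xcode (a repackaged third-party download) is rejected or reports
# a non-Apple source. Returns 0 when the verdict looks genuine, 1 otherwise.
xcode_verdict_is_genuine() {
    verdict="$1"
    case "$verdict" in
        *": accepted"*) ;;          # Gatekeeper accepted the bundle
        *) return 1 ;;
    esac
    case "$verdict" in
        *"source=Apple"*|*"source=Mac App Store"*) return 0 ;;
        *) return 1 ;;              # accepted, but not from Apple's chain
    esac
}

# Run the assessment on the live system and report the result.
check_installed_xcode() {
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not found; this check needs to run on macOS" >&2
        return 2
    fi
    out=$(spctl --assess --verbose "$XCODE_PATH" 2>&1)
    if xcode_verdict_is_genuine "$out"; then
        echo "OK: $XCODE_PATH carries an Apple signature"
        return 0
    fi
    echo "WARNING: $XCODE_PATH failed the Gatekeeper assessment:" >&2
    echo "$out" >&2
    return 1
}
```

A rejected or non-Apple verdict means the copy should be deleted and Xcode reinstalled from the Mac App Store or developer.apple.com before any further builds are shipped.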

The code injected by the altered Xcode is then used to collect data: once executed, the infected apps "can be remotely controlled by the attacker to phish or exploit local system or app vulnerabilities". Not only passwords and location details, but a lot more can be retrieved using the capabilities of XcodeGhost. Information collected through this malware is then uploaded to the command and control (C2) server. However, data collection is not the only purpose of this malware, as the research team detected today. Claud Xiao of Palo Alto Networks revealed that the malicious code "is capable of receiving commands from the attacker through the C2 server to perform" actions like:

  • Hijack specific URLs
  • Prompt fake alerts to phish user credentials
  • Read and write data, which means the code can possibly read data such as users' passwords, especially for those who use password management apps like 1Password.

According to one report, XcodeGhost has already been used to prompt fake alerts asking victims to input their iCloud passwords. "The techniques used in this attack could be adopted by criminal and espionage focused groups to gain access to iOS devices," Xiao explained. "We believe that stealing passwords or potentially exploiting vulnerabilities in iOS and in legitimate applications may be the true purpose of XcodeGhost."

Palo Alto Networks and other involved security firms are working with Apple to address the security vulnerabilities that the altered Xcode opens in iOS. However, this is not the end of the scheme, as infected apps keep finding a way to be approved for the App Store. It remains to be seen whether Apple can further strengthen the App Store's code review capabilities to reduce the chances of infected apps sneaking into the Store and posing serious security concerns for users.

You can read the complete list of infected apps at Palo Alto Networks.