XcodeGhost threat still remains

XcodeGhost is malware targeting Apple’s iOS that appeared in September 2015. Chinese cybercriminals exploited the fact that the official Xcode developer kit, at almost 3 GB, takes a long time to download from Apple’s servers. They offered an easier and faster way to obtain the Xcode package from the cloud file-sharing service Baidu. However, the offered version proved to be the malicious XcodeGhost: the cybercriminals had planted malware in the original Xcode package. The malware did not show itself on the developer’s computer, but it indirectly infected every application compiled with the XcodeGhost compiler. Consequently it made it into the App Store and was detected in more than 300 apps. Infected applications sent information to the XcodeGhost command and control (CnC) servers over plain HTTP. Additionally, according to the security company Palo Alto Networks ([1], [2]), XcodeGhost could be used to phish passwords by prompting deceptive alert dialogs, and it carried built-in remote control functionality. Apple responded quickly to this threat and on 22 September announced [3] that the infected apps had been removed from the App Store. Apple also pointed out that Xcode should be downloaded directly from Apple and that, otherwise, the package should be assessed for validity with the «spctl --assess --verbose /Applications/Xcode.app» terminal command on a Gatekeeper-enabled system.

However, the XcodeGhost threat appears persistent. Quite some time after the threat was disclosed, some users are still running the old infected versions of the apps and of iOS. Additionally, having the developers who used the malicious XcodeGhost version refresh and validate their Xcode installation is not enough. Most developers use third-party components in their programs, which must be considered a risk because they cannot be sure whether those third-party libraries or sub-programs are themselves infected.
Moreover, the security company FireEye [4] monitored its customers’ networks and reached some interesting conclusions: XcodeGhost has entered U.S. enterprises, and a variant of XcodeGhost is in circulation. In only a month, 210 enterprises were found to be infected, generating 28,000 attempts to connect to XcodeGhost CnC servers. Enterprises’ efforts to block the XcodeGhost DNS queries inside their networks, in order to prevent communication between iPhones and the CnC servers, are not effective when their users are outside the corporate network.

Besides this, FireEye identified a new version of the malware called XcodeGhost S. XcodeGhost S is intended to infect iOS 9 applications and allow them to bypass Apple’s detection. Specifically, with iOS 9 Apple introduced a new approach that makes secure connections over HTTPS mandatory. This breaks the communication of XcodeGhost-infected apps with their CnC servers, which use plain HTTP. To circumvent this problem, the cybercriminals used an Apple feature that allows developers to add exceptions in the app’s configuration file (Info.plist) to permit HTTP connections. Moreover, the new XcodeGhost malware builds its strings by concatenating them character by character, to bypass simple detection schemes that look for whole strings.
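As an added illustration of the Info.plist exception described above (example code written for this page, not code from the original article, FireEye or Apple): the script below uses Python's plistlib to flag the App Transport Security (ATS) keys that re-enable plain HTTP, ATS being the iOS 9 mechanism the paragraph refers to. The two plists are constructed for this example; the key names NSAppTransportSecurity, NSAllowsArbitraryLoads, NSExceptionDomains, NSExceptionAllowsInsecureHTTPLoads and NSThirdPartyExceptionAllowsInsecureHTTPLoads are Apple's real ATS keys. Such an audit is worth running over the Info.plist of every built app bundle and third-party component, since refreshing Xcode alone does not cover third-party code.

```python
import plistlib

# Constructed Info.plist of the kind the text describes: App Transport Security (ATS)
# exceptions that re-enable plain HTTP. Both plists below are made up for this example.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.weakapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>init.icloud-analysis.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Corrected configuration: no ATS dictionary at all, so the iOS 9 default
# (HTTPS required for every connection) stays in force.
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.hardenedapp</string>
</dict>
</plist>
"""

# ATS keys that re-enable plain HTTP for a single exception domain.
INSECURE_DOMAIN_KEYS = (
    "NSExceptionAllowsInsecureHTTPLoads",
    "NSThirdPartyExceptionAllowsInsecureHTTPLoads",
)


def audit_ats(plist_bytes):
    """Return a list of findings, one per ATS setting that permits plain HTTP."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    # App-wide switch: disables ATS for every connection the app makes.
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads is true: ATS is disabled for the whole app")
    # Per-domain exceptions: each one re-opens plain HTTP to that host.
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        for key in INSECURE_DOMAIN_KEYS:
            if rules.get(key):
                findings.append("%s: %s permits plain HTTP to this domain" % (domain, key))
    return findings


if __name__ == "__main__":
    for name, data in (("weak", WEAK_PLIST), ("hardened", HARDENED_PLIST)):
        print(name, audit_ats(data) or ["no ATS exceptions found"])
```

An empty result means the app keeps the iOS 9 default; any finding should be justified by the developer, and an exception naming a host the app has no business talking to is exactly the kind of artefact this malware leaves behind.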

Unfortunately Apple provides no feature that automatically inspects iOS devices for XcodeGhost malware. However, SANS researchers [6] suggested that end users should check application logs for suspicious HTTP traffic to «http://init.icloud-analysis.com» and to the IP addresses 52.2.85.22, 52.4.74.88, 52.6.167.64, 52.68.131.221 and 104.238.125.92.
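The log check suggested by SANS, as an added example that is not part of the original article or of the SANS diary: the script below scans proxy or firewall log lines for the domain and IP addresses quoted above. The log format (timestamp, client IP, method, URL, destination IP) and the sample lines are constructed for this example; the indicators themselves are the ones listed in the text. Matching on both the URL host and the destination IP means a request still gets flagged when the hostname is absent or differs, which matters given that XcodeGhost S assembles its strings in ways meant to defeat simple string matching.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the text from SANS ISC [6].
IOC_DOMAINS = {"init.icloud-analysis.com"}
IOC_IPS = {
    "52.2.85.22", "52.4.74.88", "52.6.167.64", "52.68.131.221", "104.238.125.92",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample log: "<timestamp> <client> <method> <url> <destination ip>".
# Benign lines use .invalid hostnames and 203.0.113.0/24 documentation addresses.
SAMPLE_LOG = [
    "2015-11-12T09:13:02Z 10.0.0.14 GET http://init.icloud-analysis.com/ 52.2.85.22",
    "2015-11-12T09:13:05Z 10.0.0.14 GET https://www.example.invalid/ 203.0.113.7",
    "2015-11-12T09:13:09Z 10.0.0.22 POST http://update.example.invalid/check 104.238.125.92",
    "2015-11-12T09:13:11Z 10.0.0.30 GET http://example.invalid/ 203.0.113.5",
]


def indicators_in_line(line):
    """Return the sorted list of XcodeGhost indicators found in one log line."""
    hits = set()
    # Hostname of any URL in the line, compared against the CnC domain.
    for token in line.split():
        if token.startswith(("http://", "https://")):
            host = urlsplit(token).hostname
            if host and host.lower() in IOC_DOMAINS:
                hits.add(host.lower())
    # Every IPv4 literal in the line, compared against the CnC addresses.
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.add(ip)
    return sorted(hits)


def scan_log(lines):
    """Return (line_number, client, indicators) for every line that matches an indicator."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = indicators_in_line(line)
        if hits:
            fields = line.split()
            client = fields[1] if len(fields) > 1 else "?"
            results.append((number, client, hits))
    return results


if __name__ == "__main__":
    for number, client, hits in scan_log(SAMPLE_LOG):
        print("line %d: client %s contacted %s" % (number, client, ", ".join(hits)))
```

Each flagged client is a device that may still carry an infected app and should be inventoried; the result list, keyed by client address, is what a helpdesk would work from.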

[1] XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps – paloalto networks
[2] More Details on the XcodeGhost Malware and Affected iOS Apps – paloalto networks
[3] https://developer.apple.com/news/?id=09222015a – Apple Developer
[4] https://www.fireeye.com/blog/threat-research/2015/11/xcodeghost_s_a_new.html – FireEye
[5] https://nakedsecurity.sophos.com/2015/11/09/apples-xcodeghost-malware-still-in-the-machine/
[6] https://isc.sans.edu/diary/Detecting+XCodeGhost+Activity/20171 – SANS ISC InfoSec Forums