The iOS/App Store malware nicknamed XcodeGhost appears to have involved far more compromised apps than initially believed, as many as 4,000 depending on which security firm you ask.
FireEye claims to have identified more than 4,000 apps on the App Store, while Appthority found close to 500.
That’s all bad news, especially since the original report claimed that only a few dozen apps were affected.
It appears that Apple didn't host the 3 GB Xcode package, the software used to develop all App Store apps, on servers inside China. This meant that Chinese app developers had to download the huge package over what was effectively a very slow connection.
The malware's author took a standard Xcode installer, modified it to insert malicious code into every app built with it, and then uploaded the modified copy to a file-sharing site in China. App developers could download that copy at a much higher speed, which is how it spread to so many of them. The author has reportedly apologized for the "experiment."
Apple has since indicated that it will begin offering Xcode downloads from servers within China, plus adding more verification checks to apps uploaded to the App Store to ensure that they don’t carry the malware.
There’s also good news from the security firms analyzing the affected apps. According to Appthority, the malware doesn’t seem to be nearly as dangerous as first thought, going so far as to call it more adware than malware.
“The actual impact to device and enterprise security is surprisingly low–at least compared to this particular attack vector, distribution, and the potentially technical facilities.
“The identified versions of XcodeGhost actually behaved more like adware or tracking frameworks rather than malicious malware, and we don’t see it as an immediate security threat. But that example proved that it is possible to create code to infect multiple popular App Store apps and get through the App Store review process.”
It appears that affected apps could contact a command-and-control server and receive a number of different commands, including opening an App Store page or an arbitrary URL (which could theoretically be used to phish passwords or other information from unsuspecting users), or simply going back to sleep and checking in again later.
The malware did not access the clipboard or display login prompts or alerts on its own. The only way for it to launch a phishing attack would be to open a URL pointing at a malicious website.
At the time of this writing, Apple is in the process of removing affected apps from the store. It appears that the actual damage from the code was fairly minimal, but it makes for a good lesson that not even Apple’s walled garden is impervious to security threats.
Always remember to download software only from authorized sources, and make sure that all devices at your company are running the latest and most secure versions of the operating system.
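As an added example that is not part of this article: a small shell helper, for the developers on the receiving end of that advice, that checks an installed Xcode.app with `spctl --assess --verbose` (Apple's Gatekeeper assessment tool) and flags a copy that is not signed by Apple, as a repackaged download such as the one XcodeGhost rode in on would be. The three accepted `source=` labels are the ones I expect spctl to report for Apple-signed builds; the parsing function is written so it can be exercised against constructed sample output on any system.

```shell
#!/bin/sh
# Added example, not the article's or Apple's code.
# On a Mac the underlying check is:
#   spctl --assess --verbose /Applications/Xcode.app
# which prints "<path>: accepted" followed by a "source=..." line for a
# genuine build, and "<path>: rejected" for a tampered or unsigned one.

# xcode_assessment_ok OUTPUT
#   Returns 0 when OUTPUT (captured spctl text) shows "accepted" AND the
#   signature source is one of Apple's own; returns 1 otherwise.
xcode_assessment_ok() {
    out="$1"
    printf '%s\n' "$out" | grep -q ': accepted$' || return 1
    src=$(printf '%s\n' "$out" | sed -n 's/^source=//p' | head -n 1)
    case "$src" in
        "Mac App Store"|"Apple System"|"Apple") return 0 ;;   # assumed Apple-signed labels
        *) return 1 ;;
    esac
}

# check_xcode [PATH]
#   Runs the live assessment (macOS only) and reports the verdict.
check_xcode() {
    path="${1:-/Applications/Xcode.app}"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available (not macOS)"
        return 2
    fi
    out=$(spctl --assess --verbose "$path" 2>&1)
    if xcode_assessment_ok "$out"; then
        echo "OK: $path is signed by Apple"
        return 0
    fi
    echo "WARNING: $path failed assessment:"
    printf '%s\n' "$out"
    return 1
}
```

Run `check_xcode` on each developer Mac; a non-zero exit means the toolchain should be replaced with a fresh copy from Apple before anything built with it is shipped.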
What other steps does your organization take to protect mobile devices and company information? Let us know in the discussion thread below.