XcodeGhost Malware Infects over 4,000 iOS Apps

Security researchers have discovered that the malicious app campaign plaguing Apple’s App Store is far worse than initially thought, with over 4,000 App Store applications affected by the XcodeGhost malware.

It was less than a week ago when Apple suffered its first major malware attack targeting its App Store. At the time, it was believed that 39 applications were infected with malware. However, security researchers at FireEye have now detected more than 4,000 infected applications in the App Store.

The original estimate of 39 infected applications was detailed in a report by Palo Alto Networks. Despite the relatively small number, millions of users were exposed because several popular applications were among those infected.

However, a new report released by cybersecurity firm FireEye makes a staggering new claim. It reads:

Immediately after learning of XcodeGhost, FireEye Labs identified more than 4,000 infected apps on the App Store.

XcodeGhost – The First Major Apple App Store Malware

The malicious hackers behind the malware found an ingenious way to circumvent Apple’s strict app approval process and introduce malware into the App Store: infect the very source of app development. The hackers tweaked Xcode, Apple’s iOS Software Development Environment (SDE). This tweaked version of Apple’s SDE was then promoted to various app developers via forums, message boards and other sharing platforms.

China’s notorious firewall makes it hard for users within the country to establish high-speed connections to servers outside the country, Apple’s included. Developers therefore downloaded bootlegged copies of the tweaked Xcode package, unaware that it was laced with malware. It was only a matter of time before malware-laced applications started showing up.
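The defensive counterpart to the distribution trick described above is to verify that the Xcode on a build machine is the one Apple signed rather than a redistributed copy. The script below is an added example written for this article, not code from the article, Apple, or any of the firms it cites; it assumes a macOS host where `spctl` is available and Xcode is installed at the path in `XCODE_PATH`, and it treats only an "accepted" verdict from an Apple source as genuine.

```shell
#!/bin/sh
# Added example: verify that an installed Xcode is Apple-signed rather than a
# redistributed build of the kind XcodeGhost was delivered in.
# Assumptions: macOS with `spctl`; Xcode at $XCODE_PATH (default below).

XCODE_PATH="${XCODE_PATH:-/Applications/Xcode.app}"

# Classify the (newline-joined) output of `spctl --assess --verbose`.
# A genuine Xcode reports "accepted" with source=Mac App Store, Apple, or
# Apple System. Any other result, including "accepted" from an unexpected
# signer, is treated as suspect so that a re-signed copy does not pass.
xcode_verdict() {
    line="$1"
    case "$line" in
        *"accepted"*"source=Mac App Store"*) echo genuine;  return 0 ;;
        *"accepted"*"source=Apple System"*)  echo genuine;  return 0 ;;
        *"accepted"*"source=Apple"*)         echo genuine;  return 0 ;;
        *"rejected"*)                        echo rejected; return 1 ;;
        *)                                   echo unknown;  return 1 ;;
    esac
}

# Run the Gatekeeper assessment on the installed Xcode and print the verdict.
# spctl prints the path/verdict and the source on separate lines, so the
# output is joined into one line before classification.
check_xcode() {
    if [ ! -d "$XCODE_PATH" ]; then
        echo "no Xcode bundle at $XCODE_PATH" >&2
        return 1
    fi
    out=$(spctl --assess --verbose "$XCODE_PATH" 2>&1 | tr '\n' ' ')
    verdict=$(xcode_verdict "$out")
    status=$?
    echo "$XCODE_PATH: $verdict ($out)"
    return $status
}

# Only attempt the live check where spctl exists (i.e. on macOS); the
# classifier above can still be exercised elsewhere with constructed output.
if command -v spctl >/dev/null 2>&1; then
    check_xcode || echo "WARNING: Xcode at $XCODE_PATH did not verify as genuine" >&2
fi
```

Running the script on a build host exits non-zero whenever Gatekeeper rejects the bundle or attributes it to a signer other than Apple, which makes it usable as a gate in a CI job before any app is archived for submission.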

WeChat, a popular messaging app used by hundreds of millions of users around the world, released a statement in a blog post, saying:

A security flaw, caused by an external malware, was recently discovered affecting iOS users only on WeChat version 6.2.5. This flaw has been repaired and will not affect users who install or upgrade WeChat version 6.2.6 or greater, currently available on the iOS App Store.

After the initial reports of malware-infected applications in the App Store, Apple released an advisory to developers, stating:

We recently removed apps from the App Store that were built with a counterfeit version of Xcode, which had the potential to cause harm to customers.

Did Hackers Take a Cue from the CIA?

In a report published by The Intercept in March 2015, it was revealed that documents leaked by Edward Snowden point to evidence of CIA researchers finding a way to manipulate and tweak Xcode. The reason? To have developers design and build malware-laden applications without knowing it.

Ryan Olson, director of threat intelligence for Unit 42 at Palo Alto Networks, does not see the timing as a coincidence.

“The timing of the release of the Intercept report (March 10, 2015) and the first upload of the malicious Xcode packages (March 23, 2015) suggests that the attacker may have been inspired by this news,” Olson said.

The leaked information wasn’t really a blueprint for how to launch the attack, but it could have sparked the idea.

Image from Alexey Boldin / Shutterstock.

Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.