XcodeGhost Malware Threatens iOS users, FireEye Warns
XcodeGhost malware remains a threat to iOS users, according to FireEye, the Milpitas, Calif.-based cyber security firm. In a Tuesday blog post, FireEye noted that the threat persists even though Apple removed the infected apps from the App Store and shipped additional security features. Despite Apple's quick response, the malware has since been modified and remains active. iOS users first learned of the threat just over a month ago.
FireEye found that XcodeGhost has entered U.S. enterprises and presents a security risk. The malware’s botnet remains partially active, and a variant called XcodeGhost S has gone undetected.
210 Enterprises Infected
FireEye monitored activity related to the malware for four weeks and found 210 enterprises with XcodeGhost-infected applications active in their networks. Those apps generated over 28,000 attempts to connect to XcodeGhost command and control (CnC) servers. Although the CnC servers are no longer under attacker control, the CnC traffic remains vulnerable to hijacking by anyone who can intercept it or take over the domains.
FireEye identified the top five countries to which infected apps attempted callbacks over the four-week period: Germany 62%, U.S. 33%, France 3%, Netherlands 2%, and Japan 0.09% (see Fig. 1).
The 210 infected enterprises include a range of industries: education, 65%, high-tech, 13%, Other, 9%, manufacturing, 4%, telecom, 2%, e-commerce, 1%, CPG retail, 1%, and financial services, 1%.
Hijacked XcodeGhost CnC traffic can be used to distribute apps outside the App Store, force the device to browse to an attacker-chosen URL, promote any App Store app by launching its download page directly, and display phishing pop-up windows.
Top 20 Infected Apps Identified
FireEye identified the top 20 infected apps out of the 152 infected apps it observed (see Figure 3).
While most vendors have updated their App Store apps, users are still running the infected versions, and the distribution of infected versions varies by app. WeChat version 22.214.171.124 logged 2,963 incidents over three weeks. Music 163 logged incidents across several versions: 3,084 for version 2.8.2, 2,664 for version 2.8.3, and 1,227 for version 2.8.1.
Infected iPhones run iOS versions from 6.x.x to 9.x.x. FireEye urges its customers to update to the latest iOS 9 release as quickly as possible, since close to 70% of the victims in its customer base are on older iOS versions.
Employees Must Update Their Apps
Enterprises have tried to block the malware's DNS queries within their networks to cut off communication between employees' iPhones and the attackers' CnC servers. But until employees update both their apps and their devices, those phones remain exposed to XcodeGhost CnC traffic hijacking, and the exposure is greater once a device leaves the corporate network, where the DNS blocking no longer applies.
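DNS blocking only works if you can see the queries, and the same logs that feed the block also tell you which devices still carry an infected app. The script below is an added example, not FireEye's tooling or code from the original post: it parses BIND-style query log lines (constructed here for illustration) and reports, per client address, how many times a CnC domain was resolved. The domains in CNC_DOMAINS are hypothetical placeholders; a real deployment would substitute the indicators published in FireEye's report.

```python
import re
from collections import Counter

# Hypothetical placeholders standing in for the real XcodeGhost callback hosts.
# Replace with the published indicators before using this against real logs.
CNC_DOMAINS = {"cnc-placeholder-1.example", "cnc-placeholder-2.example"}

# Constructed BIND query-log lines (not real traffic). Note the mixed case and
# trailing dot on one query, which a naive string compare would miss.
CONSTRUCTED_LOG = """\
20-Oct-2015 09:15:01.101 client 10.20.4.17#52341: query: cnc-placeholder-1.example IN A + (10.20.0.2)
20-Oct-2015 09:15:02.215 client 10.20.4.17#52342: query: www.example.org IN A + (10.20.0.2)
20-Oct-2015 09:15:07.880 client 10.20.4.17#52343: query: cnc-placeholder-1.example IN A + (10.20.0.2)
20-Oct-2015 09:15:09.412 client 10.20.4.17#52344: query: cnc-placeholder-1.example IN A + (10.20.0.2)
20-Oct-2015 09:16:11.004 client 10.20.9.3#41002: query: cnc-placeholder-2.example IN A + (10.20.0.2)
20-Oct-2015 09:16:12.990 client 10.20.9.3#41003: query: mail.example.com IN A + (10.20.0.2)
20-Oct-2015 09:16:15.300 client 10.20.9.3#41004: query: API.cnc-placeholder-2.example. IN A + (10.20.0.2)
20-Oct-2015 09:17:30.120 client 10.20.5.22#60011: query: cdn.example.net IN A + (10.20.0.2)
"""

# Matches the "client <ip>#<port>: query: <name> IN <type>" portion of a BIND log line.
LOG_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<qname>\S+) IN"
)


def normalize(qname: str) -> str:
    """Lower-case the name and drop the trailing root dot so comparisons are stable."""
    return qname.lower().rstrip(".")


def is_cnc(qname: str) -> bool:
    """True if the name is a CnC domain or any subdomain of one."""
    name = normalize(qname)
    return any(name == d or name.endswith("." + d) for d in CNC_DOMAINS)


def find_cnc_queries(lines) -> dict:
    """Return {client_ip: Counter(normalized_qname -> hits)} for CnC lookups only."""
    hits = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m or not is_cnc(m.group("qname")):
            continue
        hits.setdefault(m.group("ip"), Counter())[normalize(m.group("qname"))] += 1
    return hits


def infected_report(lines) -> list:
    """Clients ranked by CnC lookup count; each still has an infected app installed."""
    hits = find_cnc_queries(lines)
    return sorted(
        ((ip, sum(c.values())) for ip, c in hits.items()),
        key=lambda item: (-item[1], item[0]),
    )


if __name__ == "__main__":
    for ip, total in infected_report(CONSTRUCTED_LOG.splitlines()):
        print(f"{ip}: {total} CnC lookups, app update still pending")
```

Because blocking the query at the resolver hides nothing from this report (the lookup is logged before it is refused), the same log feed doubles as a progress tracker: a client that stops appearing has updated or removed the app.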
FireEye has worked with Apple to remove XcodeGhost and XcodeGhost S samples from the App Store.
The malicious code was planted in several Xcode versions, including Xcode 7, which was released for iOS 9 development. XcodeGhost S adds features to bypass static detection and to infect apps running on iOS 9.
Apple introduced App Transport Security (ATS), configured through the NSAppTransportSecurity dictionary in an app's Info.plist, with iOS 9 to harden client-server connections. With ATS enabled, which is the default for apps built against iOS 9, an app may only make HTTPS connections, so earlier XcodeGhost versions, which reached their CnC server over plain HTTP, fail to connect. Apple does, however, let developers add exceptions to the Info.plist, including NSAllowsArbitraryLoads, which disables ATS for every host. One XcodeGhost S sample reads the NSAllowsArbitraryLoads setting under the NSAppTransportSecurity entry in Info.plist and chooses its CnC servers according to that setting.
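Since XcodeGhost S keys its behaviour off the app's own ATS settings, auditing those settings is a useful check on any app an enterprise deploys. The following is an added example, not code from FireEye or from the original article: it embeds constructed Info.plist documents (a weak one that sets NSAllowsArbitraryLoads, a scoped one that exempts a single host, and a clean one) and audits them with Python's standard plistlib. The bundle identifiers and the legacy.example.com host are placeholders.

```python
import plistlib

# Constructed Info.plist documents for illustration only; none is from a real app.

# WEAK: NSAllowsArbitraryLoads=true switches ATS off for every host, so plain-HTTP
# callbacks of the kind XcodeGhost S checks for are allowed through.
WEAK_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.weakapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
  </dict>
</dict>
</plist>
"""

# SCOPED: ATS stays on globally; one legacy host gets an explicit HTTP exception.
# Still worth reviewing, but the exposure is limited to that host.
SCOPED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.scopedapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSIncludesSubdomains</key>
        <false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# CLEAN: no ATS dictionary at all, so the iOS 9 HTTPS-only default applies.
CLEAN_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.cleanapp</string>
</dict>
</plist>
"""


def audit_ats(info_plist: bytes) -> dict:
    """Summarize an app's ATS posture from its Info.plist bytes (XML or binary)."""
    info = plistlib.loads(info_plist)
    ats = info.get("NSAppTransportSecurity", {})
    arbitrary = bool(ats.get("NSAllowsArbitraryLoads", False))
    # Per-domain exceptions that re-enable plain HTTP for a specific host.
    insecure_domains = sorted(
        domain
        for domain, rules in ats.get("NSExceptionDomains", {}).items()
        if rules.get("NSExceptionAllowsInsecureHTTPLoads", False)
    )
    if arbitrary:
        verdict = "high"      # ATS disabled everywhere: any HTTP CnC host is reachable
    elif insecure_domains:
        verdict = "medium"    # HTTP only to the listed hosts
    else:
        verdict = "ok"        # HTTPS-only default in force
    return {
        "bundle_id": info.get("CFBundleIdentifier"),
        "allows_arbitrary_loads": arbitrary,
        "insecure_http_domains": insecure_domains,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for plist in (WEAK_INFO_PLIST, SCOPED_INFO_PLIST, CLEAN_INFO_PLIST):
        print(audit_ats(plist))
```

The same function works on the binary Info.plist found inside a shipped .ipa, since plistlib.loads detects the format. An app that reports "high" is exactly the case XcodeGhost S probes for, so it deserves priority when deciding which apps to update or remove first.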
FireEye advises organizations to alert employees to the threat. Users should remove any app that Apple has taken down and switch to an alternative from the App Store.
FireEye provides visibility to customers of FireEye MTP management into the infected mobile devices in their deployment base. FireEye NX customers should review alert logs concerning the malware.
Images from Shutterstock and FireEye.