Earlier this week, Chinese developers disclosed new iOS malware called XcodeGhost on the microblogging service Sina Weibo. Yesterday, security research company Palo Alto confirmed the same and revealed that a number of apps in the Apple App Store were infected by the malware. Previously, Palo Alto had reported another malware, called “KeyRaider”, that affected jailbroken iOS devices.
Unlike previously found iOS malware, XcodeGhost is the first malware that directly targets the Xcode compiler itself. Xcode is Apple’s official software development tool for both OS X and iOS apps.
XcodeGhost was spread when a modified version of Apple’s Xcode compiler was uploaded to Baidu’s servers in China. Because Apple’s servers are slow in China and the Xcode installer is a 3 GB download, many Chinese developers downloaded the modified Xcode compiler, thinking it was a mirror of the original, and used it to build their apps.
Apps created using the modified version were then submitted to Apple for review, and some of them even passed and were made available for download through the App Store.
The malicious code inside these apps collects information about the devices on which they are installed and uploads it to the attackers’ control servers. The collected information includes the current time, the infected app’s name, the device’s UUID, the network type, and more.
Security research company Palo Alto also confirms the existence of a dormant piece of code which, when activated remotely, will launch websites that download additional malicious code, or generate pop-ups asking users for sensitive data.
Testing and scans by several security companies revealed that popular applications such as WeChat, WinZip, and CamCard, used by millions of users, are affected by the malware. Palo Alto reports that in its initial testing over 50 apps were infected. Chinese security firm Qihoo360 claims that the number potentially reaches 344 apps.
The damage done by XcodeGhost has consequences far beyond this single instance. Since enterprise iOS apps are distributed without App Store review, tainted apps can spread more easily to employees’ iPhones. Moreover, developers might not even need to download the infected Xcode installer to become unwilling malware carriers: XcodeGhost exploits a specific Xcode behavior that scans certain system directories for files to be included when building an app. This means that if the modified Xcode compiler is installed on one system, it can potentially compromise even a legitimate Xcode installation on that system.
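As an added illustration (not code from the article, from Apple or from Palo Alto), the following Python script shows the kind of integrity check a developer can run over a build toolchain such as an Xcode install: record a baseline of file hashes right after installing from a trusted source, then re-verify before building to catch files that were added or altered, the way a tampered compiler could plant inputs that Xcode picks up. The directory layout, file names and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

def _sha256(path):
    """Hash one file in chunks so large toolchain binaries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map every regular file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink is covered by hashing its target file
            manifest[os.path.relpath(full, root)] = _sha256(full)
    return manifest

def verify(root, baseline):
    """Return the files added, modified or missing under root since baseline;
    any non-empty list means this is not the toolchain that was installed."""
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
        "missing": sorted(set(baseline) - set(current)),
    }

def demo():
    """Constructed toolchain: take a baseline, then simulate tampering."""
    with tempfile.TemporaryDirectory() as root:
        sdk = os.path.join(root, "SDKs", "Demo.sdk", "Frameworks")  # hypothetical layout
        os.makedirs(sdk)
        with open(os.path.join(sdk, "Core.o"), "wb") as f:
            f.write(b"legit object code")
        baseline = build_manifest(root)  # persist this (e.g. as JSON) after a trusted install
        # Tampering: one object file dropped into the SDK, one existing file patched
        with open(os.path.join(sdk, "Extra.o"), "wb") as f:
            f.write(b"unexpected object code")
        with open(os.path.join(sdk, "Core.o"), "ab") as f:
            f.write(b"+patch")
        return verify(root, baseline)
```

Running `demo()` reports the planted `Extra.o` as added and the patched `Core.o` as modified; in practice the baseline is taken once from a download verified against Apple's own distribution and checked again before each release build.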
Apple confirmed the malware infection and told Reuters that it has started cleaning the iOS App Store by removing applications infected by XcodeGhost. Apple also said that it is working with developers to ensure they are using the legitimate version of Xcode.
We’ve removed the apps from the App Store that we know have been created with this counterfeit software.
We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.
Apple has not revealed any official information about how many users and apps are infected. Nor has it provided any solution for users who already have infected apps installed on their iPhone or iPad.
The reason why Apple has not provided any statistics about the infection is not clear. However, it is estimated that over 500 million users are affected by this malware.
Apple has traditionally positioned its platforms as more secure than Android or Windows. However, the size of this latest breach is unprecedented, and if the number of infected users and apps were revealed, it would definitely put a dent in Apple’s claim that iOS is a secure OS.
Source: Palo Alto