A few days ago principal security firm reported the first major cyber attack on the official Apple App Store, thousands of legitimate applications were infected by the XCodeGhost Malware. Apple announced it is cleaning up the official iOS App Store to remove malicious iPhone and iPad applications, the company confirmed that this is the first large-scale attack on the official store that evaded the stringent app review process of the company.
“We’ve removed the apps from the App Store that we know have been created with this counterfeit software,” Apple spokeswoman Christine Monaghan said in an email. “We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.”
The cyber attack was reported by several cyber security firms that detected a malicious program dubbed XcodeGhost that was used to “trojanize” hundreds of legitimate apps. The researchers confirmed that the attackers have infected several apps, including the popular mobile chat app WeChat and the music app from the Internet portal NetEase.
Despite the prompt response of the Apple security team, the infection is increasing exponentially, the security firm FireEye detected more than 4,000 infected apps in the App Store.
“Immediately after learning of XcodeGhost, FireEye Labs identified more than 4,000 infected apps on the App Store. FireEye has since updated detection rules in its NX and Mobile Threat Prevention (MTP) products to detect the malicious apps and their activity on a network. FireEye NX customers are alerted if an employee uses an infected app while the iOS device is connected to the corporate network.” states FireEye.
Attackers embedded the malicious code in the apps by deceiving developers and tricking them into use a bogus version of the Apple Xcode.
“The hackers embedded the malicious code in these apps by convincing developers of legitimate software to use a tainted, counterfeit version of Apple’s software for creating iOS and Mac apps, which is known as Xcode, Apple said.” reported the Reuters.
Now rumors on the Internet are linking the attack based in XcodeGhost to operations conducted by the CIA (Central Intelligence Agency).
The XcodeGhost is used by hackers to take over the victim’s mobile device, it is able to steal credentials, Hijack user’s traffic, and steal iCloud passwords from the device.
The attack method implemented by the XCodeGhost is similar to the one developed by the experts at the Central Intelligence Agency (CIA) which was reported by The Intercept in March 2015.
The report, published by The Intercept, is based on documents leaked by Edward Snowden, it described the effort of the US intelligence in exploiting the Xcode as a vector of infection. The US Intelligence was able to use it to establish a backdoor into iOS apps avoiding any control.
Every app built with the bogus version of Xcode were able to spy on users.
“The security researchers also claimed they had created a modified version of Apple’s proprietary software development tool, Xcode, which could sneak surveillance backdoors into any apps or programs created using the tool. Xcode, which is distributed by Apple to hundreds of thousands of developers, is used to create apps that are sold through Apple’s App Store.The modified version of Xcode, the researchers claimed, could enable spies to steal passwords and grab messages on infected devices. Researchers also claimed the modified Xcode could “force all iOS applications to send embedded data to a listening post.” It remains unclear how intelligence agencies would get developers to use the poisoned version of Xcode.” states an excerpt from the report published by The Intercept.
The description matches with the XCodeGhost attack, of course, these are just assumptions, but many security experts consider plausible the entire story.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(Security Affairs – XCodeGhost Attack, Apple)