Anti-Malware , Technology

Apple Malware Outbreak: Infected App Count Grows

List of Top 25 Infected Apps Will Help iOS Users Mitigate Risks, Apple Promises
Apple Malware Outbreak: Infected App Count Grows

The number of apps infected in the first large-scale Apple App Store malware outbreak is far higher than was first believed, according to the cybersecurity firm FireEye, which reports that at least 4,000 apps were infected with XcodeGhost malware (see Apple Battles App Store Malware Outbreak).

See Also: Disrupt Attack Campaigns with Network Traffic Security Analytics

In the wake of the discovery of a six-month malware campaign last week, early estimates were that dozens of apps had been infected with the XcodeGhost malware, which could be used by attackers to steal data from devices, including users' Apple passwords, as well as launch phishing attacks.

But FireEye now reports that the number of infected iOS apps is far higher than researchers initially suspected. "Immediately after learning of XcodeGhost, FireEye Labs identified more than 4,000 infected apps on the App Store," the company says in a Sept. 22 blog post.

Apple did not respond to a request for comment on that report and has so far declined to respond to questions about how many apps may have been infected.

FireEye has not released a full list of all infected apps, but spokeswoman Darshna Kamani tells Information Security Media Group that most of them are aimed at Chinese-language users. Previous reports, meanwhile, had warned that such popular apps as the WeChat messaging app and the Didi ride-hailing app were infected, and that infected apps were used not just by Chinese users, but globally.

The malware attack was perpetrated by attackers offering for download a pirated version of Apple's free Xcode software - which is used to build iOS and Mac OS X applications - that added malware to every app when it was compiled. An anonymous developer has claimed credit for the attack campaign, saying it was a "mistaken experiment," although numerous security experts have dismissed that claim.

Apple Squashes Bad Apps

Apple says that it has seen no evidence that any personal information was compromised. The company says it has been excising all apps that were built using a malicious version of Xcode and working with developers to ensure that they only use the official Xcode tool.

"We have no information to suggest that the malware has been used to do anything malicious or that this exploit would have delivered any personally identifiable information had it been used," Apple says in an XcodeGhost FAQ. "We're not aware of personally identifiable customer data being impacted and the code also did not have the ability to request customer credentials to gain iCloud and other service passwords. ... Malicious code could only have been able to deliver some general information such as the apps and general system information."

But other security firms have warned that the malware could have been used for malicious purposes. "XcodeGhost is reported to be the first instance of the iOS App Store distributing a large number of trojanized apps," FireEye says. "The malicious apps steal device and user information and send stolen data to a command and control server. These apps also accept remote commands, including the ability to open URLs sent by the [C&C] server. These URLs can be phishing webpages for stealing credentials, or a link to an enterprise-signed malicious app that can be installed on non-jailbroken devices."

Chinese social media and gaming giant - and WeChat developer - TenCent published a report on Sept. 20 warning that the malware could be used to remotely control devices and launch man-in-the-middle attacks against users. It also found that at least 76 of the top 5,000 apps in Apple's China app store were infected with XcodeGhost.

In its XcodeGhost FAQ, Apple has listed the top 25 most popular infected apps - which include WeChat, Didi, Railroad 12306, Baidu Music and NetEase Music - noting that "after the top 25 impacted apps, the number of impacted users drops significantly." It has also promised to make it easier - and quicker - for Chinese developers to download Xcode, because the difficulty of obtaining the official software reportedly drove developers to obtain it from non-official sources.

China is a massive and growing market for Apple, accounting for $13.2 billion in revenue in its last financial quarter, compared to $20.2 billion in the United States and $10.3 billion in Europe. In January 2014, Apple reported that Chinese developers had already launched 130,000 apps via Apple's app store.

Before this malware attack, only five malicious apps had ever successfully made it into the App Store, according to cybersecurity firm Palo Alto Networks.

Timeline: XcodeGhost Discovery

On Sept. 14, China's Computer Emergency Response Team issued a warning about the danger of using unofficial versions of Xcode. Just days later, Chinese researchers began reporting that at least a handful of apps had been infected with XcodeGhost malware, after which the count of infected apps has continued to skyrocket.

On Sept. 20, the XcodeGhost-Author account-holder on China's Weibo social media platform claimed credit for the malware campaign, saying the ability to trojanize the Xcode software had been an "accidental discovery," and that it had been distributed as "a one-time, mistaken experiment" to see if it could be used to push advertisements to infected devices, The Wall Street Journal reports.

The message claimed that the capability had never been exploited and noted that the malware was only ever designed to collect basic user and device data. "And 10 days ago, I actively shut down the server and deleted all the data, so it will not have any effect on anyone," it said.

While it is impossible to verify those claims, many security experts have dismissed them, saying the attacker's intentions were obviously nefarious. "The entire process was plotted and planned," mobile Internet security expert Lin Wei told China Central Television, pointing to a campaign that used multiple Internet accounts to make the software available - via multiple websites - over a six-month period, The Wall Street Journal reports.

Recommendation: Uninstall Apps

Pending updates from every developer that shipped an infected app, information security experts recommend that users uninstall all apps that were known to be infected. "Developers are releasing updated, clean versions of their apps. The best fix, if one of your apps is listed, is to uninstall it," says Lee Neely, a senior IT and security professional at the U.S. Department of Energy's Lawrence Livermore National Laboratory, in a recent SANS Institute newsletter.

Neely says that both iOS developers and Apple are to blame for the XcodeGhost malware outbreak. "This malware made it into the Apple App store due to social engineering of developers and a shortfall of Apple's code review process," he says. "When you own the compiler/IDE [integrated code environment], you own the apps created with it."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network