XcodeGhost: has it compromised the iTunes App Store?

Various stories have appeared today claiming that Apple has had to remove ‘hundreds’ of iOS apps from the iTunes App Store because they are malicious products infected with XcodeGhost. As is usual, there is some truth in that story, but it is not quite what it appears.

On 16 September 2015, new OS X and iOS malware was disclosed in China, and Alibaba security researchers posted analysis, dubbing it XcodeGhost. This was followed up by a further account on Palo Alto Networks the next day, 17 September.

What had happened was that a malicious version of Xcode, the software development kit used by most developers for OS X, iOS, and watchOS, had become available in China from third-party (non-Apple) servers. Because downloads from Apple’s servers are slow there, many legitimate developers in China obtain Xcode from unofficial (pirate) sources rather than the Mac App Store, and so had no assurance that the copy they were building with was the one Apple ships.
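A check a developer can run on the copy of Xcode they actually build with, as an added example that is not part of the original post: Apple’s Gatekeeper assessment tool, spctl, reports whether an application bundle is accepted and which signing source its signature chains to. A copy repackaged and served from a third-party mirror would not carry Apple’s signature. The path /Applications/Xcode.app, the helper names and the sample spctl output strings are assumptions made for this example; the format shown (an “accepted” or “rejected” verdict followed by a “source=” line) is what spctl --assess --verbose prints.

```shell
#!/bin/sh
# Added example, not code from the original post. Verifies that an installed
# Xcode bundle is signed by Apple, using the Gatekeeper assessment tool spctl.

# Classify one spctl result. The input is the text spctl --assess --verbose
# prints for a bundle, for example (constructed sample):
#   /Applications/Xcode.app: accepted
#   source=Mac App Store
# Prints "ok" when the bundle is accepted AND its signature comes from Apple
# (Mac App Store or Apple's own signing), otherwise prints "FAIL".
classify_spctl_output() {
    out="$1"
    case "$out" in
        *": accepted"*)
            case "$out" in
                *"source=Mac App Store"*|*"source=Apple"*) echo "ok" ;;
                *) echo "FAIL" ;;   # accepted, but signed by someone other than Apple
            esac ;;
        *) echo "FAIL" ;;           # rejected: unsigned, altered, or untrusted signer
    esac
}

# Assess a real Xcode install. Only works on macOS, where spctl exists;
# the default path is an assumption. Returns 0 only for an Apple-signed bundle.
check_xcode() {
    app="${1:-/Applications/Xcode.app}"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available (this check needs macOS)"
        return 2
    fi
    result=$(spctl --assess --verbose "$app" 2>&1)
    verdict=$(classify_spctl_output "$result")
    echo "$result"
    echo "verdict: $verdict"
    [ "$verdict" = "ok" ]
}

# Usage on a Mac:  check_xcode /Applications/Xcode.app
```

The verdict line distinguishes two failure modes worth treating differently: a bundle Gatekeeper rejects outright (no usable signature, or one that no longer matches the bundle contents because files were added or altered), and a bundle that is validly signed but by a Developer ID or other identity rather than Apple. Either result means the toolchain should be replaced with a fresh copy from the Mac App Store or Apple’s developer site before it is used to build anything that will be submitted.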

The malicious version of Xcode, infected with what is now known as XcodeGhost, was then used to create many iOS apps, which themselves were infected. Many of those apps were then accepted by Apple for delivery by the iTunes App Store in China. Apps affected include WeChat, Didi Chuxing, Railway 12306 (the official app for purchasing railway tickets in China), China Unicom Mobile Office, and Tonghuashun: all major products in China, but essentially unheard of elsewhere.

Palo Alto Networks’ latest analysis is that the infected iOS apps are dangerous and harmful. The malicious code effectively turns the iOS device into a bot, capable of responding to commands to phish for user information, hijack URLs, and read the user’s clipboard. It is claimed that infected apps have already started trying to phish for usernames and passwords.

So, as far as anyone can tell at the moment, all the malicious apps were placed in the Chinese iTunes App Store alone, and the affected apps are not offered by other regional versions of the iTunes App Store. Although the malicious version of Xcode has also been used to build OS X apps, none of those has yet been reported to be malware.

This is an unusual and – dare I say it – innovative technique for getting malware onto iOS devices. Clearly Apple is going to need to address this issue very quickly and robustly, if it is to retain credibility.

It is worth remembering that this is not the first time that one of Apple’s App Stores has been found distributing malware: significant previous cases have included LBTM, InstaStock, FindAndCall, and FakeTor. Other app stores have also had similar problems.

However, there do not (yet) appear to be any grounds for users of other App Stores, whether outside China or for OS X, to feel threatened by this. To quote Clive Dunn in his wonderful role in the TV series Dad’s Army: “Don’t panic!” yet.