XcodeGhost

XcodeGhost (and its variant XcodeGhost S) are modified versions of Apple's Xcode development environment that carry malware.[1] The software first gained widespread attention in September 2015, when a number of apps originating from China were found to harbor the malicious code.[2] The BBC described it as the "first large-scale attack on Apple's App Store".[3] The problem was first identified by researchers at Alibaba, a leading e-commerce firm in China.[3] According to FireEye, over 4,000 apps were infected, far more than the 25 initially acknowledged by Apple,[4] including apps from authors outside China.

Security firm Palo Alto Networks surmised that because downloads from Apple's servers were slow in China, developers there looked for local copies of Xcode and encountered altered versions that had been posted on domestic web sites. This opened the door for the malware to be inserted into high-profile apps used on iOS devices.[5][6]

Even two months after the initial reports, security firm FireEye reported that hundreds of enterprises were still using infected apps and that XcodeGhost remained "a persistent security risk".[7][8] The firm also identified a new variant of the malware and dubbed it XcodeGhost S; among the infected apps were the popular messaging app WeChat and NetEase's Music 163.[9]

Discovery

On September 16, 2015, a Chinese iOS developer mentioned[10] on the social network Sina Weibo that malware embedded in Xcode was injecting third-party code into apps compiled with it.

Alibaba researchers then published[11] detailed information on the malware and called it XcodeGhost.

On September 17, 2015, Palo Alto Networks published several reports on the malware.[12][13][14][15]

Operation

Propagation

Because downloads from Apple's servers were slow in China, Chinese iOS developers would fetch Xcode from third-party websites, such as Baidu Yun (now called Baidu WangPan), a cloud storage service hosted by Baidu, or obtain copies from co-workers. Attackers took advantage of this by distributing compromised versions on such file-hosting sites.[16]

Palo Alto Networks suspects that the compromised installers were already circulating in March 2015.[15]

Attack vector

Origins

Leaked document from Edward Snowden. "Strawhorse: Attacking the MacOS and iOS Software Development Kit".

The attack is a compiler backdoor: rather than exploiting a flaw in iOS or in any individual app, the attacker distributed a tampered build toolchain so that every app compiled with it carried the payload. What was new for the App Store ecosystem was the modification of Xcode itself. The idea predates XcodeGhost: according to documents leaked by Edward Snowden, researchers from Sandia National Laboratories, presenting at a CIA-sponsored security conference, claimed that they "had created a modified version of Apple's proprietary software development tool, Xcode, which could sneak surveillance backdoors into any apps or programs created using the tool."[17]

Modified files

Known versions of XcodeGhost add extra files[12] to the original Xcode application:

  • A malicious CoreService binary placed inside a CoreServices framework directory for the iOS, iOS simulator and macOS platforms
  • An IDEBundleInjection framework added for the iOS, iOS simulator and macOS platforms

XcodeGhost also modified the linker configuration so that the malicious files were linked[15] into every compiled app. The extra link step appears in the full build log but is not surfaced in the Xcode IDE, so a developer would not notice it without inspecting the log.

Both iOS and macOS apps built with a compromised copy of Xcode can be infected.

Deployment

XcodeGhost placed its payload in the CoreServices layer, the set of widely used system frameworks that apps depend on.[18] When a developer compiles an application with a compromised version of Xcode, the malicious CoreService code is linked into the app automatically, without the developer's knowledge.

The malicious code then adds behaviour to the UIWindow and UIDevice classes. UIWindow is "an object that manages and coordinates the views an app displays on a device screen".[19]

UIDevice provides a singleton instance representing the current device; from it the malware obtains details such as the device's assigned name, model, and operating-system name and version.[20]

Behavior on infected devices

Remote control security risks

XcodeGhost can be remotely controlled through commands sent by an attacker from a command-and-control (C2) server over plain HTTP. The command data is encrypted with DES in ECB mode. DES's 56-bit key and ECB's leakage of repeated plaintext blocks make the scheme weak, and because the key is embedded in the malware it can be recovered by reverse engineering. Since the transport is unauthenticated HTTP, an attacker on the network path could mount a man-in-the-middle attack and inject forged commands (to open a dialog box or a specific app, for example).

Stealing user device information

When an infected app is launched, whether on a device or in the simulator inside Xcode, XcodeGhost automatically collects device information such as:

  • Current time
  • Current infected app's name
  • The app's bundle identifier
  • Current device's name and type
  • Current system's language and country
  • Current device's UUID
  • Network type

The malware then encrypts this data and sends it to a command-and-control server. The server differs between versions of XcodeGhost; Palo Alto Networks found three server URLs:

  • http://init.crash-analytics.com
  • http://init.icloud-diagnostics.com
  • http://init.icloud-analysis.com

The last domain was also used by the iOS malware KeyRaider.[12]
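The hostnames above are the simplest indicator an incident responder can check an app against. The Python below is an added example, not code from the article, Palo Alto Networks or Apple: it opens an .ipa, looks only at Mach-O members under Payload/ (the app binary, embedded frameworks and extensions), and reports which of the three C2 hostnames each contains. The IPA it builds for the demonstration is constructed, not a real app. A plaintext string match of this kind catches only unobfuscated indicators and is a triage aid; the remediation for an infected app is rebuilding it with a clean Xcode.

```python
"""Triage an .ipa for XcodeGhost command-and-control indicators.

Added example, not code from the article or from any vendor named in it.
Assumptions: the standard IPA layout (a zip with Payload/<Name>.app/...) and
the Mach-O magic numbers; the indicator list is the three C2 hostnames
reported by Palo Alto Networks.
"""
import io
import zipfile

# The three C2 hostnames reported for XcodeGhost.
XCODEGHOST_C2_HOSTS = (
    b"init.crash-analytics.com",
    b"init.icloud-diagnostics.com",
    b"init.icloud-analysis.com",
)

# Mach-O magic values: thin 32/64-bit in both byte orders, plus fat binaries.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe",                        # FAT_MAGIC
}


def is_macho(data: bytes) -> bool:
    """True if the blob starts with a Mach-O or fat-binary magic number."""
    return data[:4] in MACHO_MAGICS


def find_c2_indicators(data: bytes) -> list:
    """Return the C2 hostnames present anywhere in the blob, in list order."""
    return [host.decode() for host in XCODEGHOST_C2_HOSTS if host in data]


def scan_ipa(ipa_bytes: bytes) -> dict:
    """Map each Mach-O member under Payload/ to the indicators found in it.

    Only Mach-O members are scanned; resources are skipped so that, say, a
    bundled HTML page that merely mentions a hostname does not produce a hit.
    """
    hits = {}
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith("Payload/"):
                continue
            data = zf.read(info)
            if not is_macho(data):
                continue
            found = find_c2_indicators(data)
            if found:
                hits[info.filename] = found
    return hits


def build_sample_ipa(binary_tail: bytes) -> bytes:
    """Constructed sample IPA for the demonstration, not a real app.

    The 'executable' is a 64-bit little-endian Mach-O magic followed by the
    caller's bytes; a text resource naming a C2 host is included to show
    that non-Mach-O members are ignored.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Sample.app/Info.plist", '<plist version="1.0"/>')
        zf.writestr("Payload/Sample.app/Sample", b"\xcf\xfa\xed\xfe" + binary_tail)
        zf.writestr("Payload/Sample.app/notes.txt",
                    b"init.icloud-analysis.com mentioned in a resource file")
    return buf.getvalue()


if __name__ == "__main__":
    infected = build_sample_ipa(b"\x00http://init.icloud-analysis.com/\x00")
    print(scan_ipa(infected))  # {'Payload/Sample.app/Sample': ['init.icloud-analysis.com']}
    print(scan_ipa(build_sample_ipa(b"\x00clean\x00")))  # {}
```

Run it against a real archive with `scan_ipa(open("App.ipa", "rb").read())`; an empty result means only that none of these three strings appears in clear text, which is why the check is a first pass and not a clean bill of health.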

Read and write from clipboard

Each time an infected app is launched, XcodeGhost can also read the contents of the iOS clipboard and modify them. This is particularly dangerous for users of password-management apps, which commonly pass credentials through the clipboard.

Hijack opening specific URLs

XcodeGhost can also open specific URLs when the infected app is launched. Because iOS and macOS route inter-app communication through URL schemes[21] (e.g. 'whatsapp://', 'Facebook://', 'iTunes://'), the attacker can open any app installed on the compromised phone, or on the computer in the case of an infected macOS application. This mechanism could be abused against password-management apps or to steer users to phishing websites.

Prompting alert dialog

In its currently known version, XcodeGhost cannot prompt alert dialogs on the user's device,[15] but only minor changes would be required to add that capability.

Using a UIAlertView with the UIAlertViewStyleLoginAndPasswordInput style, an infected app could display a fake alert that looks like a normal Apple ID credential prompt and send the input to the command-and-control server.

Infected apps

Among Chinese apps, instant-messaging apps, banking apps, mobile carriers' apps, maps, stock-trading apps, social-networking apps and games were infected. Popular apps used worldwide were also infected, such as WeChat, the instant-messaging app; CamScanner, which scans documents with the phone camera; and WinZip.

Pangu Team claimed that they counted 3,418 infected apps.[22]

Fox-IT, a Netherlands-based security company, reported that it observed thousands of malicious connections to the XcodeGhost servers from outside China.[23][24]

Removal

Neutralizing command and control servers and compromised versions of Xcode

Following the reports from Alibaba and Palo Alto Networks, Amazon took down all the servers used by XcodeGhost, and Baidu removed all malicious Xcode installers from its cloud storage service.

Removing malicious apps from the App Store

On September 18, 2015, Apple acknowledged the malware and began asking all developers with compromised apps to recompile them with a clean version of Xcode before resubmitting them for review.

Pangu Team released a tool[25] to detect infected apps on a device, but like other antivirus apps it only runs on a jailbroken device, because Apple does not allow antivirus apps into the iOS App Store.[26]

Checking Xcode version

Apple advises developers to verify[27][28] their copy of Xcode and to keep Gatekeeper enabled on their machines.
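Putting the verification advice together with the Modified files section above, the Python below is an added example (not the article's, Apple's or any vendor's code) of what a developer auditing a workstation after this incident would check. First it interprets the Gatekeeper verdict that Apple's validation note [28] tells developers to obtain with `spctl --assess --verbose /Applications/Xcode.app`, which for a genuine copy reads `accepted` with `source=Mac App Store`, `source=Apple System` or `source=Apple`. Then it walks the Xcode bundle for the artifacts the article describes. The concrete locations it looks in (a CoreService binary and an IDEBundleInjection.framework copy under Developer/SDKs/Library/Frameworks, a directory Apple does not use) and the `-force_load` flag in the Ld.xcspec linker spec are this example's assumptions, taken from the Palo Alto Networks write-ups, and the Xcode skeleton it builds is constructed for the demonstration.

```python
"""Audit a local Xcode.app for XcodeGhost-style tampering.

Added example, not code from the article, Apple, or any vendor named in it.
Check 1 parses the Gatekeeper verdict from `spctl --assess --verbose`.
Check 2 walks the bundle for the artifacts the article lists. ASSUMPTIONS
(from the Palo Alto Networks write-ups; re-verify against current indicators):
the dropped CoreService binary and a rogue IDEBundleInjection.framework sit
under Developer/SDKs/Library/Frameworks, and the linker spec Ld.xcspec gains a
`-force_load ...CoreServices.framework/CoreService` flag.
"""
import os
import re
import shutil
import subprocess
import tempfile

# Sources Apple's validation note says a genuine Xcode should report.
GENUINE_SOURCES = {"Mac App Store", "Apple System", "Apple"}
ROGUE_SDK_DIR = "Developer/SDKs/Library/Frameworks"   # assumption, see above
FORCE_LOAD_RE = re.compile(r"-force_load\s+\S*CoreServices\.framework/CoreService\b")


def run_spctl(app_path="/Applications/Xcode.app") -> str:
    """Run Gatekeeper's assessment (macOS only); spctl writes to both streams."""
    proc = subprocess.run(["spctl", "--assess", "--verbose", app_path],
                          capture_output=True, text=True)
    return proc.stdout + proc.stderr


def gatekeeper_ok(spctl_output: str) -> bool:
    """True only for 'accepted' with one of Apple's own sources.

    A copy that is 'accepted' because a third party signed it with their
    Developer ID passes Gatekeeper yet is not Apple's Xcode, so the source
    line must be checked as well as the verdict.
    """
    accepted = re.search(r":\s*accepted\b", spctl_output) is not None
    m = re.search(r"^source=(.+)$", spctl_output, re.MULTILINE)
    source = m.group(1).strip() if m else ""
    return accepted and source in GENUINE_SOURCES


def find_tampering(xcode_app: str) -> list:
    """Return findings for injected files and the linker-spec modification."""
    findings = []
    for root, dirs, files in os.walk(xcode_app):
        rel = os.path.relpath(root, xcode_app).replace(os.sep, "/")
        in_rogue_dir = ROGUE_SDK_DIR in rel
        if in_rogue_dir and os.path.basename(root) == "CoreServices.framework" \
                and "CoreService" in files:
            findings.append("injected CoreService binary: " + rel + "/CoreService")
        if in_rogue_dir and "IDEBundleInjection.framework" in dirs:
            findings.append("unexpected IDEBundleInjection.framework: " + rel)
        if "Ld.xcspec" in files:
            with open(os.path.join(root, "Ld.xcspec"), errors="replace") as f:
                if FORCE_LOAD_RE.search(f.read()):
                    findings.append("linker spec force-loads CoreService: " + rel + "/Ld.xcspec")
    return findings


def build_sample_xcode(tampered: bool) -> str:
    """Constructed Xcode.app skeleton for the demonstration (not a real bundle).

    The clean variant has the legitimate IDEBundleInjection.framework location
    and a normal SDK path; the tampered variant adds the three artifacts.
    """
    app = tempfile.mkdtemp(suffix="Xcode.app")
    platform = os.path.join(app, "Contents/Developer/Platforms/iPhoneOS.platform")
    legit_sdk = os.path.join(platform, "Developer/SDKs/iPhoneOS9.0.sdk/System/Library/"
                             "Frameworks/CoreServices.framework")
    os.makedirs(legit_sdk)
    open(os.path.join(legit_sdk, "CoreServices"), "wb").write(b"\xcf\xfa\xed\xfe")
    os.makedirs(os.path.join(app, "Contents/Developer/Library/Frameworks/IDEBundleInjection.framework"))
    spec_dir = os.path.join(app, "Contents/PlugIns/Xcode3Core.ideplugin/Contents/SharedSupport/"
                            "Developer/Library/Xcode/Plug-ins/CoreBuildTasks.xcplugin/Contents/Resources")
    os.makedirs(spec_dir)
    flags = "-dead_strip"   # placeholder content for the constructed spec file
    if tampered:
        rogue = os.path.join(platform, ROGUE_SDK_DIR)
        os.makedirs(os.path.join(rogue, "CoreServices.framework"))
        open(os.path.join(rogue, "CoreServices.framework/CoreService"), "wb").write(b"\xcf\xfa\xed\xfe")
        os.makedirs(os.path.join(rogue, "IDEBundleInjection.framework"))
        flags += " -force_load $(PLATFORM_DEVELOPER_SDK_DIR)/Library/Frameworks/CoreServices.framework/CoreService"
    with open(os.path.join(spec_dir, "Ld.xcspec"), "w") as f:
        f.write('{ Name = "OTHER_LDFLAGS"; DefaultValue = "' + flags + '"; }\n')
    return app


if __name__ == "__main__":
    sample = build_sample_xcode(tampered=True)
    for finding in find_tampering(sample):
        print(finding)
    shutil.rmtree(sample)
    if os.path.exists("/Applications/Xcode.app"):   # live check, macOS only
        print("Gatekeeper OK:", gatekeeper_ok(run_spctl()))
        print(find_tampering("/Applications/Xcode.app") or "no tampering indicators")
```

The Gatekeeper check is the one Apple recommends and should be the first thing run; the file walk is a second opinion for the specific artifacts reported in 2015, and a clean result from it says nothing about other ways a toolchain could be altered. Note that `spctl` only evaluates the signature; a bundle that was accepted at download time but had files added afterwards is exactly what the walk is for.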

References

  1. Dan Goodin (September 21, 2015). "Apple scrambles after 40 malicious "XcodeGhost" apps haunt App Store". Ars Technica. Retrieved 2015-11-05.
  2. Joe Rossignol (September 20, 2015). "What You Need to Know About iOS Malware XcodeGhost". MacRumors. Retrieved 2015-11-05.
  3. "Apple's App Store infected with XcodeGhost malware in China". BBC News. 2015-09-21. Retrieved 2016-09-22.
  4. "Protecting Our Customers from XcodeGhost". FireEye. Retrieved 2021-11-09.
  5. Sam Byford (September 20, 2015). "Apple removes malware-infected App Store apps after major security breach". The Verge. Retrieved 2015-11-05.
  6. James Temperton (September 21, 2015). "Apple App Store hack: XcodeGhost attack strikes China". Wired UK. Retrieved 2015-11-05.
  7. Jeremy Kirk (November 4, 2015). "Many US enterprises still running XcodeGhost-infected Apple apps, FireEye says". InfoWorld. Retrieved 2015-11-05.
  8. Ben Lovejoy (November 4, 2015). "A modified version of XcodeGhost remains a threat as compromised apps found in 210 enterprises". 9to5Mac. Retrieved 2015-11-05.
  9. Yong Kang; Zhaofeng Chen; Raymond Wei (November 3, 2015). "XcodeGhost S: A New Breed Hits the US". FireEye. Retrieved 2015-11-05.
  10. "First mention of XcodeGhost on Sina Weibo". Sina Weibo. September 17, 2015. Retrieved 2015-11-11.
  11. "There is a ghost in the Xcode compiler: XcodeGhost sample analysis" (in Chinese). Alibaba JAQ (jaq.alibaba.com). Archived from the original on 2016-04-19. Retrieved 2015-11-11.
  12. Claud Xiao (September 17, 2015). "Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store". Palo Alto Networks Blog. Retrieved 2015-11-11.
  13. Claud Xiao (September 18, 2015). "Malware XcodeGhost Infects 39 iOS Apps, Including WeChat, Affecting Hundreds of Millions of Users". Palo Alto Networks Blog. Retrieved 2015-11-11.
  14. Claud Xiao (September 18, 2015). "Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps". Palo Alto Networks Blog. Retrieved 2015-11-11.
  15. Claud Xiao (September 21, 2015). "More Details on the XcodeGhost Malware and Affected iOS Apps". Palo Alto Networks Blog. Retrieved 2015-11-11.
  16. Thomas Fox-Brewster (September 18, 2015). "Hackers Sneak Malware Into Apple App Store 'To Steal iCloud Passwords'". Forbes. Retrieved 2015-11-11.
  17. Jeremy Scahill; Josh Begley (March 10, 2015). "The CIA Campaign to Steal Apple's Secrets". The Intercept. Retrieved 2015-11-11.
  18. "Core Services Layer". developer.apple.com. Retrieved 2015-11-11.
  19. "UIWindow Class Reference". developer.apple.com. Retrieved 2015-11-11.
  20. "UIDevice Class Reference". developer.apple.com. Retrieved 2015-11-11.
  21. "Inter-App Communication". developer.apple.com. Retrieved 2015-11-11.
  22. "Pangu Team on Weibo". September 21, 2015. Retrieved 2015-11-11.
  23. "Combined research Fox-IT and Palo Alto Networks revealed popular apps infected with malware". Fox-IT. September 18, 2015. Archived from the original on 2016-08-12. Retrieved 2015-11-11.
  24. Thomas Fox-Brewster (September 18, 2015). "Hackers Sneak Malware Into Apple App Store 'To Steal iCloud Passwords'". Forbes. Archived from the original on 2016-11-25.
  25. "Xcode virus detection, XcodeGhost virus detection" (in Chinese). Pangu Jailbreak (x.pangu.io). Retrieved 2015-11-11.
  26. Karen Haslam. "Why the iOS app XcodeGhost exploit shouldn't concern you". Macworld UK. Retrieved 2017-09-24.
  27. "Questions and answers about XcodeGhost" (in Chinese). Apple. Archived from the original on 2015-11-14. Retrieved 2016-06-17.
  28. "Validating Your Version of Xcode - News and Updates - Apple Developer". developer.apple.com. Retrieved 2015-11-11.
