Malware sneaks into the iOS App Store. What you need to know about XcodeGhost

Graham Cluley

I heard that the iPhone App store got hacked – what happened?

No, the App Store didn’t get hacked. But that doesn’t mean that some users of the App Store didn’t have a problem.

Late last week, the Palo Alto Research blog (which is currently offline, perhaps because too many people are trying to reach it) described how unauthorised third parties had tampered with Apple’s Xcode software, a code library used by developers of Mac OS X and iOS applications.

The tampered file was published on the net (note: not on Apple’s own site) and some developers, particularly Chinese developers, downloaded that meddled-with file and used it to create their apps.

Without realising that anything strange was afoot, the developers then uploaded those apps to the Apple App store, and the malicious code – known as XcodeGhost – managed to slip past Apple’s security checks.

The end result? The apps contained unauthorised code that could send details of your iOS device to third parties, and – according to one report – attempted to phish for iCloud passwords by displaying a bogus dialog box.

So, Apple wasn’t hacked. But it failed to spot that malicious code had entered its App Store.

What information do the malicious versions of the apps steal?

XcodeGhost gathers information from infected devices, including the current time, current infected app’s name, the app’s bundle identifier, the current device’s name and type, current system’s language and country, the current device’s UUID and network type.

In addition there are reports that some affected users may have been presented with phishing dialogs attempting to steal their iCloud usernames and passwords.

What apps were affected?

Most of the affected apps were designed for the Chinese market. However, some of them are used more widely, such as WeChat – a major instant messaging app used by hundreds of millions of people worldwide.

Tencent, the developer of WeChat, has since issued an advisory announcing that it has released a fixed version of the app (version 6.2.6).

Other apps said to be impacted by XcodeGhost include Angry Birds 2, Chinese taxi-hailing app Didi Chuxing, WinZip, and the Mercury browser.

So the only worry is for people who have downloaded affected apps from the iOS App Store?

Not quite. As I explain in a video, there are some iOS apps that never get uploaded to the official App Store.

For instance, big companies sometimes create custom apps for their staff’s mobile devices, and if these were compiled using the malicious version of Xcode then they could also pose a risk.

What has Apple done about it?

As The Guardian reports, Apple has removed the tainted apps that it knows about from the App Store and is “working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.”

So why didn’t the app developers use the official version of Xcode, rather than one they found lying around on the net?

That seems a fair question. After all, if they had downloaded the library from Apple directly rather than a tampered version then their apps would not have become malicious.

At first you might imagine that the developers were keen to save money, and so downloaded the code from an unofficial source. But Apple gives away Xcode for free, so that’s not the reason. The explanation appears to be that poor connectivity between Chinese computers and Apple’s servers meant that some programmers chose to take a short cut and source the library from third-party sites.

It turns out that that was a big mistake.

What should I do about it?

The vast majority of people are likely to be unaffected by this incident. Chances are that you are more at risk if you are in the habit of running Chinese apps on your devices.

If you’re nerdy you might want to follow the advice from SANS to detect if your smartphone or tablet may have been affected by XcodeGhost.

You should always ensure that you are running the latest versions of apps on your iPhone or iPad. Furthermore, if you are feeling paranoid, it might make sense to change your iCloud password – ensuring, of course, that you are not using the same password anywhere else on the net.

What does this tell us about Apple security?

Actually it suggests that Apple’s security is pretty good! After all, this was quite a complicated way (trick the developers into compiling a malicious version of their app) to get malware into the App Store.

Although this isn’t the first time that malicious code has reached the iOS App Store, it’s probably the most significant incident to date. To its credit, the iOS App Store has a much, much better track record for security than Google’s Android one.

Although potentially bad news for anyone who was running a tampered app, I’m not sure that Apple’s reputation is particularly tarnished by this. It’s the app developers who made the biggest blunder.

It’s now up to the app developers to rebuild their apps and re-upload them to Apple, using the correct version of Xcode of course.
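
For developers rebuilding their apps, one way to confirm that the installed Xcode is a genuine Apple-signed copy is to have macOS Gatekeeper assess it with `spctl`. The script below is an added example, not part of the original article; the function names are hypothetical, and the accepted sources (Mac App Store, Apple, Apple System) follow Apple's published guidance on validating Xcode.

```shell
#!/bin/sh
# Added example: decide whether a Gatekeeper assessment of Xcode.app can be trusted.
# Function names are hypothetical; they are not from the article or from Apple.

# xcode_verdict: reads the output of `spctl --assess --verbose <app>` on stdin.
# Prints "ok" and returns 0 only when the bundle is accepted AND its signing
# source is one Apple lists for genuine Xcode; otherwise prints "untrusted".
xcode_verdict() {
    out=$(cat)
    # Anything other than "accepted" (for example "rejected") fails immediately.
    printf '%s\n' "$out" | grep -q ': accepted' || { echo untrusted; return 1; }
    # The source may appear on the same line as the verdict or on the next one.
    src=$(printf '%s\n' "$out" | sed -n 's/.*source=\(.*\)$/\1/p' | head -n 1)
    case "$src" in
        "Mac App Store"|"Apple"|"Apple System") echo ok; return 0 ;;
        # An accepted bundle signed by anyone else is not a genuine Xcode.
        *) echo untrusted; return 1 ;;
    esac
}

# check_xcode: run the real assessment on a Mac (it can take several minutes).
# Usage: check_xcode /Applications/Xcode.app
check_xcode() {
    app=${1:-/Applications/Xcode.app}
    spctl --assess --verbose "$app" 2>&1 | xcode_verdict
}
```

A build machine can call `check_xcode` before every release build and stop the build on a non-zero exit status.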


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
