Late last week, Chinese iOS developers found a new iOS and OS X malware called ‘XcodeGhost’, which they disclosed on Weibo (a.k.a. China’s Twitter).
Unlike previous malware found for OS X, XcodeGhost is the first malware that directly targets the Xcode compiler itself. However, it is iOS that has been most heavily affected by it.
In a nutshell, a malicious version of the Xcode compiler was uploaded to Baidu’s server in China; Chinese developers then downloaded it and used it to build their apps.
XcodeGhost exploits Xcode’s default search paths for system frameworks, so that apps built with the tampered toolchain pick up the malicious code, and it has infected multiple iOS apps built by developers who used it.
Worse, these apps were submitted to Apple for review, and some of them passed and were made available for download through the App Store. The malicious code inside these apps collects information about the device on which it is installed and uploads it to the attackers’ control servers. The collected information includes the current time, the infected app’s name, the device’s UUID, the network type, and more. It is also possible for the infected apps to receive commands from the attackers, which is potentially far more dangerous.
Testing and scans by several security companies revealed that popular applications such as WeChat, WinZip, and CamCard are affected. At the time of writing, more than 50 iOS apps, some of which are incredibly popular in China and other countries, are affected by this malware and still available for download through the App Store.
Palo Alto has written a detailed analysis of the XcodeGhost malware, which can be found here. It has also notified the developers of all the affected apps so that they can take immediate action.
As of writing of this article, WeChat has already been updated to v6.2.6 to remove the malicious code, and Baidu has removed all the malicious Xcode files from its server. However, it is entirely possible that malware-infected Xcode files will surface again on the cloud-sharing service, which is why it is highly recommended that developers download Xcode only directly from Apple’s server.
You can find a list of all the infected iOS apps here. If you have any of them installed on your iOS device, it is highly recommended that you uninstall them for now and wait for their respective developers to ship updated versions.
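Downloading Xcode from Apple is only half of the recommendation; a developer should also be able to confirm that the copy already installed on a build machine is the one Apple signed. The script below is an added example, not code from the article or from Palo Alto. It wraps the Gatekeeper check Apple published for developers after XcodeGhost (`spctl --assess --verbose` on `Xcode.app`, which should report `accepted` with a source of `Mac App Store`, `Apple System` or `Apple`) together with a deep `codesign` verification. `XCODE_PATH` is an assumed variable name, and the three `SAMPLE_*` outputs are constructed to show how each verdict is classified; only `check_xcode` touches the real system, and it is skipped where `spctl` is not installed.

```shell
#!/bin/sh
# Added example, not from the original article or Palo Alto.
# Assumption: the trusted `spctl` verdicts below are the ones Apple documented
# for a genuine Xcode ("accepted" with source Mac App Store, Apple System, or Apple).

XCODE_PATH="${XCODE_PATH:-/Applications/Xcode.app}"   # assumed location

# Classify the full two-line output of `spctl --assess --verbose <app>`.
# Prints "trusted", "untrusted" or "unknown"; returns 0, 1 or 2 respectively.
classify_spctl_output() {
    out="$1"
    if printf '%s\n' "$out" | grep -q ': accepted'; then
        if printf '%s\n' "$out" | grep -Eq '^source=(Mac App Store|Apple System|Apple)$'; then
            echo trusted
            return 0
        fi
        # Gatekeeper accepted it, but the signer is not Apple: a re-signed
        # or re-packaged Xcode is exactly the XcodeGhost scenario.
        echo untrusted
        return 1
    elif printf '%s\n' "$out" | grep -q ': rejected'; then
        echo untrusted
        return 1
    fi
    echo unknown
    return 2
}

# Run both checks against a real Xcode install. Returns 0 only when Gatekeeper
# reports an Apple source AND the deep code-signature verification passes.
check_xcode() {
    path="${1:-$XCODE_PATH}"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available on this host; skipping live check"
        return 2
    fi
    verdict="$(spctl --assess --verbose "$path" 2>&1)"
    classification="$(classify_spctl_output "$verdict")"
    echo "Gatekeeper: $classification"
    [ "$classification" = trusted ] || return 1
    # --deep walks every nested bundle and framework; --strict rejects
    # signatures that would pass only under older, looser rules.
    if codesign --verify --deep --strict "$path" 2>&1; then
        echo "codesign: signature intact"
        return 0
    fi
    echo "codesign: signature broken or missing"
    return 1
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_TRUSTED="$(printf '%s\n%s' '/Applications/Xcode.app: accepted' 'source=Mac App Store')"
SAMPLE_RESIGNED="$(printf '%s\n%s' '/Applications/Xcode.app: accepted' 'source=Developer ID')"
SAMPLE_REJECTED="$(printf '%s\n%s' '/Applications/Xcode.app: rejected' 'source=no usable signature')"

# Stand-alone demonstration on the constructed samples, then the live check.
for sample in "$SAMPLE_TRUSTED" "$SAMPLE_RESIGNED" "$SAMPLE_REJECTED"; do
    classify_spctl_output "$sample"
done
check_xcode "$XCODE_PATH" || true
```

A CI job for an iOS project can run `check_xcode` before `xcodebuild` and fail the build on any result other than `trusted`, so a tampered toolchain is caught before it ever produces a binary that could be submitted for review.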
Update: You can check whether any of the apps on your device are infected by the XcodeGhost malware using this tool from the Pangu team.
[Via Palo Alto]