Palo Alto Networks researchers recently warned of new OS X and iOS malware called XcodeGhost, which was repackaged into some versions of the Xcode installer that were then uploaded to file-sharing services used by Chinese iOS and OS X developers.
“The malware has exposed a very interesting attack vector, targeting the compilers used to create legitimate apps,” Palo Alto Networks security researcher Claud Xiao wrote in a blog post examining XcodeGhost. “This technique could also be adopted to attack enterprise iOS apps or OS X apps in much more dangerous ways.”
Because the standard Xcode installer is almost 3GB in size and network speeds in China can be very slow when downloading from Apple’s servers, Xiao noted, some Chinese developers choose to get the package from other sources.
In a follow-up post, Xiao reported that iOS apps on the Apple App Store with hundreds of millions of users worldwide were infected, including WeChat, the business card scanner CamCard, Railway 12306 (the official app for purchasing train tickets in China), and China Unicom Mobile Office (used by China’s largest mobile carrier).
A list of apps known to have been infected is available here.
The malware collects information on infected devices and uploads it to command and control servers. It’s also capable of creating a fake alert dialog to phish user credentials, hijacking specific URLs, and reading and writing data in the user’s clipboard.
In one case, Xiao noted, XcodeGhost has been used to launch phishing attacks that ask users of infected devices to enter their iCloud passwords. “When people use apps like 1Password to manage their passwords in iOS, they often open 1Password, copy the stored password to system clipboard, then open the app they want to use and paste the password to the login window,” he wrote. “At this moment, a malicious app can directly read the password from system clipboard.”
Cigital software security consultant Paco Hope told eSecurity Planet that XcodeGhost unfortunately demonstrates the problem with analyzing apps after they’re built or deployed. “Secure software begins earlier, like when it is designed and developed,” he said.
“And there are no silver bullets — no tools that simply take care of the problem so that the people don’t need to do it themselves,” Hope added. “It is important to incorporate security throughout the development process, right down to the provenance and selection of the development toolchain itself.”
Recent eSecurity Planet articles have examined the importance of manual penetration testing as a key part of application development, and looked at 14 ways to integrate security into the app development process.