XcodeGhost gets updated, now also hits US users

The XcodeGhost threat is far from over, and iOS users are still in danger of unknowingly using apps infected with it, FireEye researchers have warned.

“After monitoring XcodeGhost related activity for four weeks, we observed 210 [US] enterprises with XcodeGhost-infected applications running inside their networks, generating more than 28,000 attempts to connect to the XcodeGhost Command and Control (CnC) servers – which, while not under attacker control, are vulnerable to hijacking by threat actors,” they noted.

These organizations/businesses operate in a wide range of industries, but most of them are in education, high-tech, manufacturing, and telecommunications. The CnC servers that the malicious apps try to connect to are located mainly in Germany and the US.

As you may remember, the XcodeGhost threat arises from the fact that someone has been planting malicious versions of Apple’s Xcode app building framework on Chinese developer forums. Apps created with it were effectively Trojanized, but still managed to pass the App Store’s code review.

Such apps were then able to force users to browse to specific URLs, pop up phishing windows (e.g. for phishing iCloud credentials), read and write data in the user’s clipboard, collect device, app and network information, and more.

Apple has reacted to the threat by removing infected apps from the App Store, and by alerting both developers and users about it. They have helped developers make the switch to the official version of the Xcode framework, and have begun blocking submissions of new apps that contain the malware.

But all that was not enough to stamp out the infection completely, as many users are still actively using older, infected versions of various apps, most notably Tencent’s WeChat and the app of NetEase Cloud Music, a popular Chinese Spotify alternative.

And, according to the researchers, there are still other infected iOS apps that have been repackaged with a newer variant (XcodeGhost S) of the malicious framework.

This change allows the malicious apps to bypass the secure-connection requirement (HTTPS instead of HTTP) added in iOS 9, so that they can still contact their CnC server. Also, the CnC domain is no longer hard-coded in the malware but is assembled at runtime by concatenating characters, which prevents static detection tools from spotting the app as malicious by matching the domain string.

The company has been working with Apple on detecting infected apps and removing them from the App Store, including a specific shopping app available to both US and Chinese users.

“Some enterprises have taken steps to block the XcodeGhost DNS query within their network to cut off the communication between employees’ iPhones and the attackers’ CnC servers to protect them from being hijacked. However, until these employees update their devices and apps, they are still vulnerable to potential hijacking of the XcodeGhost CnC traffic – particularly when outside their corporate networks,” the researchers noted.
