Welcome to the MacNN Forums.

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

You are here: MacNN Forums > News > Mac News > Apple purging XcodeGhost-afflicted apps, Angry Birds 2 among infected

Apple purging XcodeGhost-afflicted apps, Angry Birds 2 among infected
Thread Tools
NewsPoster
MacNN Staff
Join Date: Jul 2012
Status: Offline
Reply With Quote
Sep 21, 2015, 08:38 AM
 
Further research on the XcodeGhost Apple iOS App Store situation has shown that some apps beyond the Chinese market are infected with the limited malware package. According to researchers, 31 apps carrying XcodeGhost have at least some international impact beyond just the Chinese iOS App Store, including popular Rovio title Angry Birds 2. One Chinese research firm believes as many as 344 apps have fallen victim to the package.

Applications identified as including the XcodeGhost package are Angry Birds 2, CamCard, CamScanner, Card Safe, China Unicom Mobile Office, CITIC Bank move card space, Didi Chuxing, Didi Kuaidi, Eyes Wide, Flush, Freedom Battle, High German map, Himalayan, Hot stock market, I called MT, I called MT 2, IFlyTek input, Jane book, Lazy weekend, Lifesmart, Mara Mara, Marital bed, Medicine to force, Micro Channel, Microblogging camera, NetEase, OPlayer, Pocket billing, Poor tour, Quick asked the doctor, Railway 12306, SegmentFault, Stocks open class, Telephone attribution assistant, The driver drops, The Kitchen, Three new board, Watercress reading, and WeChat 6.2.5.

Last week, security researchers from Alibaba found "at least 20" apps afflicted with the XcodeGhost malware package on various repositories. Palo Alto Networks confirmed the finding, noting that the malware is "located in a Mach-O object file that was repackaged into some versions of Xcode installers. These corrupted versions of Xcode were found on Baidu's cloud file sharing service for use by Chinese iOS/OS X developers.

XcodeGhost captures the time, infected app's name, the app's bundle identifier, the executing device's name and type. the user's language and country, the device's UUID, and network type -- little more than Google or Facebook collects now. This data is then sent to a command and control server, which is apparently collating the data. However, the collated data does little to directly facilitate an attack.

Due to some sluggish Internet speeds from international distributors in China, developers often turn to alternate sources or colleagues for large downloads -- Xcode is over 3GB. In this case, the modified version of Xcode acquired by otherwise legitimate developers implanted the code in the app, unbeknownst to the coding team. Baidu has since purged the malicious Xcode packages. Chinese security firm Qihoo360 claims to have found 344 apps infected with XcodeGhost on the app store, but has so far not named them.

"We've removed the apps from the App Store that we know have been created with this counterfeit software," Apple spokeswoman Christine Monaghan said in an statement to Reuters. "We are working with the developers to make sure they're using the proper version of Xcode to rebuild their apps."
( Last edited by NewsPoster; Oct 1, 2015 at 03:09 AM. )
     
lkrupp
Forum Regular
Join Date: May 2001
Location: Collinsville, IL, USA
Status: Offline
Reply With Quote
Sep 21, 2015, 09:12 AM
 
I wish these news reports would trumpet the fact that this lays at the feet of developers who downloaded the infected Xcode installer from a pirate site rather than Apple's official site.
     
Grendelmon
Senior User
Join Date: Dec 2007
Location: Too F'ing Cold, USA
Status: Offline
Reply With Quote
Sep 21, 2015, 09:14 AM
 
And there is apparently now way for any iOS user to identify if they have an infected application on their device. Apple better play its cards right to rectify this situation.

Hopefully iOS 9.0.x is coming out soon with an app purger?
     
Grendelmon
Senior User
Join Date: Dec 2007
Location: Too F'ing Cold, USA
Status: Offline
Reply With Quote
Sep 21, 2015, 09:24 AM
 
Originally Posted by Grendelmon View Post
Hopefully iOS 9.0.x is coming out soon with an app purger?
...as well as iOS 8/7/6.
     
unsean
Fresh-Faced Recruit
Join Date: Nov 2013
Status: Offline
Reply With Quote
Sep 21, 2015, 10:17 AM
 
@Grendelmon

"Apple better play its cards right to rectify this situation?"

What do you expect Apple to do (other than what they seem to be doing right now, that is)? Other than making Xcode somehow easier to download for individuals that have slow internet speeds, and purging the apps made from the tainted Xcode, they seem to be doing all they can.

In fact, I am not entirely sure that they should banish the makers of the apps with the compromised code because it seems that many of them had no idea that there was a problem (Sure, it goes without saying that they should not have downloaded Xcode from any source but Apple, but apparently they have bending this in the past, without an issue).


And as the article says, the data the criminals seem to be collecting is not unlike that which most of us give freely to Google and Facebook.

That's not justification for what's been done, though it also doesn't mean that it's time to throw the baby out with the bathwater, either.
     
Mike Wuerthele
Managing Editor
Join Date: Jul 2012
Status: Offline
Reply With Quote
Sep 21, 2015, 10:24 AM
 
Originally Posted by lkrupp View Post
I wish these news reports would trumpet the fact that this lays at the feet of developers who downloaded the infected Xcode installer from a pirate site rather than Apple's official site.
We did. There's far less FUD in this than in the mainstream media, which is having a field day with it.
     
FrankMtl
Fresh-Faced Recruit
Join Date: May 2002
Location: Canada
Status: Offline
Reply With Quote
Sep 21, 2015, 10:43 AM
 
Rovio has some damn explaining to do; such a huge enterprise too lazy to obtain Xcode form Apple?
     
Makosuke
Dedicated MacNNer
Join Date: Aug 2001
Location: California
Status: Offline
Reply With Quote
Sep 21, 2015, 10:48 AM
 
There are all kinds of issues with this.

One is simply how it got this far without Apple catching it. Unless these apps were *all* submitted before XcodeGhost was even known to exist (were they?) then Apple should have been scanning for its signature in anything submitted to the app store.

Two, has Apple already pushed a blacklist with all these apps on it? iOS is known to have an app blacklist feature, so they should have scanned recent submissions and remotely killed everything found infected immediately.

Third is the disturbing fact that hundreds of developers--including those who work for major companies--are apparently willing to run *development software* downloaded from a random 3rd party source. I don't care how slow your download is, if this is your day job that's just scary. That somebody built Angry Birds 2 with random Baidu downloads is the biggest indictment of Rovio as a company I've seen.

The mainstream press is, I'm sure, full of hyperbole and incorrect info about this whole mess and who to blame for it, but the fact is if you have a walled garden and somebody craps in it, you're the one who's going to take the heat for it. And the fact that this was innocuous doesn't mean anything--if an innocuous bug got through, so can a nasty one.
     
Grendelmon
Senior User
Join Date: Dec 2007
Location: Too F'ing Cold, USA
Status: Offline
Reply With Quote
Sep 21, 2015, 12:01 PM
 
Originally Posted by unsean View Post
@Grendelmon

"Apple better play its cards right to rectify this situation?"

What do you expect Apple to do (other than what they seem to be doing right now, that is)? Other than making Xcode somehow easier to download for individuals that have slow internet speeds, and purging the apps made from the tainted Xcode, they seem to be doing all they can..
I don't write apps for the App Store in Xcode, so I'm not familiar with how those source projects are set up.

But if they are including a counterfeit object library in the Xcode installer, it's Apple's responsibility to tighten the security of the installation. Perhaps Xcode should phone home back to the mother ship in order to get appropriate chksums for object library files, etc. I just don't use Xcode enough to understand how the IDE is set up or managed.
     
DiabloConQueso
Grizzled Veteran
Join Date: Jun 2008
Status: Offline
Reply With Quote
Sep 21, 2015, 12:04 PM
 
Angry Birds 2 is still alive and well on the App Store today -- could it be that it has already been "fixed" and re-submitted, or could it be that only the Angry Birds 2 app specific to the China App Store was pulled?
     
coffeetime
Grizzled Veteran
Join Date: Nov 2006
Status: Offline
Reply With Quote
Sep 21, 2015, 12:48 PM
 
Only the Angry Birds 2 in Chinese App Store are infected. XcodeGhost is the counterfeit version of Apple Xcode. Many Chinese developers use XcodeGhost to develop apps for the Chinese App Store market.

(source: http://9to5mac.com/2015/09/21/xcodeghost-infected-apps/)
     
Mike Wuerthele
Managing Editor
Join Date: Jul 2012
Status: Offline
Reply With Quote
Sep 21, 2015, 01:07 PM
 
Originally Posted by DiabloConQueso View Post
Angry Birds 2 is still alive and well on the App Store today -- could it be that it has already been "fixed" and re-submitted, or could it be that only the Angry Birds 2 app specific to the China App Store was pulled?
It was pulled worldwide for about four hours. It's back on the US store. Whether this means that the US version was always fine or not is unknown.

XcodeGhost refers to both the malware in the iOS code, as well as the infected Xcode. 9to5 does good work, but they're not quite correct in this case.

Source: Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store - Palo Alto Networks BlogPalo Alto Networks Blog (also linked in our story about it).
     
Grendelmon
Senior User
Join Date: Dec 2007
Location: Too F'ing Cold, USA
Status: Offline
Reply With Quote
Sep 21, 2015, 01:38 PM
 
Originally Posted by Grendelmon View Post
And there is apparently now way for any iOS user to identify if they have an infected application on their device.
From an InfoSec blog post: https://isc.sans.edu/forums/diary/De...ctivity/20171/

How to detect infected devices?

If you're an iPhone user:

-Check for HTTP traffic to http://init.icloud-analysis.com in your firewalls or proxies logs.
-Check for traffic to the IP addresses listed above.
-Remove the apps listed as malicious.
-Change passwords on websites used by the malicious applications.

If you're a developer:

-Check if the file Library/Frameworks/CoreServices.framework/CoreService exists in the Xcode SDK/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/.
-Always download resources from official locations and double-check the provided hashes (MD5/SHA1).
( Last edited by Grendelmon; Sep 22, 2015 at 08:19 AM. )
     
   
Thread Tools
 
Forum Links
Forum Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Top
Privacy Policy
All times are GMT -4. The time now is 01:19 AM.
All contents of these forums © 1995-2017 MacNN. All rights reserved.
Branding + Design: www.gesamtbild.com
vBulletin v.3.8.8 © 2000-2017, Jelsoft Enterprises Ltd.,