Thousands of iOS apps infected by XcodeGhost

23.09.2015
The impact of iOS app developers unknowingly using a rogue version of the Xcode development tool is turning out to be greater than initially thought: early reports listed just 39 apps that had been trojanized with the tool, but security researchers have since identified thousands more.

On Friday, security research firm Palo Alto Networks reported that 39 apps found in the App Store had been compromised after their developers -- most of them located in China -- used a rogue version of Xcode that had been distributed on forums. Xcode is a development tool for iOS and OS X apps provided by Apple.

The malicious Xcode version, which has been dubbed XcodeGhost by security researchers, added hidden functionality to any application compiled with it. Those apps were then uploaded by unknowing developers to the official App Store, bypassing one of the main malware defenses of the iOS ecosystem.

On Tuesday, mobile security firm Appthority reported that it had found 476 apps infected by XcodeGhost among those used by its enterprise customers.

"We had a closer look at the data and were able to track the start of the infection to April 2015 with a significant uptick in infections over this last month of September," the company's research team said in a blog post.

The hidden code added by XcodeGhost to applications collects identifying information about devices they're installed on and can open URLs. The rogue tool's creators could have added more harmful functionality, but they apparently chose not to, at least for now.

"Given our risk analysis results of infected apps regarding their actual behavior, we feel that 'AdWare' might be a more appropriate classification rather than malicious 'malware'," the Appthority researchers said,

Also Tuesday, researchers from security firm FireEye revealed that the real number of iOS apps trojanized by XcodeGhost is not in the tens or hundreds, but in the thousands. The company has identified over 4,000 infected apps so far on the App Store.

While the command-and-control servers used by XcodeGhost have been taken down, the malicious apps still try to connect to them using unencrypted HTTP connections, the FireEye researchers said in a blog post. Such HTTP sessions are vulnerable to hijacking by other attackers, it said.

Since security companies keep identifying more infected apps, it's hard for users to keep track of them manually or even to rely on a single product to detect them. All they can do is hope that Apple is working to remove the apps from the App Store and notify users.

Lucian Constantin