Thousands of iOS Apps under Threat from XcodeGhost

There were reports that iOS app developers had inadvertently been using a rogue version of the Xcode development tool.

According to researchers from FireEye, more than 4,000 apps on the App Store carried Trojans. XcodeGhost spread fast and wide and infected apps such as those used in iTunes.

The initial reports gave a comforting figure of just 39 trojanized apps. However, after looking deeper into the XcodeGhost threat, security researchers found that thousands upon thousands of apps were in fact infected.

Apps are developed and then uploaded to the App Store. Palo Alto, a security research firm, discovered that 39 App Store apps, mainly developed in China, were compromised. The malware in these apps came from a rogue version of Xcode that had been obtained through forums. Xcode is the tool Apple provides for developing iOS and OS X software.

The rogue XcodeGhost code added hidden functionality to an app. Security researchers say that these trojanized apps were then uploaded to the App Store by the unsuspecting developers. This means that the apps bypassed the key malware defenses for the development of iOS apps and systems.

According to Appthority, a mobile security firm, close to 500 apps used by its enterprise customers were infected by XcodeGhost. The company traced the start of the infection to April 2015. According to the company's research report, released on Tuesday, the number of infections increased over the months following April.

Security researchers say XcodeGhost does a variety of frightening things, such as collecting identifying information about the device an infected app is installed on and opening URLs. Security experts acknowledge that the creators of this malware could have added more damaging capabilities to it, but they didn't.

Appthority researchers suggested that, considering the risks involved and the specific way it behaved, it would be more appropriate to classify XcodeGhost as adware rather than as malware.

On the same day Appthority made its announcement, FireEye announced that, contrary to what was previously thought, XcodeGhost had infected not hundreds of apps but thousands. The company had already identified over 4,000 infected apps.

The XcodeGhost command-and-control servers have since been taken down. However, the infected apps are still seen trying to connect to those servers over unencrypted HTTP connections. FireEye researchers added that such HTTP sessions are prone to being taken over by other attackers.