For the first time, hundreds of legitimate apps sold in Apple’s App Store were infected with a malware that when installed and used, can compromise users’ credentials, among other nefarious activities. However, while the media continues to focus on this current malware bout, it’s what will follow that’s more concerning, experts warned.
In this case, the unknown attacker duped developers by inserting malicious code into Apple’s real Xcode or its free package of software tools for app creation. This attacker then posted the XcodeGhost-laced version on a Chinese cloud service, the link to which was purposely shared on various Chinese developer forums.
From there, the malware and Xcode spread. Developers, primarily in China, downloaded the counterfeit Xcode, not realizing it came packed with the attacker’s malicious code.
Notably, if the developers had gone directly through Apple, this malware wouldn’t have passed into the App Store. Why these developers used the unverified code when Apple’s toolkit is free could have to do with slow download times in China, said Ryan Olson, intelligence director at Palo Alto Networks in an interview with SCMagazine.com. People downloading from a U.S. server while in China, for example, could spend hours waiting for the download to complete, and they might be in a hurry.
“[The attacker] was smart about posting links to his versions on Chinese programming blogs,” Olson said. “It raised it pretty high in the search results.”
Among the impacted apps is WeChat, which has 100 million users outside China. This fact alone makes the malware and its infected apps a “serious issue,” said David Richardson, iOS security expert at Lookout, in emailed comments to SCMagazine.com.
“We actually believe the current reports are under playing this threat,” he wrote. “In almost all cases, these apps are in all App Stores, not just the Chinese one.”
But Thomas Reed, director of Mac offerings at Malwarebytes, countered in an interview with SCMagazine.com that except for WeChat, most impacted apps don’t affect Western users.
That said, it still is “by far, the largest compromise of the App Store ever,” he said.
And while XcodeGhost warrants discussion, current media might be overblowing the severity of this attack, he and others said. For the most part, all offending apps have been removed from the App Store and patched.
More worrisome are future attacks styled after this malware’s infection techniques. Going for an app developer might prove to be a lucrative and successful route to millions of iPhones and other Apple devices.
“This was a wakeup call for developers,” Olson said. “I hope that developers look at this and say that they’ll make sure [the devices they] develop on are more secure. I certainly expect there to be other attacks to get more apps in the App Store.”
As of right now, developers might be security conscious, Reed said, but he doubts anyone foresaw, in more than a theoretical sense, someone hacking Xcode to infect any app created.
It’s not just a problem for China; if developers’ devices or toolsets are purposely targeted, for example, all apps could be vulnerable. Malware could also specifically seek out Xcode on devices and infect it.
Apple has not yet responded to a request for comment but did tell Reuters all impacted apps were removed from the App Store, and it is working with developers to “make sure they’re using the proper version of Xcode to rebuild their apps.”
WeChat wrote in a blog post that it remediated its impacted app version.