In September 2015, the iOS malware XcodeGhost was discovered to have infiltrated Apple's tightly guarded App Store. Although Chinese researchers reported that more than 300 applications could be affected, Apple published a list of the 25 most popular applications shown to have been built with the malicious code. Included in that list is the popular messaging application WeChat.[1]

The malware was injected into tampered copies of Xcode, Apple's development environment for iOS and OS X, which itself runs on OS X. These tampered copies were distributed for download via third-party sites. China was hit hardest because developers there often face very long download times when fetching the legitimate Xcode from Apple's U.S.-based servers, which made locally mirrored copies attractive.[2] Developers who built their apps with a tampered Xcode unknowingly submitted malicious builds to Apple, and those builds were published in the App Store before the tampering was caught.
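The practical check for a developer is whether the installed Xcode is still the copy Apple signed. Gatekeeper's `spctl --assess --verbose` reports "accepted" with a source of Apple or the Mac App Store for a genuine install and something else for a modified bundle. The script below is an added example, not code from the original article or from Apple: it wraps that assessment in a function that can be unit-tested offline against constructed `spctl` output, then applies it to a live install. The install path `/Applications/Xcode.app` is assumed; the sample outputs are constructed for the test, not captured from a real machine.

```shell
#!/bin/sh
# Decide whether an Xcode install is trustworthy from the text that
# `spctl --assess --verbose <path>` prints. Returns 0 only when the
# assessment line ends in "accepted" AND the source is Apple or the
# Mac App Store; anything else (rejected, unknown source, empty output)
# is treated as a tampered or unverifiable install.
xcode_assessment_ok() {
    _out="$1"   # raw spctl output, two lines: "<path>: <verdict>" and "source=<origin>"
    printf '%s\n' "$_out" | grep -q ': accepted$' || return 1
    printf '%s\n' "$_out" | grep -Eq '^source=(Apple|Apple System|Mac App Store)$' || return 1
    return 0
}

# Live check for use on a Mac. The default path is an assumption; pass
# another path if Xcode is installed elsewhere. Prints a verdict and
# exits non-zero on anything that is not a clean Apple-signed bundle.
check_installed_xcode() {
    _app="${1:-/Applications/Xcode.app}"
    # spctl exits non-zero for rejected bundles; capture output either way.
    _out=$(spctl --assess --verbose "$_app" 2>&1) || true
    if xcode_assessment_ok "$_out"; then
        printf 'OK: %s is Apple-signed and unmodified\n' "$_app"
        return 0
    fi
    printf 'WARNING: %s failed Gatekeeper assessment:\n%s\n' "$_app" "$_out"
    printf 'Delete it and re-download Xcode from Apple.\n'
    return 1
}

# Uncomment to run against the local install:
# check_installed_xcode "$@"
```

Because a rejected bundle makes `spctl` exit non-zero, the live wrapper deliberately ignores its exit status and judges only the printed verdict and source; a blank or truncated output therefore fails closed rather than passing.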

What Can It Do?

In the tampered versions of Xcode, the CoreServices framework shipped with the toolchain was modified, so the malicious code was linked into every application built with that copy and ran whenever the application ran. Infected applications collected basic information: application name, version number, system version, language, country name, developer, app installation time, device name, and device type.

The collected data is then transmitted to a command and control (C2) server, where it can be used for any number of purposes. Initial reporting suggested that the C2 could also issue commands to the infected application: opening a web browser to a chosen URL, or displaying a fake login screen mimicking a previously installed application to prompt the user for a username and password, which would then be harvested and sent to the C2. Apple has reported that there have been no examples of this scenario to date.[2]

References:

[1] https://for585.com/6v-qg (MacRumors.com list of XcodeGhost compromised apps)

[2] https://for585.com/c2ytd (Trend Micro article on XcodeGhost)