Hackers embed malicious code in Apple apps from China

XcodeGhost, a counterfeit version of the popular developer tool Xcode, can be used to steal passwords and other sensitive information.

A man uses his iPhone to take a picture on September 19, as people crowd at a newly-opened Apple Store in Nanjing in east China's Jiangsu province. Apple has removed some applications from its App Store after developers in China were tricked into using software tools that added malicious code in an unusual security breach.

Using Chinese app developers, hackers have managed to skirt Apple's strict app-review process and spread malicious code to millions of iOS devices. 

The hackers used a novel approach to embed their malicious code, distributing a compromised, counterfeit version of Apple's Xcode tool, the software used by developers to make popular applications for Apple's mobile devices. WeChat, a messaging app popular in China and the Asia-Pacific region; Angry Birds 2, a wildly popular video game; and CamCard, a widely used business card scanner and manager available in China, the United States and other countries, are among the dozens of apps affected.

“. . . We believe XcodeGhost is a very harmful and dangerous malware that has bypassed Apple’s code review and made unprecedented attacks on the iOS ecosystem,” wrote cybersecurity company Palo Alto Networks on its blog.

Though it’s unclear whether the hackers have stolen any data, “The techniques used in this attack could be adopted by criminal and espionage-focused groups to gain access to iOS devices,” the firm wrote.

Apple says it has removed the infected apps from the App Store:

“To protect our customers, we’ve removed the apps from the App Store that we know have been created with this counterfeit software and we are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps,” the company said in a statement, according to the Wall Street Journal.

XcodeGhost is a counterfeit version of Apple’s Xcode, a package of software development tools used to create apps for devices like the iPhone, iPad and iPod touch. The counterfeit version has embedded malicious code in popular apps. It can prompt Apple device users to divulge their personal information to the hackers. It also is able to see people’s passwords if they’re stored in the clipboard, a tool used for copying and pasting.

Experts recommend that those who already have the apps on their devices should uninstall them, or update to a version that has removed the malware. They also recommend that those people change their iCould passwords, as the malicious code can display an iCloud password prompt on devices, tricking people to divulge their passwords to the hackers.

Chinese app developers unwittingly included the counterfeit code by downloading what they thought was Apple’s Xcode package from non-Apple sites, according to Palo Alto Networks, to avoid downloading the large files from Apple’s servers, which can take a long time in China.

“At present, we haven’t discovered any loss of user information or assets as a result of this [breach], though the WeChat team will continue to monitor and do tests,” wrote a representative of app developer Tencent in a note posted to the Chinese microblogging site Sina Weibo late Friday, reported the Journal.

Palo Alto Networks wrote on its blog that this is the sixth instance of malware making it through Apple screening, which is typically very strict.

of stories this month > Get unlimited stories
You've read  of  free articles. Subscribe to continue.

Unlimited digital access $11/month.

Get unlimited Monitor journalism.