Hackers embed malicious code in Apple apps from China

XcodeGhost, a counterfeit version of the popular developer tool Xcode, can be used to steal passwords and other sensitive information.

Chinatopix/AP
A man uses his iPhone to take a picture on September 19, as people crowd at a newly-opened Apple Store in Nanjing in east China's Jiangsu province. Apple has removed some applications from its App Store after developers in China were tricked into using software tools that added malicious code in an unusual security breach.

Using Chinese app developers, hackers have managed to skirt Apple's strict app-review process and spread malicious code to millions of iOS devices. 

The hackers used a novel approach to embed their malicious code, distributing a compromised, counterfeit version of Apple's Xcode tool, the software used by developers to make popular applications for Apple's mobile devices. WeChat, a messaging app popular in China and the Asia-Pacific region; Angry Birds 2, a wildly popular video game; and CamCard, a widely used business card scanner and manager available in China, the United States and other countries, are among the dozens of apps affected.

“. . . We believe XcodeGhost is a very harmful and dangerous malware that has bypassed Apple’s code review and made unprecedented attacks on the iOS ecosystem,” wrote cybersecurity company Palo Alto Networks on its blog.

Though it’s unclear whether the hackers have stolen any data, “The techniques used in this attack could be adopted by criminal and espionage-focused groups to gain access to iOS devices,” the firm wrote.

Apple says it has removed the infected apps from the App Store:

“To protect our customers, we’ve removed the apps from the App Store that we know have been created with this counterfeit software and we are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps,” the company said in a statement, according to the Wall Street Journal.

XcodeGhost is a counterfeit version of Apple’s Xcode, a package of software development tools used to create apps for devices like the iPhone, iPad and iPod touch. The counterfeit version has embedded malicious code in popular apps. It can prompt Apple device users to divulge their personal information to the hackers. It also is able to see people’s passwords if they’re stored in the clipboard, a tool used for copying and pasting.

Experts recommend that those who already have the affected apps on their devices uninstall them, or update to a version from which the malware has been removed. They also recommend that those users change their iCloud passwords, because the malicious code can display a fake iCloud password prompt on the device, tricking people into divulging their passwords to the hackers.

According to Palo Alto Networks, Chinese app developers unwittingly included the malicious code by downloading what they thought was Apple’s Xcode package from non-Apple sites, in order to avoid fetching the large files from Apple’s servers, which can take a long time in China.
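The defensive check that follows from this paragraph is to confirm that a locally installed Xcode is the one Apple signed before building anything with it. The script below is an added example and is not code from the article, from Apple or from Palo Alto Networks; it assumes a macOS host with the standard `codesign` and `spctl` tools, and the bundle path `/Applications/Xcode.app` is an assumed default that can be overridden with an argument.

```shell
# Added example (not from the article): verify that an installed Xcode bundle
# is genuine and Apple-signed before using it to build apps.
# Assumes macOS with `codesign` and `spctl` present; the bundle path is an
# assumption passed as the first argument (default: /Applications/Xcode.app).
#
# Return codes:
#   0  bundle passes both the code-signature check and Gatekeeper assessment
#   1  a check failed; treat the install as untrusted and re-download from Apple
#   2  the path does not look like an app bundle
#   3  the macOS verification tools are not available on this host
verify_xcode_bundle() {
    bundle="${1:-/Applications/Xcode.app}"

    # A genuine .app bundle always carries Contents/Info.plist.
    if [ ! -f "$bundle/Contents/Info.plist" ]; then
        echo "not an app bundle: $bundle" >&2
        return 2
    fi

    if ! command -v codesign >/dev/null 2>&1 || ! command -v spctl >/dev/null 2>&1; then
        echo "codesign/spctl not found; run this on macOS" >&2
        return 3
    fi

    # 1. Every file in the bundle must match the signature Apple shipped;
    #    a repackaged Xcode with added or altered files fails --deep --strict.
    if ! codesign --verify --deep --strict "$bundle" 2>&1; then
        echo "FAIL: code signature does not verify for $bundle" >&2
        return 1
    fi

    # 2. Gatekeeper must accept the bundle and attribute it to Apple
    #    (source=Mac App Store or source=Apple), not an ad-hoc or unknown signer.
    assessment=$(spctl --assess --verbose --type execute "$bundle" 2>&1)
    case "$assessment" in
        *accepted*"source=Mac App Store"*|*accepted*"source=Apple"*)
            echo "OK: $bundle is signed and trusted by Gatekeeper"
            return 0 ;;
        *)
            echo "FAIL: unexpected Gatekeeper assessment: $assessment" >&2
            return 1 ;;
    esac
}

# Usage when run directly on a Mac:
#   verify_xcode_bundle /Applications/Xcode.app
```

The deep signature check walks every file in the bundle, so it can take several minutes on a full Xcode install; a counterfeit build that injects extra object files into the toolchain, as the article describes, fails step 1 because those files are not covered by Apple's signature. Step 2 adds Gatekeeper's view of who signed the bundle, so a copy that has been re-signed with a non-Apple identity is also rejected.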

“At present, we haven’t discovered any loss of user information or assets as a result of this [breach], though the WeChat team will continue to monitor and do tests,” wrote a representative of app developer Tencent in a note posted to the Chinese microblogging site Sina Weibo late Friday, reported the Journal.

Palo Alto Networks wrote on its blog that this is the sixth instance of malware making it through Apple screening, which is typically very strict.
