Developers who unknowingly used counterfeit versions of Xcode have served as mules, shipping malware into the apps they submitted to the App Store. Although their apps were not written as malware, the trojanised toolchain, dubbed XcodeGhost, injects malicious code into otherwise legitimate apps when they are compiled.
The malicious version of Xcode was uploaded to Chinese cloud file sharing service Baidu and downloaded by some iOS developers in China. Apparently, this was done as some developers find accessing Apple’s official servers too slow from within China. The developers, mainly operating from China and distributing apps for the Chinese market, compiled iOS apps using the modified Xcode IDE and distributed those infected apps through the App Store.
The apps passed through Apple’s code review process.
One high-profile app, WeChat, was infected, and some reports suggest over 200 apps were affected. Apple has declined to disclose how many apps were infected, although it says the infected apps have now been removed.
Palo Alto Networks has published what it says is a full list of the infected apps. It has also detailed what data the infected apps collect and what the apps can do:
• Prompt a fake alert dialog to phish user credentials;
• Hijack opening specific URLs based on their scheme, which could allow for exploitation of vulnerabilities in the iOS system or other iOS apps;
• Read and write data in the user’s clipboard, which could be used to read the user’s password if that password is copied from a password management tool.
WeChat’s developers have published a blog post explaining that only WeChat v6.2.5 for iOS is affected.
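Because the infection entered through Xcode copies fetched from Baidu rather than from Apple, the practical check for a developer is whether the installed Xcode bundle still carries Apple's own code signature. The following shell script is an added example, not part of the original article or of any Apple tooling; it assumes a macOS host where `spctl` (Gatekeeper's assessment tool) is available, and it separates the output-parsing step from the live check so the parsing can be exercised anywhere.

```shell
#!/bin/sh
# Added example (not from the original article). Checks that an Xcode bundle
# passes Gatekeeper assessment and is attributed to Apple, which a copy
# redistributed through a third-party file-sharing service would fail.
# Assumes macOS with spctl; the parsing helper itself runs on any POSIX sh.

# Returns 0 when the captured "spctl --assess --verbose" output shows an
# accepted bundle whose source is Apple or the Mac App Store, else 1.
# $1: the full spctl output (path, verdict and "source=..." line).
spctl_output_is_trusted() {
    case "$1" in
        *accepted*source=Apple*) return 0 ;;
        *accepted*source=Mac\ App\ Store*) return 0 ;;
        *) return 1 ;;
    esac
}

# Runs the live Gatekeeper assessment on a bundle path (macOS only) and
# reports the verdict. Returns 0 for a trusted, Apple-signed bundle.
check_xcode_signature() {
    path="${1:-/Applications/Xcode.app}"
    # spctl exits non-zero for rejected bundles; keep its output either way.
    out="$(spctl --assess --verbose "$path" 2>&1)" || true
    if spctl_output_is_trusted "$out"; then
        echo "OK: $path passed Gatekeeper assessment"
        echo "$out"
        return 0
    fi
    echo "WARNING: $path did not pass as an Apple-signed bundle; reinstall from Apple"
    echo "$out"
    return 1
}

# Usage on a developer Mac:
#   check_xcode_signature /Applications/Xcode.app
```

Any verdict other than "accepted" with an Apple or Mac App Store source means the bundle should be discarded and reinstalled from Apple's own distribution channel.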