Security vendor FireEye has found “210 enterprises with XcodeGhost-infected applications running inside their networks, generating more than 28,000 attempts to connect to the XcodeGhost Command and Control (CnC) servers”.
XcodeGhost was first seen when app developers in China used compromised versions of Xcode to create apps. They did this as access to the official versions published by Apple was difficult given China’s tight restrictions on internet use. Consequently, Chinese developers used pirated versions of the free developer tools that were distributed within China. Unfortunately, malware was injected into the pirated versions of Xcode.
When XcodeGhost first appeared, Apple was quick to remove infected apps from the App Store.
FireEye’s analysis reveals some interesting insights:
- There is no single target industry; the 210 companies found with infected apps (the figure FireEye reports) span many different industries.
- Some devices are still running iOS 6, and 70 percent of infected devices run iOS 8 or older.
- Older, infected versions of WeChat and Music 163 are the main source of infection as users have not updated the apps to the most recent ‘clean’ versions that are available in the App Store.
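The two findings a defender can act on here are the CnC connection attempts FireEye counted on enterprise networks and the outdated app versions that are still carrying the malware. The following added example (not FireEye's tooling or code from the original article) shows both checks over constructed data: it tallies proxy-log requests per client host to a set of placeholder CnC domains, and it flags devices whose inventory lists an affected app below a "clean" baseline version. The domains, the baseline versions, the log format and the inventory entries are all assumptions made up for the example; the real XcodeGhost CnC hosts and fixed app versions are not given on this page.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Placeholder domains standing in for the XcodeGhost CnC hosts (constructed; not on the page).
CNC_DOMAINS = {"xg-cnc-placeholder.example", "xg-cnc2-placeholder.example"}

# Constructed minimum "clean" versions for the apps the article names as infection sources.
# The real fixed-version numbers are not on this page; these values are illustrative only.
MIN_CLEAN_VERSION = {
    "WeChat": "7.0.0",
    "Music 163": "3.0.0",
}

# Assumed proxy log layout: "<timestamp> <client-ip> <method> <url> <status>" (constructed).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def is_cnc_host(host: str) -> bool:
    """True if host is a listed CnC domain or a subdomain of one (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CNC_DOMAINS)


def scan_proxy_log(lines):
    """Return {client_ip: number_of_cnc_requests}; lines that do not parse are skipped."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = urlsplit(m["url"]).hostname
        if host and is_cnc_host(host):
            hits[m["client"]] += 1
    return dict(hits)


def parse_version(v: str, width: int = 3) -> tuple:
    """Turn '6.2' into (6, 2, 0) so that versions of different lengths compare correctly."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (width - len(parts)))[:width]


def outdated_apps(inventory):
    """inventory: iterable of (device_id, app_name, version). Returns the entries whose
    app is in MIN_CLEAN_VERSION and whose version is below the clean baseline."""
    flagged = []
    for device, app, version in inventory:
        baseline = MIN_CLEAN_VERSION.get(app)
        if baseline and parse_version(version) < parse_version(baseline):
            flagged.append((device, app, version))
    return flagged


# Constructed sample data: two clients beacon to placeholder CnC hosts, one line is garbage.
SAMPLE_PROXY_LOG = [
    "2015-11-03T09:12:41Z 10.0.5.21 GET http://xg-cnc-placeholder.example/init 200",
    "2015-11-03T09:12:44Z 10.0.5.21 POST http://xg-cnc-placeholder.example/report 200",
    "2015-11-03T09:13:02Z 10.0.5.40 GET http://cdn.legit-example.com/asset.png 200",
    "2015-11-03T09:13:10Z 10.0.7.8 GET http://api.xg-cnc2-placeholder.example/init 503",
    "garbage line that does not parse",
]

# Constructed MDM-style inventory: (device id, app, installed version).
SAMPLE_INVENTORY = [
    ("ipad-0021", "WeChat", "6.1.0"),
    ("iphone-0107", "WeChat", "7.1.0"),
    ("iphone-0119", "Music 163", "2.9"),
    ("iphone-0119", "Safari", "9.0"),
]

if __name__ == "__main__":
    for client, count in sorted(scan_proxy_log(SAMPLE_PROXY_LOG).items()):
        print(f"{client}: {count} CnC connection attempt(s)")
    for device, app, version in outdated_apps(SAMPLE_INVENTORY):
        print(f"{device}: {app} {version} is below the clean baseline, update required")
```

The host match is done on the URL's hostname rather than by substring search over the raw line, so a lookalike such as `xg-cnc-placeholder.example.evil.com` is not counted and a subdomain of a listed CnC domain is. Swapping the placeholder sets for a real indicator list and pointing the script at exported proxy and MDM data is all that is needed to reproduce the two counts the article reports.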
The research also found a new variant, which FireEye has dubbed XcodeGhost S, created specifically to target iOS 9 devices. iOS 9 introduced a security measure that blocked infected apps from reaching their CnC servers; the updated malware uses a workaround for it.
What can you do?
For the majority of iOS users, XcodeGhost and XcodeGhost S should not be a significant issue. But with infected versions of Xcode in the wild, it may be possible for more infected apps to sneak under Apple’s guard and make it into the App Store.
Keeping your iOS devices up to date with the latest software updates from Apple and the latest app versions from the App Store is a strong first step. Also avoid side-loading apps (which is tricky to do anyway unless you have jail-broken your device).