Developers who unknowingly used a malicious tool to code their programs uploaded hundreds of malware-infected apps to the iTunes App Store, according to multiple reports.
“Instead of trying to create a malicious app and get it approved in the App Store, XcodeGhost’s creator targeted Apple’s legitimate iOS-OS X app development tool, called ‘Xcode,’ to distribute the malicious code in legitimate apps,” he explained.
“These developers, unaware that their apps had been tampered with, then submitted those apps to the App Store for distribution to iOS devices,” Richardson told TechNewsWorld.
Since the discovery of XcodeGhost, Apple has been weeding its walled garden.
It has cleaned out all the known apps created with the counterfeit version of Xcode and is working with developers to make sure they use the right version of the software to rebuild their apps, according to multiple press reports.
Users are bombarded with warnings against downloading apps from questionable sources, so why did the developers choose to download Xcode from a place other than Apple? The answer to that question is convenience.
“The infected files could be downloaded in an hour,” he told TechNewsWorld.
Ease of access typically isn’t thought of as a security issue, but it may be time to start treating it as one.
“Everyone needs to seriously think about developer convenience as a security issue,” Richardson said.
“When there’s a hard and an easy way to get something, you need to assume that a large percentage of developers will take the easy option,” he noted. “Apple should consider providing easy access to all tools behind speedy connections globally to help prevent future issues like this.”
The malware XcodeGhost can do several things. It sends information about the app it has infected and the machine it’s running on to a server operated by its creators.
“They can be used to trick a user into giving up their credentials or cause some other harm,” Palo Alto’s Olson said.
Apple is known for keeping a tight ship when it comes to vetting apps for its ecosystem, so how did it miss these apps?
“That is likely to be an unpopular decision with the developer community, which wants to write open source tools to develop iOS apps and write Xcode plugins to speed up development,” Lookout’s Richardson said.
The research community has tagged as many as 800 XcodeGhost-infected apps, including WeChat, which has more than 400 million monthly users, Olson said.
WeChat has fixed the XcodeGhost flaw in the latest version of its app, 6.2.6, according to a Saturday blog post, and the WeChat Team urged users to upgrade.
Based on its preliminary investigation, there has been no theft of users’ information or money, the company said, but it will continue to monitor the situation closely.
Given the success of XcodeGhost as an attack approach, could it attract a wave of copycats in the future?
“I doubt that we’ll see an attack quite like this,” said Thomas Reed, director of Mac Offerings at Malwarebytes.
“This will teach developers not to rely on any version of Xcode other than the one that comes from Apple,” he told TechNewsWorld. “However, I can see malware getting on a developer’s system and infecting Xcode or some other tool in the same way.”