Inside XCodeGhost iOS threat: weaponising Apple’s application development software


The XCodeGhost iOS threat is back, and this time it’s serious; seriously stealthy. Oh, and it’s also no longer largely a Chinese problem. IT Security Thing investigates.

Earlier this year, XCodeGhost was behind the infiltration of the official Apple App Store by malware-infected iOS apps. At the time it was pretty much exclusively a problem for users in China; that has changed, with XCodeGhost now also hitting Western targets including the US. If that wasn’t bad enough news, the FireEye researchers who tracked the resurgence also reckon that a worrying variant called XCodeGhost S (the S standing for stealth) has managed to infect iOS 9 apps. So what is XCodeGhost/XCodeGhost S, how does it work and what should you do to avoid becoming a victim? IT Security Thing has been digging through the data to find out.

Before we deal with the ‘what is XCodeGhost’ question, we need to establish what XCode is. The answer is pretty straightforward: XCode is a free integrated development environment (IDE) that comes with a host of development tools that make developing apps for iOS (and OS X, for that matter) as easy as possible. If you want to know precisely what is included, then pop over to the Apple developer site for the full skinny on the latest version. What we are interested in, however, is a Trojanised version of the XCode IDE, which was made available for download through a popular Chinese cloud-based file-sharing service.


Now you might be asking yourself why any developer in their right mind would think of downloading the IDE they are going to use to create iPhone apps from anywhere other than Apple’s official site. It’s a pretty good question, and the answer highlights just how a lack of strategic security thinking can affect software from the earliest stages of the development process.

The answer is that the Baidu Yunpan service offered much faster download speeds than the official Apple download site, and developers were drawn to it for this reason. Unfortunately the Trojanised version of XCode, which has become known as XCodeGhost, was created specifically so that every app built with it would in turn be malicious, without the developers concerned having a clue. It is thought that as many as 4,000 such apps were developed and made available in the official App Store.

This isn’t the first time that the bad guys have thought to infect the compiler in order to deliver malware into unwitting software at the development stage, far from it, but it is the first time that Apple has fallen victim to such a threat process.

As the compiler is a trusted piece of the development picture, the malware was able to pass through undetected by the publisher. Because the publisher is a trusted source of safe software, the malware was able to infect non-jailbroken iPhones. It only takes one weak link to break this chain of trust, and in this case it was those impatient developers who took a shortcut to downloading the XCode IDE.

What XCodeGhost did was to scrape the system clipboard (so grabbing any passwords you may have been cutting and pasting from a password vault), phish for user credentials using established social engineering methods such as fake login box pop-ups, and open URLs at will within the iPhone web browser.

The latter is, of course, just as dangerous as the other payloads, as it could be used to serve up more malware as well as merely unwanted advertising. Even so, XCodeGhost was a fairly simple beast in the way it exploited the position of the apps it had got installed, and we should be grateful for that. Things could have been a lot worse if the threat actors had been more adventurous in their goals, targeting banking applications specifically for example.

This doesn’t mean to say that XCodeGhost could not evolve into something more serious given time, nor that the method of distributing the malware wasn’t clever. Here at IT Security Thing we are not totally convinced by the apparent apology, claiming to come from the authors of XCodeGhost, that was published on Twitter and which said it was an advertisement delivery mechanism experiment. Even if the tweet was genuine, an ad-server code test wouldn’t explain the stealthy nature of the thing and the potential for far more malicious deliveries.

As far as evolving, that’s pretty much what has happened despite the infected apps all being removed from the App Store (which was re-scanned by Apple for any further apps showing signs of infection) and the command-and-control servers apparently being taken offline by the XCodeGhost authors.

One assumes the latter might have been in response to the undoubted heat heading their way once the story broke. Whatever the reason for the control servers going down, and whoever was behind the original Trojanised IDE, it’s somewhat moot now anyway. XCodeGhost is back in action, with more than 200 enterprise-level users in the United States known to have been infected. FireEye researchers have tracked close to 30,000 connection attempts to new command-and-control servers, which are located mainly in Germany, with the remainder in the US itself.


If that wasn’t problematic enough, FireEye has also discovered an XCodeGhost variant that it has called XCodeGhost S, which carries the double whammy of being both stealthier than the original and able to Trojanise iOS 9 apps. Because this variant turns out to have been in use at the same time as the original, FireEye thinks it was almost certainly created by the authors of the original package. It may also be the case, although less likely we would imagine, that the original authors are responsible for the recent outbreak of US activity. Given that the control servers are located in Europe and the US, it’s more likely that another actor has grabbed the reins to chance their arm this time around.

XCodeGhost S is of particular concern as it has a number of stealth features built in, such as character concatenation, which enable it to get around the kind of static detection tools used by security researchers. Character concatenation, in case you were wondering, means the command-and-control domains are never present as a whole string in the binary: they are assembled character by character at runtime, so a simple search for the domain name finds nothing. FireEye has located two apps infected using XCodeGhost S, although it remains convinced there are more to be discovered out there; finding them is just more difficult and time consuming than finding apps compiled with the original XCodeGhost.

When it comes to mitigation, and although it seems a little lame to be saying so given the distribution method in this case, only apps from the official App Store should be used. Third-party app stores may not have replaced infected apps, nor done the relevant checks on any updated apps. At least now that Apple is aware of the problem, and given the damning publicity it has generated, you can be sure it will be doing everything possible to prevent any recurrence.

Not that it has managed that yet, as we have seen with the ability of XCodeGhost S compiled apps to get around the “NSAppTransportSecurity” restrictions in iOS 9, which by default only allow secure connections using specific ciphers. Because previous versions of XCodeGhost used plain http connections, they fell over under iOS 9 and couldn’t phone home. Unfortunately, because Apple allows developers to make an exception to the rule by setting “NSAllowsArbitraryLoads” within the app’s Info.plist, http connections can still be made from such apps.

According to FireEye, XCodeGhost S simply reads the setting of “NSAllowsArbitraryLoads” under the “NSAppTransportSecurity” entry in the app’s Info.plist and picks different CnC servers (http/https) based on this setting.
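The check below is an added example, not code from FireEye or from the article, showing how a defender can audit an app bundle’s Info.plist for the same ATS setting XCodeGhost S inspects. The two plist fragments are constructed samples (the bundle identifiers are placeholders); the per-domain `NSExceptionDomains` check goes slightly beyond the article, which only discusses the global `NSAllowsArbitraryLoads` flag.

```python
import plistlib

# Constructed sample: an app that opts out of App Transport Security entirely.
# With this flag set, cleartext http is permitted, so an http C2 is reachable.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key><string>com.example.weakapp</string>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key><true/>
    </dict>
</dict>
</plist>"""

# Constructed sample: the iOS 9 default, no ATS exceptions at all.
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key><string>com.example.hardenedapp</string>
</dict>
</plist>"""


def ats_allows_arbitrary_loads(info_plist: bytes) -> bool:
    """True if the plist disables ATS globally (cleartext http allowed)."""
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity", {})
    return bool(ats.get("NSAllowsArbitraryLoads", False))


def insecure_exception_domains(info_plist: bytes) -> list:
    """Domains with a per-domain cleartext exception (not covered in the article)."""
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity", {})
    domains = ats.get("NSExceptionDomains", {})
    return sorted(d for d, cfg in domains.items()
                  if cfg.get("NSExceptionAllowsInsecureHTTPLoads", False))


def audit(info_plist: bytes) -> dict:
    """Summarise the ATS posture and which C2 schemes it leaves reachable."""
    plist = plistlib.loads(info_plist)
    arbitrary = ats_allows_arbitrary_loads(info_plist)
    return {
        "bundle": plist.get("CFBundleIdentifier", "<unknown>"),
        "allows_arbitrary_loads": arbitrary,
        "insecure_exception_domains": insecure_exception_domains(info_plist),
        # Mirrors the behaviour the article attributes to XCodeGhost S.
        "reachable_c2_schemes": ["http", "https"] if arbitrary else ["https"],
    }


if __name__ == "__main__":
    for sample in (WEAK_PLIST, HARDENED_PLIST):
        print(audit(sample))
```

On a real device or bundle the same function can be fed the bytes of each app’s Info.plist; any result with `allows_arbitrary_loads` set is an app whose ATS protection has been switched off.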

FireEye recommends upgrading devices to the latest version of iOS 9 as soon as possible and it also notes that 70 per cent of the victims it found within the customer base investigated were running older iOS versions from 6.x.x up.

Enterprises could also block the XCodeGhost DNS queries on their networks, although this is really only a sticking-plaster fix; the real surgery needs to be done device by device, and app by app. Even then, we are not convinced this is enough, and in this case IT Security Thing actually recommends a factory reset, to be sure of a clean device, followed by reinstalling your apps from scratch, if you have any reason to suspect you may have downloaded a dodgy app. There’s a list of the most popular/common infected apps here, which might help, although the vast majority are of Chinese interest only.