XcodeGhost

{{Short description|Malware version of Apple's Xcode IDE}}

XcodeGhost (and its variant XcodeGhost S) are modified versions of Apple's Xcode development environment that are considered malware.{{Cite news | title = Apple scrambles after 40 malicious "XcodeGhost" apps haunt App Store | author = Dan Goodin | work = Ars Technica | date = September 21, 2015 | access-date = 2015-11-05 | url = https://arstechnica.com/security/2015/09/apple-scrambles-after-40-malicious-xcodeghost-apps-haunt-app-store/ }} The software first gained widespread attention in September 2015, when a number of apps originating from China were found to harbor the malicious code.{{Cite news | title = What You Need to Know About iOS Malware XcodeGhost | author = Joe Rossignol | work = macrumors.com | date = September 20, 2015 | access-date = 2015-11-05 | url = http://www.macrumors.com/2015/09/20/xcodeghost-chinese-malware-faq/ }} It was thought to be the "first large-scale attack on Apple's App Store", according to the BBC. The problems were first identified by researchers at Alibaba, a leading e-commerce firm in China.{{Cite news|url=https://www.bbc.co.uk/news/technology-34311203|title=Apple's App Store infected with XcodeGhost malware in China|date=2015-09-21|newspaper=BBC News|language=en-GB|access-date=2016-09-22}} Over 4000 apps were infected, according to FireEye, far more than the 25 initially acknowledged by Apple,{{cite web |title=Protecting Our Customers from XcodeGhost |url=https://www.fireeye.com/blog/executive-perspective/2015/09/protecting_our_custo.html |website=FireEye |access-date=9 November 2021 |language=en}} including apps from authors outside China.

Security firm Palo Alto Networks surmised that because network speeds were slower in China, developers in the country looked for local copies of the Apple Xcode development environment and encountered altered versions that had been posted on domestic web sites. This opened the door for the malware to be inserted into high-profile apps used on iOS devices.{{Cite web | title = Apple removes malware-infected App Store apps after major security breach | last = Byford | first = Sam | work = The Verge | date = September 20, 2015| access-date = 2015-11-05 | url = https://www.theverge.com/2015/9/20/9362585/xcodeghost-malware-app-store-security }}{{Cite magazine | title = Apple App Store hack: XcodeGhost attack strikes China (Wired UK) | author = James Temperton | magazine = Wired UK | date = September 21, 2015 | access-date = 2015-11-05 | url = https://www.wired.co.uk/news/archive/2015-09/21/xcode-apple-app-store-hack }}

Even two months after the initial reports, security firm FireEye reported that hundreds of enterprises were still using infected apps and that XcodeGhost remained "a persistent security risk".{{Cite web | title = Many US enterprises still running XcodeGhost-infected Apple apps, FireEye says | last = Kirk | first = Jeremy | work = InfoWorld | date = November 4, 2015 | access-date = 2015-11-05 | url = http://www.infoworld.com/article/3000921/malware/many-us-enterprises-still-running-xcodeghost-infected-apple-apps-fireeye-says.html }}{{Cite web | title = A modified version of XcodeGhost remains a threat as compromised apps found in 210 enterprises | author = Ben Lovejoy | work = 9to5Mac | date = November 4, 2015 | access-date = 2015-11-05 | url = http://9to5mac.com/2015/11/04/xcodeghost-s-ios-malware/ }} The firm also identified a new variant of the malware and dubbed it XcodeGhost S; among the apps that were infected were the popular messaging app WeChat and a Netease app Music 163.{{Cite web |title = XcodeGhost S: A New Breed Hits the US|author1=Yong Kang |author2=Zhaofeng Chen |author3=Raymond Wei |work = FireEye|date = 3 November 2015|access-date = 2015-11-05|url = https://www.fireeye.com/blog/threat-research/2015/11/xcodeghost_s_a_new.html|quote = XcodeGhost S: A New Breed Hits the US}}

Discovery

On September 16, 2015, a Chinese iOS developer mentioned{{Cite web|url = http://weibo.com/1650375593/CAV5fqdo3|title = First mention of XcodeGhost on SinaWeibo|date = September 17, 2015|access-date = 2015-11-11|website = Sina Weibo}} on the social network Sina Weibo that malware in Xcode was injecting third-party code into apps compiled with it.

Alibaba researchers then published{{Cite web|title = Xcode编译器里有鬼 – XcodeGhost样本分析-安全漏洞-安全研究-阿里聚安全|url = http://jaq.alibaba.com/blog.htm?id=82|website = jaq.alibaba.com|access-date = 2015-11-11|archive-date = 2016-04-19|archive-url = https://web.archive.org/web/20160419061147/http://jaq.alibaba.com/blog.htm?id=82|url-status = dead}} detailed information on the malware and called it XcodeGhost.

On September 17, 2015, Palo Alto Networks published several reports on the malware.{{Cite web|title = Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store - Palo Alto Networks Blog|url = http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/|website = Palo Alto Networks Blog|access-date = 2015-11-11|last = Claud Xiao|date = September 17, 2015}}{{Cite web|title = Malware XcodeGhost Infects 39 iOS Apps, Including WeChat, Affecting Hundreds of Millions of Users - Palo Alto Networks Blog|url = http://researchcenter.paloaltonetworks.com/2015/09/malware-xcodeghost-infects-39-ios-apps-including-wechat-affecting-hundreds-of-millions-of-users/|website = Palo Alto Networks Blog|access-date = 2015-11-11|date = September 18, 2015|last = Claud Xiao}}{{Cite web|title = Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps - Palo Alto Networks Blog|url = http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/|website = Palo Alto Networks Blog|access-date = 2015-11-11|date = September 18, 2015|last = Claud Xiao}}{{Cite web|title = More Details on the XcodeGhost Malware and Affected iOS Apps - Palo Alto Networks Blog|url = http://researchcenter.paloaltonetworks.com/2015/09/more-details-on-the-xcodeghost-malware-and-affected-ios-apps/|website = Palo Alto Networks Blog|access-date = 2015-11-11|date = September 21, 2015|last = Claud Xiao}}

Operation

= Propagation =

Because of the slow download speed from Apple servers, Chinese iOS developers would download Xcode from third-party websites, such as Baidu Yun (now called Baidu WangPan), a cloud storage service hosted by Baidu, or get copies from co-workers. Attackers took advantage of this situation by distributing compromised versions on such file hosting websites.{{Cite web|title = Hackers Sneak Malware Into Apple App Store 'To Steal iCloud Passwords'|url = https://www.forbes.com/sites/thomasbrewster/2015/09/18/xcodeghost-malware-wants-your-icloud/|website = Forbes|access-date = 2015-11-11|date = September 18, 2015|last = Thomas Fox-Brewster}}

Palo Alto Networks suspects that the malware was available in March 2015.

= Attack vector =

== Origins ==

[[File:Strawhorse.png|thumb|"Strawhorse: Attacking the MacOS and iOS Software Development Kit".]]

The attacker used a compiler backdoor attack; the novelty of this attack lies in modifying the Xcode compiler itself. According to documents leaked by Edward Snowden, CIA security researchers from Sandia National Laboratories claimed that they "had created a modified version of Apple’s proprietary software development tool, Xcode, which could sneak surveillance backdoors into any apps or programs created using the tool."{{Cite web|title = The CIA Campaign to Steal Apple's Secrets|url = https://theintercept.com/2015/03/10/ispy-cia-campaign-steal-apples-secrets/|website = The Intercept|access-date = 2015-11-11|author1=Jeremy Scahill |author2=Josh Begley |date = March 10, 2015}}

== Modified files ==

Known versions of XcodeGhost add extra files to the original Xcode application:

  • Core service framework on iOS, iOS simulator and macOS platforms
  • IDEBundleInjection framework added on iOS, iOS simulator and macOS platforms

XcodeGhost also modified the linker so that the malicious files are linked into the compiled app. This step appears in the compile log but is not shown in the Xcode IDE.

Both iOS and macOS apps are vulnerable to XcodeGhost.

== Deployment ==

XcodeGhost compromised the CoreServices layer, which contains heavily used features and frameworks relied on by apps.{{Cite web|title = Core Services Layer|url = https://developer.apple.com/library/ios/documentation/Miscellaneous/Conceptual/iPhoneOSTechOverview/CoreServicesLayer/CoreServicesLayer.html|website = developer.apple.com|access-date = 2015-11-11}} When a developer compiles their application with a compromised version of Xcode, the malicious CoreServices are automatically integrated into the app without the developer's knowledge.

The malicious files then add extra code to the UIWindow and UIDevice classes. The UIWindow class is "an object that manages and coordinates the views an app displays on a device screen".{{Cite web|title = UIWindow Class Reference|url = https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWindow_Class/|website = developer.apple.com|access-date = 2015-11-11}}

The UIDevice class provides a singleton instance representing the current device. From this instance the attacker can obtain information about the device such as assigned name, device model, and operating-system name and version.{{Cite web|title = UIDevice Class Reference|url = https://developer.apple.com/library/prerelease/ios/documentation/UIKit/Reference/UIDevice_Class/|website = developer.apple.com|access-date = 2015-11-11}}

= Behavior on infected devices =

== Remote control security risks ==

XcodeGhost can be remotely controlled via commands sent by an attacker from a command and control server over HTTP. This data is encrypted using the DES algorithm in ECB mode. Not only is this encryption mode known to be weak, but the encryption keys can also be recovered by reverse engineering. An attacker could therefore perform a man-in-the-middle attack and transmit fake HTTP traffic to the device (for example, to open a dialog box or open a specific app).

== Stealing user device information ==

When the infected app is launched, either on an iPhone or in the simulator inside Xcode, XcodeGhost will automatically collect device information such as:

  • Current time
  • Current infected app's name
  • The app's bundle identifier
  • Current device's name and type
  • Current system's language and country
  • Current device's UUID
  • Network type

The malware then encrypts this data and sends it to a command and control server. The server differs from version to version of XcodeGhost; Palo Alto Networks was able to find three server URLs:

  • http://init.crash-analytics.com
  • http://init.icloud-diagnostics.com
  • http://init.icloud-analysis.com

The last domain was also used in the iOS malware KeyRaider.

== Read and write from clipboard ==

XcodeGhost is also able, each time an infected app is launched, to read the data stored on the iOS clipboard. The malware can also modify this data. This can be particularly dangerous if the user uses a password management app.

== Hijack opening specific URLs ==

XcodeGhost is also able to open specific URLs when the infected app is launched. Since Apple iOS and macOS support an inter-app communication mechanism based on URL schemes{{Cite web|title = Inter-App Communication|url = https://developer.apple.com/library/ios/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/Inter-AppCommunication/Inter-AppCommunication.html|website = developer.apple.com|access-date = 2015-11-11}} (e.g. 'whatsapp://', 'Facebook://', 'iTunes://'), the attacker can open any app installed on the compromised phone, or on the computer in the case of an infected macOS application. Such a mechanism could be harmful in combination with password management apps or phishing websites.

= Infected apps =

Among Chinese apps, instant messaging apps, banking apps, mobile carrier apps, maps, stock trading apps, social networking apps and games were infected. Popular apps used all over the world were also infected, such as WeChat, a popular instant messaging app; CamScanner, an app for scanning documents with the smartphone camera; and WinZip.

Pangu Team claimed that they counted 3,418 infected apps.{{Cite web|url = http://weibo.com/5180829008/CBzXU2nxQ?from=page_1005055180829008_profile&wvr=6&mod=weibotime&type=comment|title = Pangu Team on Weibo|date = September 21, 2015|access-date = 2015-11-11}}

Fox-IT, a Netherlands-based security company, reported that it found thousands of instances of malicious traffic outside China.{{Cite web|url = https://www.fox-it.com/en/in-the-media/combined-research-fox-palo-alto-networks-revealed-popular-apps-infected-malware/|title = Combined research Fox-IT and Palo Alto Networks revealed popular apps infected with malware|date = September 18, 2015|access-date = 2015-11-11|website = Fox-it|url-status=dead|archive-url=https://web.archive.org/web/20160812123131/https://www.fox-it.com/en/in-the-media/combined-research-fox-palo-alto-networks-revealed-popular-apps-infected-malware/|archive-date=2016-08-12}}{{cite web |last1=Thomas |first1=Brewster |title=Hackers Sneak Malware Into Apple App Store 'To Steal iCloud Passwords' |website=Forbes |url=https://www.forbes.com/sites/thomasbrewster/2015/09/18/xcodeghost-malware-wants-your-icloud/ |archive-url=https://web.archive.org/web/20161125150627/https://www.forbes.com/sites/thomasbrewster/2015/09/18/xcodeghost-malware-wants-your-icloud/ |archive-date=Nov 25, 2016 |date=Sep 18, 2015 |url-status=live}}

Removal

= Neutralizing command and control servers and compromised versions of Xcode =

Following the reports by Alibaba and Palo Alto Networks, Amazon took down all the servers that were used by XcodeGhost. Baidu also removed all malicious Xcode installers from its cloud storage service.

= Removing malicious apps from the App Store =

On September 18, 2015, Apple acknowledged the existence of the malware and began asking all developers with compromised apps to recompile their apps with a clean version of Xcode before submitting them for review again.

Pangu Team released a tool{{Cite web|title = Xcode病毒检测, XcodeGhost病毒检测 - 盘古越狱|url = http://x.pangu.io/?url_type=39&object_type=webpage&pos=1|website = x.pangu.io|access-date = 2015-11-11}} to detect infected apps on a device, but like other antivirus apps, it will not run on a device that has not been jailbroken. Apple does not allow antivirus apps into the iOS App Store.{{Cite news|url=http://www.macworld.co.uk/feature/iosapps/is-ipad-iphone-ios-safe-xcodeghost-what-security-software-need-3453938/#antivirus|title=Why the iOS app XcodeGhost exploit shouldn't concern you|last=Haslam|first=Karen|work=Macworld UK|access-date=2017-09-24|language=en-GB}}

= Checking Xcode version =

Apple advises Xcode developers to verify{{Cite web|url=https://www.apple.com/cn/xcodeghost/|title=有关 XcodeGhost 的问题和解答|website=Apple|archive-url=https://web.archive.org/web/20151114093732/https://www.apple.com/cn/xcodeghost#english|archive-date=November 14, 2015|access-date=June 17, 2016}}{{Cite web|title = Validating Your Version of Xcode - News and Updates - Apple Developer|url = https://developer.apple.com/news/?id=09222015a|website = developer.apple.com|access-date = 2015-11-11}} their version of Xcode and to always have Gatekeeper activated on their machine.
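The check Apple recommended is Gatekeeper's `spctl --assess --verbose /Applications/Xcode.app`, which prints `accepted` together with a `source=` line naming the Mac App Store or Apple for a genuine copy. The script below is an added example, not part of this article or of Apple's documentation: it interprets that output (the function names and the constructed sample outputs are assumptions), rejecting any copy that is not accepted or whose source is not Apple, and only runs the real command when `spctl` is present.

```shell
#!/bin/sh
# Added example (not from the article): decide whether the output of
# `spctl --assess --verbose /Applications/Xcode.app` describes a genuine,
# Apple-signed Xcode. A tampered copy such as XcodeGhost no longer matches
# Apple's signature, so Gatekeeper reports it as rejected (or as signed by
# some other source if it was re-signed).

# Return 0 only when the spctl output in $1 says "accepted" AND the
# source is the Mac App Store or Apple itself.
xcode_spctl_ok() {
    out="$1"
    # First line looks like "/Applications/Xcode.app: accepted|rejected".
    verdict=$(printf '%s\n' "$out" | awk -F': ' '/: (accepted|rejected)$/ { print $NF; exit }')
    # Second line looks like "source=Mac App Store".
    src=$(printf '%s\n' "$out" | sed -n 's/^source=//p' | head -n 1)
    [ "$verdict" = "accepted" ] || return 1
    case "$src" in
        "Mac App Store"|"Apple"|"Apple System") return 0 ;;
        *) return 1 ;;
    esac
}

# Run the real Gatekeeper assessment on a macOS host and report the result.
check_xcode_app() {
    app="${1:-/Applications/Xcode.app}"
    command -v spctl >/dev/null 2>&1 || { echo "spctl not available on this host"; return 2; }
    out=$(spctl --assess --verbose "$app" 2>&1)
    if xcode_spctl_ok "$out"; then
        echo "$app: accepted by Gatekeeper as Apple-signed Xcode"
    else
        echo "$app: NOT a verified Xcode; reinstall it from the Mac App Store"
        return 1
    fi
}

# Constructed sample outputs (assumed shapes, used for offline testing).
GENUINE_SAMPLE='/Applications/Xcode.app: accepted
source=Mac App Store'
TAMPERED_SAMPLE='/Applications/Xcode.app: rejected
source=no usable signature'
RESIGNED_SAMPLE='/Applications/Xcode.app: accepted
source=Developer ID'
```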

References