The iOS app store has traditionally been viewed as a safe source of apps, thanks to Apple’s policing of its walled garden. However, that is no longer completely the case, thanks to the discovery of multiple legitimate apps in the iOS app store that contained malicious code, which was dubbed XcodeGhost.
So, how did XcodeGhost happen? Xcode (Apple’s toolkit for developing on their various platforms) has been a challenge for Chinese developers to download from official sources because of its size (multiple gigabytes) and the slow connection speed to Apple’s servers. (For Chinese users, access to sites within China is much faster than sites outside the country.) As a result, many Chinese iOS app developers did not download Xcode from official sources. Instead, they resorted to downloading copies that were hosted on local file-sharing sites and posted in various online forums:
Figure 1. Forum post advertising Xcode copies
Unfortunately, these copies added a new CoreService development framework to replace the original which contained malicious code. As result, every app built with these tools contained the malicious code. The screenshots below show how a malicious URL was added into the code, which would be accessed by the apps created with the malicious tools. The first screenshot is from a modified version of Xcode 6.2; the other is from a modified version of 6.4. The modified version of 6.4 attempts to hide the malicious URL in order to confuse researchers and security software. (The latest version offered for download by Apple is Xcode 7, with a beta for 7.1 available as well.)
Figure 2. Modified version of Xcode 6.2
Figure 3. Modified version of Xcode 6.4
Here are some of the apps which include the XcodeGhost code. However, due to the widespread use of these copies of Xcode downloaded from other sources, other apps may be affected as well. Do take note that the apps in bold text can still be found in the app store.
Faced with pressure, the XcodeGhost author has since released a letter of apology, along with the source code. Looking into the code, we found that aside from leaking information, the code can remotely push apps. Victims will be directed to the designated app in the app store. In addition, XcodeGhost can also be used to send notifications to the user, which can be used for malicious purposes such as fraud and phishing.
Figure 4. Snippet of released source code
Affected Countries and Regions
Based on our monitoring, we found that China is the most affected country. However, the North American region was also hit hard by XcodeGhost. This isn’t that surprising, considering that several apps that are known to have been infected are available outside of China.
Figure 5. Affected countries
Trend Micro detects apps that contain this malicious code as IOS_XcodeGhost.A.
Update as of September 24, 2015, 12:00 P.M. PDT (UTC-7)
In addition to Xcode, we also observed that the Unity library in iOS has also been infected by malicious code named UnityGhost. Unity is a third-party development platform for creating 2D and 3D multiplatform games. The platform is not only used in iOS devices, but on Android, Windows, and Mac OS X systems as well. Consoles like Playstation, and Xbox may also be affected.
In this scenario, the library, libiPhone-lib-il2cpp.a-armv7-master.o was infected with the same tactics, but is connected with different command and control (C&C) servers.
Figure 6: UnityGhost has the same tactics seen in XcodeGhost (seen in Figure 2) but with a different C&C server
As of this writing we have not been able to find apps infected by UnityGhost on any other platform, including Android.
The Unity platform costs a hefty $75 a month for the professional version, which may have prompted cybercriminals to scour through forums in order to download cracked versions. The screenshot below shows that the cracked version is being distributed by the same XcodeGhost author.
Figure 7: Cracked versions of Unity are being distributed by the XcodeGhost author
Hat tip goes out to the Alibaba Mobile Security Team for sharing the UnityGhost sample.