
The XcodeGhost Plague – How Did It Happen?

  • Posted on: September 21, 2015 at 8:44 pm
  • Posted in: Mobile
  • Author: Ju Zhu (Mobile Threats Analyst)

The iOS app store has traditionally been viewed as a safe source of apps, thanks to Apple’s policing of its walled garden. That is no longer completely the case: multiple legitimate apps in the iOS app store were found to contain malicious code, which has been dubbed XcodeGhost.

So, how did XcodeGhost happen? Xcode (Apple’s toolkit for developing on their various platforms) has been a challenge for Chinese developers to download from official sources because of its size (multiple gigabytes) and the slow connection speed to Apple’s servers. (For Chinese users, access to sites within China is much faster than to sites outside the country.) As a result, many Chinese iOS app developers did not download Xcode from official sources. Instead, they downloaded copies hosted on local file-sharing sites and advertised in various online forums:

Figure 1. Forum post advertising Xcode copies

Unfortunately, these copies replaced the original CoreService development framework with a new one that contained malicious code. As a result, every app built with these tools also contained the malicious code. The screenshots below show how a malicious URL was added to the code; apps created with the modified tools would then contact that URL. The first screenshot is from a modified version of Xcode 6.2; the second is from a modified version of 6.4. The modified version of 6.4 attempts to hide the malicious URL in order to confuse researchers and security software. (The latest version offered for download by Apple is Xcode 7, with a beta of 7.1 available as well.)

Figure 2. Modified version of Xcode 6.2

Figure 3. Modified version of Xcode 6.4
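The root problem above is an install tree that no longer matches what Apple ships: one framework swapped for a modified copy. The following is an added example (not Trend Micro or Apple code) of the defender-side check: hash every file of a suspect toolchain install and diff it against a manifest taken from a verified download. The directory layout, file names (including the CoreService framework path) and file contents are constructed for the demo and do not reproduce Apple's real Xcode layout.

```python
"""Detect drift between a verified toolchain install and a suspect copy.

Added example, not code from Trend Micro or Apple. XcodeGhost rode in on
Xcode copies that replaced a framework inside the install, so a defender's
check is to hash every file of a suspect install and compare it with a
manifest taken from a download verified against Apple's signature.
All paths and file contents below are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map every regular file under root (POSIX relative path) to its SHA-256."""
    root_path = Path(root)
    manifest = {}
    for path in sorted(root_path.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root_path).as_posix()] = digest
    return manifest


def diff_manifests(baseline, candidate):
    """Report files added, removed or modified in candidate relative to baseline."""
    base_keys, cand_keys = set(baseline), set(candidate)
    return {
        "added": sorted(cand_keys - base_keys),
        "removed": sorted(base_keys - cand_keys),
        "modified": sorted(
            key for key in base_keys & cand_keys if baseline[key] != candidate[key]
        ),
    }


def _write(root, rel, data):
    """Create rel under root (parents included) with the given bytes."""
    target = Path(root) / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


def demo():
    """Build a clean tree and a tampered tree, then diff them.

    The layout only mimics the page's description (a swapped CoreService
    framework plus an extra object file); the directory names are
    illustrative, not Apple's real Xcode layout.
    """
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        for root in (clean, suspect):
            _write(root, "Contents/Developer/usr/bin/clang", b"compiler bytes")
            _write(root, "Contents/Frameworks/IDEKit.framework/IDEKit", b"ide kit bytes")
        framework = "Contents/Frameworks/CoreService.framework/CoreService"
        _write(clean, framework, b"original framework")
        # Same path, altered bytes: the hash no longer matches the baseline.
        _write(suspect, framework, b"original framework\x00injected")
        # A file that exists only in the suspect copy.
        _write(suspect, "Contents/Frameworks/CoreService.framework/Resources/extra.o", b"payload")
        return diff_manifests(build_manifest(clean), build_manifest(suspect))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Any entry under "added" or "modified" inside a toolchain that should be byte-identical to Apple's download is a finding, whatever the file is named. On a Mac the same question can be put to the platform itself with `spctl --assess --verbose /Applications/Xcode.app`, which reports whether the bundle's Apple signature still verifies; a trojanized copy fails that seal check even before any hash comparison.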

Infected Apps

Here are some of the apps which include the XcodeGhost code. However, because these copies of Xcode downloaded from unofficial sources were so widely used, other apps may be affected as well. Do take note that the apps in bold text can still be found in the app store.

| BundleID | Version | AppLabel |
|---|---|---|
| com.51zhangdan.cardbox | 5.0.1 | 51卡保险箱 |
| com.cloud1911.mslict | 1.0.44 | LifeSmart |
| cn.com.10jqka.StocksOpenClass | 3.10.01 | 炒股公开课 |
| com.xiaojukeji.didi | 3.9.7 | 嘀嘀打车 |
| com.xiaojukeji.didi | 4.0.0 | 滴滴出行 |
| com.xiaojukeji.dididache | 2.9.3 | 滴滴司机 |
| com.dayup11.LaiDianGuiShuDiFree | 3.6.5 | 电话归属地助手 |
| sniper.ChildSong | 1.6 | 儿歌动画大全 |
| com.rovio.scn.baba | 2.1.1 | 愤怒的小鸟2 |
| com.appjourney.fuqi | 2.0.1 | 夫妻床头话 |
| com.autonavi.amap | 7.3.8 | 高德地图 |
| com.stockradar.radar1 | 5.6 | 股票雷达 |
| cn.com.10jqka.TheStockMarketHotSpots | 2.40.01 | 股市热点 |
| com.jianshu.Hugo | 2.9.1 | Hugo |
| com.wdj.eyepetizer | 1.8.0 | Eyepetizer |
| com.iflytek.recinbox | 1.0.1083 | 录音宝 |
| com.maramara.app | 1.1.0 | 马拉马拉 |
| com.intsig.camcard.lite | 6.5.1 | CamCard |
| com.octInn.br | 6.6.0 | BirthdayReminder |
| com.chinaunicom.mobilebusiness | 3.2 | 手机营业厅 |
| cn.12306.rails12306 | 2.1 | 铁路12306 |
| cn.com.10jqka.IHexin | 9.53.01 | 同花顺 |
| cn.com.10jqka.IphoneIJiJin | 4.20.01 | 同花顺爱基金 |
| cn.com.gypsii.GyPSii.ITC | 7.7.2 | 图钉 |
| com.netease.videoHD | 10019 | 网易公开课 |
| com.netease.cloudmusic | 2.8.3 | 网易云音乐 |
| com.tencent.xin | 6.2.5 | 微信 |
| com.tencent.mt2 | 1.10.5 | 我叫MT 2 |
| com.gemd.iting | 4.3.8 | 喜马拉雅FM |
| com.xiachufang.recipe | 48 | 下厨房 |
| cn.com.10jqka.ThreeBoard | 1.01.01 | 新三板 |
| com.simiao-internet.yaodongli | 1.12.0 | 药给力 |
| com.gaeagame.cn.fff | 1.1.0 | 自由之战 |

Pushing Apps

Faced with pressure, the XcodeGhost author has since released a letter of apology along with the source code. Looking into the code, we found that, aside from leaking information, the code can remotely push apps: victims are directed to a designated app in the app store. XcodeGhost can also be used to send notifications to the user, which can serve malicious purposes such as fraud and phishing.


Figure 4. Snippet of released source code

Affected Countries and Regions

Based on our monitoring, we found that China is the most affected country. However, the North American region was also hit hard by XcodeGhost. This isn’t that surprising, considering that several apps that are known to have been infected are available outside of China.


Figure 5. Affected countries

Trend Micro detects apps that contain this malicious code as IOS_XcodeGhost.A.

Update as of September 24, 2015, 12:00 P.M. PDT (UTC-7)

In addition to Xcode, we observed that the Unity library for iOS has also been infected with malicious code, which we named UnityGhost. Unity is a third-party development platform for creating 2D and 3D multiplatform games. The platform is used not only for iOS devices but for Android, Windows, and Mac OS X systems as well. Consoles like PlayStation and Xbox may also be affected.

In this scenario, the library libiPhone-lib-il2cpp.a-armv7-master.o was infected using the same tactics, but it connects to different command-and-control (C&C) servers.

Figure 6. UnityGhost uses the same tactics seen in XcodeGhost (see Figure 2) but with a different C&C server

As of this writing we have not been able to find apps infected by UnityGhost on any other platform, including Android.
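Both the XcodeGhost callback described under "Pushing Apps" and the UnityGhost variant with its separate C&C servers share one network trait: every app built with the trojanized tool talks to the same server, even though the apps themselves are unrelated. The block below is an added example (not Trend Micro code) of a detection built on that trait: it parses proxy logs and reports any host reached by at least N distinct app bundle IDs that is not on a baseline allowlist. The log lines, bundle IDs and hostnames are constructed for the demo; the `.invalid` hosts are placeholders, not the real C&C infrastructure, and the log format is an assumed one.

```python
"""Flag destination hosts that many unrelated apps beacon to.

Added example, not Trend Micro code. A trojanized build tool such as
XcodeGhost (or UnityGhost, which used different C&C servers) plants the
same callback in every app built with it, so the network signal is one
host contacted by many distinct bundle IDs. The log lines, bundle IDs
and hostnames below are constructed for the demo; the .invalid hosts
are placeholders, not the real C&C infrastructure.
"""
from collections import defaultdict

# Constructed proxy log, one request per line (assumed format):
# timestamp client_ip bundle_id method host path
SAMPLE_LOG = """\
2015-09-21T10:00:01Z 10.0.0.11 com.example.maps POST c2-a.example.invalid /api/init
2015-09-21T10:00:02Z 10.0.0.12 com.example.music POST c2-a.example.invalid /api/init
2015-09-21T10:00:03Z 10.0.0.13 com.example.chat POST c2-a.example.invalid /api/init
2015-09-21T10:00:04Z 10.0.0.14 com.example.stocks POST c2-a.example.invalid /api/init
2015-09-21T10:00:05Z 10.0.0.11 com.example.maps GET tiles.example.com /t/1/2/3.png
2015-09-21T10:00:06Z 10.0.0.12 com.example.music GET cdn.example.com /song.m4a
2015-09-21T10:00:07Z 10.0.0.15 com.example.game1 POST c2-b.example.invalid /unity/check
2015-09-21T10:00:08Z 10.0.0.16 com.example.game2 POST c2-b.example.invalid /unity/check
2015-09-21T10:00:09Z 10.0.0.17 com.example.game3 POST c2-b.example.invalid /unity/check
2015-09-21T10:00:10Z 10.0.0.11 com.example.maps POST api.platform.example /push
2015-09-21T10:00:11Z 10.0.0.12 com.example.music POST api.platform.example /push
2015-09-21T10:00:12Z 10.0.0.13 com.example.chat POST api.platform.example /push
this line is malformed and must be skipped
"""

# Hosts every app is expected to reach (platform services, analytics);
# in practice this baseline comes from known, documented infrastructure.
ALLOWLIST = {"api.platform.example"}


def parse_log(text):
    """Yield one record per well-formed log line; skip anything malformed."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        timestamp, client_ip, bundle_id, method, host, path = parts
        yield {
            "ts": timestamp,
            "client": client_ip,
            "bundle": bundle_id,
            "method": method,
            "host": host,
            "path": path,
        }


def shared_hosts(records, min_apps=3, allowlist=ALLOWLIST):
    """Return {host: sorted bundle IDs} for every non-allowlisted host that
    at least min_apps distinct apps contacted."""
    apps_by_host = defaultdict(set)
    for rec in records:
        if rec["host"] in allowlist:
            continue
        apps_by_host[rec["host"]].add(rec["bundle"])
    return {
        host: sorted(apps)
        for host, apps in apps_by_host.items()
        if len(apps) >= min_apps
    }


if __name__ == "__main__":
    for host, apps in shared_hosts(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {len(apps)} distinct apps -> {', '.join(apps)}")
```

The threshold and allowlist are the tuning knobs: legitimate shared services (push gateways, ad networks, crash reporters) will also be contacted by many apps, so the allowlist has to be built from known infrastructure first, and the remaining hits are reviewed by hand. Because the check keys on behaviour rather than on a string in the binary, it is unaffected by the URL hiding seen in the modified Xcode 6.4 and catches a new variant with fresh servers, such as UnityGhost, without a signature update.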

The professional version of the Unity platform costs a hefty $75 a month, which may have prompted cybercriminals to scour forums for cracked versions to download. The screenshot below shows that the cracked version is being distributed by the same XcodeGhost author.


Figure 7. Cracked versions of Unity are being distributed by the XcodeGhost author

Hat tip goes out to the Alibaba Mobile Security Team for sharing the UnityGhost sample.
