Thousands of Apple-Authenticated Apps Infected by Malware: How Did This Happen?

Thousands of malware infected apps have tricked their way past Apple’s security systems and made their way into Apple’s App store, in what has been described as the first major attack on the store itself.

Apple are famous for a few things – innovation, closed platforms, and stringent security measures that developers often find hard to work with, but work with them they must. It’s always been Android who have suffered from a bad reputation for security, and not for any small reason – today by far the vast majority of malware exists on Android’s operating system.

However, in the last couple of days more and more alarming news is emerging about ‘XCodeGhost’ which is a trojanised, malicious version of Apple’s iOS developer tool called XCode. App developers need to download and use XCode in order to get their apps into Apple’s store and available to users.

XCode is free for developers, but is a notoriously large file which takes a while to download. Someone (reports are tracing this hack back to Chinese cybercriminals) made an ‘adapted’ version of XCode and marketed it as locally available from Chinese servers, and therefore it would be faster to download. It was spread on popular developer forums with this message.

The problem was, there were other intentions besides helping developers to download the file faster. It was laced with malware, but the malware was hidden in such a way that Apple’s security measures didn’t pick it up. Sophos believe this is because the malware was ‘buried in parts that looked like Apple-supplied components…Apple let many of these apps through App Store validation, presumably because the parts complied from the vendor’s own source code were fine.” (From their Naked Security blog post)

So, app developers using the trojanised version of XCode would then successfully add their apps to the app store (by the way the apps themselves were completely legitimate – reports say the Chinese version of Angry Birds 2 is one of the affected ones) and users would download them, thinking the process was all very normal.

Initially it was thought that only 39 apps were carrying the malware, but it has since been revealed by security researchers FireEye that the figure is more than 4000.

What was the malware designed to do? Well as usual it’s the end user who is at risk here, as anyone who downloaded an infected app could theoretically have their credentials, usernames and passwords stolen and sent to servers ran by the hackers. Here’s the official word from FireEye:

“The malicious apps steal device and user information and send stolen data to a command and control (CnC) server [and] also accept remote commands including the ability to open URLs sent by the CnC server.

These URLs can be phishing webpages for stealing credentials, or a link to an enterprise-signed malicious app that can be installed on non-jailbroken devices.”

Apple were against the clock to remove all the infected apps, and told the BBC what they were doing about the infiltration:

“We’ve removed the apps from the App Store that we know have been created with this counterfeit software,” said Apple spokeswoman Christine Monaghan.

“We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps,”

So what are the main issues here?

Well first of all some blame has to go to the developers who downloaded the unofficial version of XCode. The old saying, ‘If something sounds too good to be true, it probably is,’ should have rang a bell here.

I’m sure the developers would be horrified to learn that their apps carried malware inside them (not to mention the fact that they’ll now have to rebuild them), but they didn’t use an authentic source in which to build them in the first place.

Second of all how much blame can be placed on Apple? Sophos say that in the future Apple ‘should assume a completely hostile environment for all parts of all apps submitted to the App Store’.

And this is the thing – the biggest issue when it comes to IT Security is letting people in through the back door. You can have the greatest security system in the world, but if you leave the key under the plant pot then people are going to find a way in eventually.

I talked about this is a presentation I gave last week to our customers as part of a Sophos roadshow event – you can see highlights of this event in the video below, which includes a rundown of what hackers are targeting within businesses, and how they’re going about it today.