Following the successful attack on the iOS App Store this week, in which hundreds (and maybe even thousands) of applications were infected with malware and distributed by the App Store, Apple has published a support document urging developers to validate their installation of Xcode.
We recently removed apps from the App Store that were built with a counterfeit version of Xcode which had the potential to cause harm to customers. You should always download Xcode directly from the Mac App Store, or from the Apple Developer website, and leave Gatekeeper enabled on all your systems to protect against tampered software.
This successful attack on the App Store is fascinating in that it raises a number of interesting questions. First, how many applications have been infected with this attack? The number seems to keep on growing – from a few dozen to hundreds and even thousands – and includes several high-profile, popular applications like the Chinese WeChat (installed on virtually every Chinese iPhone), but also popular games such as Angry Birds 2. In fact, according to SourceDNA, several of the infected applications are still live in the App Store.
Second, how many more applications have been infected with other types of malware? If so many popular applications with this malware could be uploaded to and distributed by the App Store, you have to wonder how many more types of malware are currently lurking in the App Store that we don’t know about yet or that haven’t been detected by Apple.
Third – and this isn’t really a question but more of a tongue-in-cheek pondering – does this attack make iOS the least secure mobile operating system? This single attack alone has definitely infected more iPhones than the total number of Android phones that have ever been infected – which I find strangely hilarious. WeChat alone has about 500 million users, and is installed on pretty much every Chinese iPhone, and several other of the infected applications are also hugely popular. Depending on how many people installed the infected updates, and how many of the applications ‘overlap’, we’re definitely looking at millions of infected iPhones, possibly even more.
To quote Apple’s own Phil Schiller – “be safe out there”.
What does this malware actually do? Does it compromise root/admin privileges or something?
Nope – it just has access to the data the unmodified app would have, but it can send this data to any server.
I can’t believe they used that name. Wow, that’s ballsy!
But who’s the Keymaster?
Who pays for an ADC account to submit apps, only to download Xcode from a third party?
Supposedly they are developers that had unreasonably long download times from the official servers, possibly due to the Great Firewall. Even in Europe the transfer speeds from Apple aren’t exactly impressive.
Here in Denmark when I access data from Microsoft and it originates from Redmond servers the speed is something like 2 mbit because of poor peering agreements across the Atlantic. I’ve never downloaded something from 3rd party due to that, but if it was gigabytes of data and let’s say 512 kbit there’s a high chance I’d be tempted.
Sorry, but this is a cut and paste from a previous post; I hope it helps to answer your question. Hope it also makes it clear why we need an open Internet.
I am currently living in China and the Internet is painful, if you try and use the Internet as is, going outside of China is slow, randomly blocked and unreliable. The effect is that most Chinese users don’t bother to leave China. It is possible to get round this, but it is not easy. I had my own VPN connected to a VPS and this was blocked after a month so I now use a commercial VPN which works but is quite slow (and paid for with foreign currency). Again the effect is most users don’t leave China, which I assume is the intention.
The effect on software in China is that it is appalling, as it relies on pirated, hacked software loaded onto local websites, mainly Windows based. Even much legitimate Chinese software is simply a machine for delivering adware to your computer (I’m thinking as I write of an English/Chinese dictionary that uses masses of system resources simply to deliver adverts of scantily clad girls to your computer). The effect is that the Chinese are used to software horror (it has become normal). Almost no one uses open source tools: if you want to partition a computer, no one uses gparted or similar; they will use an old, hacked, pirated version of some horrible proprietary software. This is a symptom of a closed web where users are making do with what they have available, rather than being able to engage with the world.
It comes as no surprise that, rather than going to Apple’s website to download the Xcode installer (a process that would require a VPN, would be an unreliable download and could take a week or so), they did the normal thing and got a hacked, pirated version that was easily available from a Chinese website.
So instead of downloading from Apple and, shock, waiting a whole week, that’s like 7 whole days, unbearable, you download potentially unsafe software and then fail to validate it? This excuse does not hold up, I wish people would stop making it.
I don’t think I’ve ever waited more than a day for any download ever, and that was back in the heady days of 56k dialup. A week is a crazy amount of time to have to wait for a download, especially since there’s probably a high risk the download will be corrupted when you eventually do get it together, and I refuse to believe that you’d be happy to wait days for your downloads either. It’s not right of course, but I can totally understand why someone would download from a dodgy website instead, particularly if it’s the same place they already get all their software.
My longest download ever was around 48 hours, Redhat binary and source isos over a modem, quite possibly 28.8kbps at the time. A few days to download an IDE may seem like a long time, but it just isn’t when you actually think about what is going on. If it is going to take more, just contact someone trustworthy to post a dvd with it on to you. Never underestimate the bandwidth…. etc.
I agree the point is not that it is acceptable, but that it has become normal. People expect to make do with hacked, cracked, pirated rubbish. I know for many solutions there are better open source and legal solutions, but in a closed web can you find them? Remember in China you can’t use Google, and Yahoo and Bing are slow and adjusted; try using Baidu for a week, then imagine never using anything else.
It’s not like Apple provides MD5s or SHA1s for Xcode dmgs. What exactly would you want to validate it against?
Gatekeeper warned it was not signed. There is a validation. Apple have also provided command line instructions on how to validate all the individual parts of Xcode as well. Digital signatures validate it. If Apple software is not signed by Apple it is questionable.
The apps have still been subjected to App Store approval, and they haven’t compromised iOS in any way. The exploit allowed the author to inject code, at build time, into apps built using a compromised Xcode. That’s all bad, but it only allows the author to send very basic system information to his or her server. So it’s really nothing compared to the Stagefright vulnerability, for example. It’s also not as bad as the AFNetworking vulnerabilities that affected many iOS apps. I’d expect better than hysterics from OSAlert.
Quick! Someone get Thom a fainting couch.
Edited 2015-09-22 22:19 UTC
Sorry, but you are in denial. At this point it’s a known fact that:
“the malicious code that XcodeGhost embedded into infected iOS apps is capable of receiving commands from the attacker through the C2 server to perform the following actions:
– Prompt a fake alert dialog to phish user credentials;
– Hijack opening specific URLs based on their scheme, which could allow for exploitation of vulnerabilities in the iOS system or other iOS apps;
– Read and write data in the user’s clipboard, which could be used to read the user’s password if that password is copied from a password management tool.”
More details here (plenty, in fact):
http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghos…
or, for a (less technical) summary:
http://www.networkworld.com/article/2985228/mobile-security/how-app…
But you know what? I think we’re all missing the point here. I mean, shit happens after all, but in my opinion we should ask ourselves:
1) Why is Apple not publishing an official list of infected apps forcing people to rely on lists published by third parties instead?
2) Why is Apple not contacting customers who have downloaded the infected apps to alert them about the possible dangers?
RT.
Sorry, but that’s just not true.
“Second, Phil Schiller’s statement that Apple has no evidence of infected apps getting access to user information has been backed by security researchers who have been analyzing the capabilities of infected apps. Analysis by Appthority (via ArsTechnica) revealed that the code has no ability to display login prompts or request text from users, meaning that it could not fool users into entering iCloud or other login credentials. The apps have the following capabilities, it said:
Send requests to the server (using a fixed timer interval between requests)
The request contains all kinds of device identifiers (like a typical tracking framework)
The response can trigger different actions:
Shows an AppStore item within the app by using a SKStoreProductViewControllerDelegate
Showing an UIAlertView and show the AppStore view depending on which button was tapped
Open an URL
Sleeping for a given time”
XcodeGhost source code:
https://github.com/XcodeGhostSource/XcodeGhost?files=1
Author claims on Twitter that all it’s really capable of doing in its current form is the equivalent of what most legit analytics apps do all the time, and actually does much less compared to most ad tracking frameworks.
It’s been indicated that the code could be modified to induce a phishing attack (like those pop ups asking for iCloud passwords), but the affected version of Xcode doesn’t seem to contain said modifications.
An app that does something bad – or even a large number of apps – doesn’t make an OS insecure.
If you install malware on Linux as root that goes on to format your root partition you can’t really claim it’s the fault of Linux.
In this case the malware basically engages in phishing attacks to get your credentials for anything from WeChat to iCloud to Gmail, targeting the users of the impacted apps. The malware can’t breakout of the sandbox iOS imposes on apps.
That said, Apple should be filtering these apps during the review process – certainly at this point. If they are not doing that after they’ve discovered this, what’s the point of the Apple review process?
THIS!!!!
I bet my balls that Apple spend 99% of the “reviewing time” doing bureaucratic/copyright checks rather than technical ones.
Because if you do a _real_ technical analysis of an application this kind of disaster can hardly happen; you can detect a malicious app pretty quickly.
But let me tell you the real problem: in today’s Enterprise world technical matters are always secondary, nobody cares about technical stuff. We the engineers are the last voice to be heard; we are the stupid grumpy people always complaining, they laugh at us… obviously when something really bad happens (hello VW!!) companies realize that sometimes they have to listen to the engineers instead of the PR team.
That’s the REAL and DEEP problem behind these “disasters”. Apple, VW, Cisco or IBM all the same shit.
Edited 2015-09-23 06:32 UTC
I’m not a big believer in the Apple review process.
AFAIK Apple doesn’t do code review and doesn’t do the build based on the source code you provided.
Your app can contain anything, as long as it fits the guidelines.
Edited 2015-09-23 09:18 UTC
No way in hell will I enable Gatekeeper. Sorry Apple, but we’re not all going to pay up for the privilege of developing apps. Go to hell.
What a stupid attitude to have. There is nothing preventing you from developing and running your own apps with gatekeeper enabled. You always have the possibility to bypass gatekeeper if you feel that you can trust a downloaded unsigned app.
What you get in return is protection against tampered apps and an opportunity to stop them before they run. I can’t imagine how this could be a bad thing.
You don’t run everything as root just because it’s a mild annoyance to have to elevate your privileges once in a while, do you?
Gatekeeper works only on downloaded apps. If the bundle does not have the “magic” xattr, which for example your own binary will not have, then Gatekeeper does not kick in.
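A check along the lines of the validation Apple's support note describes and the quarantine xattr point above, as an added example (not code from the post, from OSAlert or from Apple): it assumes macOS with spctl, codesign and xattr on PATH, and that a genuine Xcode is reported by spctl as accepted with source=Mac App Store, source=Apple or source=Apple System.

```shell
#!/bin/sh
# Added example: verifies a local Xcode.app with the Gatekeeper assessment
# tool (spctl), a deep signature check (codesign), and a look at the
# com.apple.quarantine xattr that decides whether Gatekeeper runs at all.
# Assumption: macOS with these tools on PATH.

XCODE_APP="${XCODE_APP:-/Applications/Xcode.app}"

# Classify one "spctl --assess --verbose" result (passed in as text so the
# logic can be checked offline). Assumption from Apple's note: a genuine
# Xcode is "accepted" with source=Mac App Store, source=Apple or
# source=Apple System; anything else is treated as untrusted.
spctl_verdict() {
    _out="$1"
    case "$_out" in
        *": accepted"*)
            case "$_out" in
                *"source=Mac App Store"*|*"source=Apple System"*|*"source=Apple"*)
                    echo ok; return 0 ;;
            esac ;;
    esac
    echo untrusted; return 1
}

# Gatekeeper only assesses bundles carrying the quarantine xattr, so say
# whether launching this one would trigger it at all.
quarantine_state() {
    if xattr -p com.apple.quarantine "$1" >/dev/null 2>&1; then
        echo "quarantined: Gatekeeper will assess on first launch"
    else
        echo "not quarantined: Gatekeeper will not intervene, rely on the checks below"
    fi
}

verify_xcode() {
    app="$1"
    [ -d "$app" ] || { echo "no bundle at $app" >&2; return 2; }
    quarantine_state "$app"
    out=$(spctl --assess --verbose "$app" 2>&1)   # Gatekeeper's own verdict
    echo "$out"
    spctl_verdict "$out" || return 1
    # Deep, strict verification also catches tampered nested bundles/tools.
    codesign --verify --deep --strict "$app" || return 1
    echo "Xcode at $app passes Gatekeeper and signature checks"
}

# Usage: sh verify_xcode.sh /Applications/Xcode.app
if [ $# -gt 0 ]; then verify_xcode "$1"; fi
```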
It’s quite curious that a technique developed by the CIA has apparently hit a vast number of Chinese users. I am not suggesting a conspiracy but the coincidence is at least ‘interesting’.
Thousands claimed by Pangu, so their list includes apps in jailbreak territory, I assume?
What I’m more interested in are the number of compromised apps in the official App Store. So far, the biggest list I’ve found online contains about 70+ apps (none of which I use, phew!). Anyone have the full list yet, or at least a list with the supposed hundreds (or thousands) of compromised apps?
To add,
PaloAlto recommends an app by Pangu to detect compromised apps on your phone. Seriously, Pangu the jailbreak kings? That’s like jumping out of the frying pan and into the fire. The app requires you to grant trusted access to some “Shenzhen Avaintel Technology”. Yeah, no thanks.
Edited 2015-09-23 02:36 UTC
“WeChat alone has about 500 million users” – most of which will be on Android, right? I doubt there’s half a billion iPhone users in China.
https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
Let me guess, Apple is going to add more crap to their Mac OS X and the hardware to prevent you from running things they don’t want…?
I predict adoption of ‘secure boot’ for Apple hardware.
Apple hardware (iOS) already has secure boot.
Edited 2015-09-23 16:09 UTC
I meant the desktop/laptop machines if that wasn’t clear.