
XcodeGhost - malware apocalypto for iOS
Researchers at the well-known US security company Palo Alto Networks reported the discovery of many malicious applications in the App Store. The App Store is maintained by Apple and is regarded as the most reliable and secure application distribution channel for iOS. What made these malicious applications unusual was that they had been compiled with an illegitimate copy of Xcode, the iOS application development environment that every developer uses.

Applications compiled with the fake Xcode are collectively called XcodeGhost; according to the latest data they number in the thousands, and more than a thousand are still in the App Store at the moment. ESET antivirus products detect the XcodeGhost malware as iOS/XcodeGhost (F-Secure: Backdoor:iPhoneOS/XCodeGhost.A, Sophos: iPh/XcdGhost-A, Symantec: OSX.Codgost).
The fake Xcode hit Chinese developers, since they were the first to use it, choosing not to download Xcode from the Apple developer portal but to get it from torrents and other unreliable "places". The malicious code was introduced into an otherwise legitimate application at the build stage: the linker combined the application's object code with the malicious object code, producing an application that looks completely legitimate to the developer but is in fact already malicious. The resulting application was signed with the developer's own certificate and placed in the App Store as a legitimate one.
The malicious code itself, the XcodeGhost payload that the linker injected into the legitimate application, performs no destructive action on the device; it simply collects statistics about the device and sends them to the attackers' C&C server in encrypted form. The malicious object file whose contents were added to legitimate applications was named CoreServices, and it resided in one of the framework directories of the Xcode distribution.
The following files were added to the compromised Xcode development environment.

Fig. Files added to the Xcode environment that are necessary for successfully linking the program with malicious code (data from Palo Alto Networks).
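The files shown above were only dangerous because nobody compared the torrented Xcode against a known-good install. The check below is an added example, not code from the original post or from Palo Alto Networks: it baselines a toolchain tree with SHA-256 hashes and reports files that were added, removed or altered since the baseline was taken, which is exactly what an extra object file dropped into a framework directory looks like. All paths and file contents in the demo are constructed for illustration and do not reproduce the real Xcode layout.

```python
"""Toolchain integrity baseline: catch files added to or altered in a build
environment such as an Xcode install.

Added example, not the post's or Palo Alto Networks' code. The directory
layout and file contents used by demo() are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large toolchain binaries are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink():
                continue  # symlink targets are hashed when walked themselves
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def save_manifest(manifest: dict, out: Path) -> None:
    """Persist the baseline; in practice keep this file off the build host."""
    out.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report paths that appeared, disappeared or changed since the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a clean tree, then tamper with a copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Toolchain"
        frameworks = root / "SDK" / "Frameworks"
        (frameworks / "Foundation.framework").mkdir(parents=True)
        (frameworks / "Foundation.framework" / "Foundation").write_bytes(b"clean object code")
        (root / "bin").mkdir()
        (root / "bin" / "ld").write_bytes(b"clean linker")
        baseline_file = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(root), baseline_file)

        # Tamper (constructed): an extra object file dropped into a framework
        # directory, as the fake Xcode did, plus one existing binary replaced.
        (frameworks / "CoreServices.framework").mkdir()
        (frameworks / "CoreServices.framework" / "CoreServices").write_bytes(b"injected object code")
        (frameworks / "Foundation.framework" / "Foundation").write_bytes(b"patched object code")

        return diff_manifests(load_manifest(baseline_file), build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Take the baseline from a copy of Xcode downloaded from Apple and checked with Apple's own integrity command, `spctl --assess --verbose /Applications/Xcode.app` (a genuine copy reports `accepted` with `source=Apple` or `source=Apple System`), store the manifest away from the build host, and re-run the comparison before release builds; an "added" entry under an SDK framework directory is the signal this incident lacked.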
XcodeGhost specializes solely in collecting information about the system.

Fig. XcodeGhost system information collected (Palo Alto Networks data).
- The current time when the data was collected.
- Name of the application carrying XcodeGhost.
- Bundle ID of the application carrying XcodeGhost.
- Device type and device name.
- Current country and language.
- The current UUID.
- Network type.
Apple has already begun removing the malicious applications from the App Store; some popular apps were among them.
XcodeGhost was the first mass-scale malware, or infection technique, to affect one of the safest operating systems, Apple iOS. Before XcodeGhost, the number of malware families for iOS was barely ten, and all of them targeted jailbroken devices, not to mention that anyone could distribute them through the App Store. The high security level of recent versions of this mobile OS (DEP/ASLR, sandboxing, rootless, code signing, secure boot chain, binding to the App Store) made it almost impenetrable to exploits and malicious programs.