
Malware XcodeGhost Infects 39 iOS Apps, Including WeChat, Affecting Hundreds of Millions of Users

Category: Malware, Threat Prevention, Unit 42

Yesterday we posted an analysis report on XcodeGhost, a novel malware that modifies the Xcode IDE to infect Apple iOS apps. In that report we mentioned that at least two popular iOS apps were infected. We now believe many more popular iOS apps have been infected, including WeChat, one of the most popular IM applications in the world.

After we posted the report, security companies such as Qihoo 360 scanned popular apps in the App Store using code analysis, and some iOS developers analyzed more apps using crowd-sourcing techniques. Several Internet companies, including Tencent, NetEase, and Jianshu, have made statements about their affected products.

We checked these apps and list them below. As of this writing, we see 39 iOS apps that are infected, some of which are extremely popular in China and in other countries around the world, with hundreds of millions of users in total.

The infected iOS apps include IMs, banking apps, mobile carrier apps, maps, stock trading apps, SNS apps, and games. Among the better-known apps are WeChat (developed by Tencent); Didi Chuxing (developed by Didi Kuaidi), the most popular Uber-like app in China; Railway 12306, the only official app for purchasing train tickets in China; China Unicom Mobile Office, which is used by the biggest mobile carrier in China; and Tonghuashun, one of the most popular stock trading apps.

Figure 1. WeChat 6.2.5 is also infected

Some apps are also available from the App Store in other countries. For example, CamCard, developed by a Chinese company, is the most popular business card reader and scanner in many countries (including the US) around the world. (Update Sept. 21: We’ve verified that, while CamCard v6.5.1 in the Chinese App Store was infected by XcodeGhost, the older version of CamCard, v5.5.2, found in the U.S. App Store is not infected.)

WeChat is the most popular IM app not only in China but also in many countries or regions in Asia Pacific. Version 6.2.5 of WeChat is what we have verified to be infected. Tencent has updated to 6.2.6, which removed the malicious code.

Palo Alto Networks is cooperating with Apple on the issue and we also suggest all iOS developers be aware and take necessary actions.

Infected iOS apps

网易云音乐  2.8.3

微信  6.2.5

讯飞输入法  5.1.1463

滴滴出行  4.0.0.6-4.0.0.0

滴滴打车  3.9.7.1 – 3.9.7

铁路12306  4.5

下厨房  4.3.2

51卡保险箱  5.0.1

中信银行动卡空间  3.3.12

中国联通手机营业厅  3.2

高德地图  7.3.8

简书  2.9.1

开眼  1.8.0

Lifesmart  1.0.44

网易公开课  4.2.8

马拉马拉  1.1.0

药给力  1.12.1

喜马拉雅  4.3.8

口袋记账  1.6.0

同花顺  9.60.01

快速问医生  7.73

懒人周末

微博相机

豆瓣阅读

CamScanner

CamCard v6.5.1

SegmentFault  2.8

炒股公开课

股市热点

新三板

滴滴司机

OPlayer  2.1.05

电话归属地助手  3.6.5

愤怒的小鸟2 2.1.1

夫妻床头话  1.2

穷游  6.6.6

我叫MT  5.0.1

我叫MT 2  1.10.5

自由之战  1.1.0
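As an added example (not code from Unit 42 or from any vendor named here), the following Python checks a constructed MDM-style app inventory against a few entries of the list above, treating the post's newest-oldest version ranges as ranges and comparing versions numerically; the inventory format and device IDs are assumptions.

```python
# Added example (not from the Unit 42 post): check an MDM app inventory against
# entries from the list above. Inventory lines are constructed; names/ranges are the post's.

# Affected builds as published above: a single version, or a range written
# newest-oldest with "-" or " – ", exactly as the post formats them.
AFFECTED = {
    "微信": "6.2.5",                # WeChat; 6.2.6 removed the malicious code
    "滴滴出行": "4.0.0.6-4.0.0.0",  # Didi Chuxing
    "滴滴打车": "3.9.7.1 – 3.9.7",
    "CamCard": "6.5.1",
}

def parse_version(v: str) -> tuple:
    """'6.2.5' -> (6, 2, 5): compare numerically, not as strings ('10' < '9')."""
    return tuple(int(p) for p in v.strip().lstrip("v").split("."))

def parse_range(spec: str) -> tuple:
    """(low, high) for 'a-b' or 'a – b'; a single version is its own range."""
    parts = [p for p in spec.replace("–", "-").split("-") if p.strip()]
    bounds = sorted(parse_version(p) for p in parts)
    return bounds[0], bounds[-1]

def is_affected(app: str, version: str) -> bool:
    spec = AFFECTED.get(app)
    if spec is None:
        return False
    low, high = parse_range(spec)
    v = parse_version(version)
    # Pad to equal length so 3.9.7 and 3.9.7.0 compare as equal.
    width = max(len(v), len(low), len(high))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(low) <= pad(v) <= pad(high)

def affected_devices(inventory: str) -> list:
    """Inventory format (constructed): one 'device_id,app_name,version' per line."""
    hits = []
    for line in inventory.strip().splitlines():
        device, app, version = (f.strip() for f in line.split(","))
        if is_affected(app, version):
            hits.append((device, app, version))
    return hits

SAMPLE_INVENTORY = """\
ios-001,微信,6.2.5
ios-002,微信,6.2.6
ios-003,滴滴出行,4.0.0.3
ios-004,滴滴打车,3.9.7
ios-005,CamCard,5.5.2
"""
```

Calling affected_devices(SAMPLE_INVENTORY) returns the three devices still on an affected build (ios-001, ios-003, ios-004); the WeChat 6.2.6 and CamCard 5.5.2 entries are not flagged, matching the post's update notes.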

Fox-IT (fox-it.com), a Netherlands-based security company, checked all C2 domain names from our reports against their network sensors and found thousands of malicious connections outside China. According to their data, these iOS apps were also infected:

WinZip

Musical.ly

PDFReader

guaji_gangtai en

Perfect365

网易云音乐

PDFReader Free

WhiteTile

IHexin

WinZip Standard

MoreLikers2

CamScanner Lite

MobileTicket

iVMS-4500

OPlayer Lite

QYER

golfsense

同花顺

ting

installer

下厨房

golfsensehd

Wallpapers10000

CSMBP-AppStore

礼包助手

MSL108

ChinaUnicom3.x

TinyDeal.com

snapgrab copy

iOBD2

PocketScanner

CuteCUT

AmHexinForPad

SuperJewelsQuest2

air2

InstaFollower

CamScanner Pro

baba

WeLoop

DataMonitor

爱推

MSL070

nice dev

immtdchs

OPlayer

FlappyCircle

高德地图

BiaoQingBao

SaveSnap

WeChat

Guitar Master

jin

WinZip Sector

Quick Save

CamCard v.6.5.1

Comments

  1. 1.866.320.4788 says:

    As usual …

  2. Edward Smith says:

    None of them seem to be apps used at all or generally in the West

  3. Ali says:

    If an Apple iPhone user has downloaded and used one of these infected apps, what is the recommended course of action? What are the potential security risks and what should one do to protect themselves?

  4. Sascha says:

    “SJCAM zone” v2.5.0 is infected!

  5. Paul says:

    Ok but what should I do when having an infected app?

  6. Leslie says:

    Would be nice if the affected iOS apps were translated to English

  7. Kennete says:

    If you have one of the apps, uninstall immediately.

  8. Thann says:

    As I understand it, the apps not listed in English are local Asian versions of some popular apps (i.e. Localized version of Angry Birds). Ref: arstechnica.

  9. FTP says:

    At least there’s WinZip, used in Western countries. It’s my case. That’s disappointing news to learn that WinZip uses a non-official Xcode kit :-/

  10. Lolis says:

    I just checked in the Apple store and WeChat is there… I am confused?????

  11. Anne says:

    If I delete the infected app PDF READER, will I lose all my PDF files or just the reader? Does this mean I should change my Apple ID as suggested? Do I download a different reader or wait for further news?

  12. geminialpha says:

    APPLE pls generate a tool which inspects all the apps I use!

  13. Ken Goesting says:

    Just uninstalling won’t work well. A factory reset is more like it.

  14. Htet Myat says:

    Checking for my wife’s account data!!!

  15. Tiger Woods says:

    I used WeChat and look what happened to me…

  16. mohammed says:

    yes yes wechat is infected
