Yesterday we posted an analysis report on a novel malware XcodeGhost that modifies Xcode IDE to infect Apple iOS apps. In the report, we mentioned that at least two popular iOS apps were infected. We now believe many more popular iOS apps have been infected, including WeChat, one of the most popular IM applications in the world.
After we posted the report, some security companies like Qihoo 360 scanned popular apps in App Store by code analysis; and some iOS developers analyzed some more apps using crowd-sourcing techniques. Several Internet companies such as Tencent, NetEase, and Jianshu, have made statements on their respective affected products..
We checked these apps and list them below in this report. As of this writing, we see 39 iOS apps being infected, some of which are extremely popular in China and in other countries around the world, comprising hundreds of millions users.
The infected iOS apps include IMs, banking apps, mobile carrier’s app, maps, stock trading apps, SNS apps, and games. Among the more well-known apps are WeChat (developed by Tencent); Didi Chuxing (developed by Didi Kuaidi) the most popular Uber-like app in China; Railway 12306, the only official app used for purchasing train tickets in China; China Unicom Mobile Office, which is in use by the biggest mobile carrier in China; and Tonghuashun, one of most popular stock trading apps.
Figure 1. WeChat 6.2.5 is also infected
Some apps are also available from the App Store in other countries. For example, CamCard, developed by a Chinese company, is the most popular business card reader and scanner in many countries (including the US) around the world. (Update Sept. 21: We've verified that, while CamCard v6.5.1 in Chinese App Store was infected by XcodeGhost, the older version of CamCard, v5.5.2 found in the U.S. App Store, is not infected.).
WeChat is the most popular IM app not only in China but also in many countries or regions in Asia Pacific. Version 6.2.5 of WeChat is what we have verified to be infected. Tencent has updated to 6.2.6, which removed the malicious code.
Palo Alto Networks is cooperating with Apple on the issue and we also suggest all iOS developers be aware and take necessary actions.
Infected iOS apps
滴滴打车 126.96.36.199 - 3.9.7
我叫MT 2 1.10.5
Fox-IT (fox-it.com), a Netherlands based security company, checked all C2 domain names from our reports in their network sensors and has found thousands of malicious traffic outside China. According to their data, these iOS apps were also infected: