
More Details on the XcodeGhost Malware and Affected iOS Apps


A few days ago, we investigated a new malware called XcodeGhost that modifies Xcode, infects iOS apps and was seen in the App Store. We also found that more than 39 iOS apps were infected, including versions of some very popular apps such as WeChat and Didi, potentially affecting hundreds of millions of iOS users. We also analyzed XcodeGhost’s remote control functionality, which attackers can use for phishing or for further attacks. In this post we discuss a few more details learned since then about XcodeGhost and its behavior.

Actions to Stop the Attack

Since our post on September 18, Palo Alto Networks has cooperated with Apple, Amazon and Baidu to share samples, threat intelligence and research. All of them have taken actions to stop the attack or to mitigate the security threat.

Starting September 18, Apple began removing some iOS apps infected by XcodeGhost from its App Store. Apple also sent an email to affected developers, guiding them to recompile their products with official Xcode and to re-submit them. Apple has acknowledged XcodeGhost as malware and that it has affected the App Store.


Figure 1. The "Railway 12306" app was temporarily removed from the App Store

Amazon has also taken action, including shutting down all C2 servers on Amazon Web Services that XcodeGhost was seen to use for uploading private information and dispatching control commands.

Baidu has removed all malicious Xcode installers from its cloud file-sharing service, making it much harder for a developer to download an infected Xcode unintentionally.

As of this writing, on Monday, September 21, we notice that some previously known infected iOS apps are still available in the App Store, among them China Unicom Mobile Office version 3.2 (Figure 2).


Figure 2. An infected app was still available in the App Store on Monday morning

More Infected Apps Disclosed

In the last few days, other security companies have claimed that many more iOS apps are infected by XcodeGhost. For example, Qihoo 360 listed 344 infected apps in its blog. Pangu Team claimed detection of 3,418 different infected iOS apps. Pangu Team also released an iOS app to detect the trojanized iOS apps they’ve found.

We have not verified their results. However, considering that the malicious Xcode installers have been spread since March 2015, that the C2 servers also launched in March, and that search engine results were polluted, it wouldn’t be surprising if the number of affected iOS apps is far greater than we thought.

More Technical Analysis

Xcode Modification

The most novel attack technique in XcodeGhost is its modification of the Xcode compiler. The idea itself is not new. According to The Intercept’s report on documents disclosed by Edward Snowden, for example, the TCB Jamboree 2012 conference included a presentation called “Strawhorse: Attacking the MacOS and iOS Software Development Kit”.

In this presentation, researchers from Sandia National Laboratories presented the idea of attacking Xcode to infect apps on both iOS and OS X. Note that The Intercept reported on this presentation on March 10, 2015, the same month XcodeGhost was launched.

Figure 3. Document leaked by Edward Snowden showed the same attacking method

In our September 17 report, we explained that XcodeGhost added malicious “CoreServices” object files to the Xcode installers. When developers use an infected Xcode to compile an app, the linker links these malicious object files into the app’s executable file. How is this accomplished?

Our analysis shows that XcodeGhost also modified the following file in Xcode to control the linker:

  • Xcode.app/Contents/PlugIns/Xcode3Core.ideplugin/Contents/SharedSupport/Developer/Library/Xcode/Plug-ins/CoreBuildTasks.xcplugin/Contents/Resources/Ld.xcspec

In Xcode, this Ld.xcspec file contains the configuration used by the ld linker. At the end of this file, the definition of the “DefaultValue” variable was changed by XcodeGhost by appending the string:

  • -force_load $(PLATFORM_DEVELOPER_SDK_DIR)/Library/Frameworks/CoreServices.framework/CoreServices


Figure 4. XcodeGhost modified the Ld.xcspec file

Using this method, the malicious object file is forcibly linked into the target executable. This modification is not shown in Xcode’s user interface, but it does appear in the build logs.
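A developer-side check for the tampering described above, as an added example that is not part of the original post: it inspects the Ld.xcspec file for a forced load of CoreServices.framework, prints a hash of the file for comparison against a known-good install, and asks Gatekeeper to assess the bundle. The spec path and injected flag are the ones the post lists; the default Xcode location and the spctl assessment are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: scan an Xcode install for the
# Ld.xcspec tampering XcodeGhost used. The spec path and the injected
# -force_load of CoreServices.framework come from the post; the default
# Xcode location and the spctl Gatekeeper assessment are assumptions.

LD_XCSPEC_REL='Contents/PlugIns/Xcode3Core.ideplugin/Contents/SharedSupport/Developer/Library/Xcode/Plug-ins/CoreBuildTasks.xcplugin/Contents/Resources/Ld.xcspec'

# check_ld_xcspec FILE
# 0 = no forced CoreServices load, 1 = XcodeGhost-style injection found,
# 2 = file unreadable (not an Xcode install, or the path differs).
check_ld_xcspec() {
    [ -r "$1" ] || return 2
    # The flag sits inside the quoted DefaultValue string, so stop at the next quote.
    if grep -q -- '-force_load[^"]*CoreServices\.framework/CoreServices' "$1"; then
        return 1
    fi
    return 0
}

# file_sha256 FILE: hash to compare against a known-good Xcode install
# (sha256sum on Linux CI hosts, shasum on macOS).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# scan_xcode [XCODE_APP]: report on the linker spec, then ask Gatekeeper
# whether the bundle is still signed by Apple (macOS only).
# Usage: . ./check_xcode.sh; scan_xcode /Applications/Xcode.app
scan_xcode() {
    app="${1:-/Applications/Xcode.app}"
    spec="$app/$LD_XCSPEC_REL"
    rc=0
    check_ld_xcspec "$spec" || rc=$?
    case $rc in
        0) echo "OK: Ld.xcspec does not force-load CoreServices.framework" ;;
        1) echo "ALERT: Ld.xcspec force-loads CoreServices.framework (XcodeGhost pattern)" ;;
        *) echo "SKIP: cannot read $spec" ;;
    esac
    if [ "$rc" -ne 2 ]; then echo "Ld.xcspec sha256: $(file_sha256 "$spec")"; fi
    if command -v spctl >/dev/null 2>&1; then
        spctl --assess --verbose "$app" || echo "ALERT: Gatekeeper rejects $app"
    fi
    return "$rc"
}
```

The hash only becomes useful once you have recorded it from an Xcode downloaded directly from Apple; a mismatch after an update is expected, a mismatch without one is not.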

Prompting Alert Dialog

In previous reports, we discussed that XcodeGhost’s malicious code can be used for phishing by prompting a deceptive alert dialog through its built-in remote control functionality. Here we actually made a mistake in our initial reporting. In the current version of the code, XcodeGhost cannot be directly used to phish iCloud passwords. However, by changing a few simple lines of code, it can do that.

In iOS, if an app prompts a dialog with the UIAlertView class, there’s a property, alertViewStyle, that specifies which kind of dialog to show. For example, if a password input dialog is needed, the property should be set to UIAlertViewStyleLoginAndPasswordInput. If the iOS developer doesn’t specify any value, by default the dialog has no input form and is just an alert with a message and buttons.

We checked all versions of the malicious XcodeGhost files we have available, and found that none of them specifies this property when prompting the alert dialog. Hence, the current XcodeGhost cannot be directly used for iCloud password phishing.


Figure 5. XcodeGhost didn't specify the alertViewStyle property

However, it’s pretty easy for the author to add an alertViewStyle value and a delegate to handle the user’s input. In this way, XcodeGhost could be used to phish any kind of password.

Potential Vulnerability in XcodeGhost

XcodeGhost uses HTTP to upload information and receive C2 commands. The content of these HTTP requests and responses is encrypted with the DES algorithm in ECB mode. It’s also not hard to find the encryption key in its code by reverse engineering.

Consider that HTTP traffic can be hijacked or faked in many ways. This creates a vulnerability in the infected iOS apps: the malicious code in them can be controlled by any man in the middle. By exploiting this vulnerability, an attacker can construct any URL in any scheme and make infected apps open it, or prompt an alert dialog for further attacks.

Note that although the malware’s C2 servers have been shut down, this vulnerability still exists and can be exploited on all affected iOS devices.

Security Suggestions to iOS Users

iOS users can install Pangu Team’s app (by visiting x.pangu.io directly on an iPhone or iPad) to detect whether their installed apps are infected. If there is any infected app, we suggest users temporarily delete it until an updated version is available from its developer.

Two more actions will also help mitigate potential attacks or further exploitation. One is to enable two-step verification for your Apple ID, and the other is to avoid using untrusted WiFi networks.

Even with all of these steps, it’s still a challenge for iOS users to protect themselves from this kind of malware. The attention this has received will hopefully encourage Apple and developers to prevent similar attacks in the future.

Suggestions to iOS and OS X Developers

To avoid being affected by similar malware in the future, we recommend that all developers always download development tools directly from official channels. This includes downloading Xcode, SDKs and the Command Line Tools from Apple’s websites or from the Mac App Store, and downloading third-party libraries such as Unity3D from their original providers.

Second, we suggest all developers set the Gatekeeper protection level to its default value on the Mac computers they use for development, integration and deployment. To do this, go to System Preferences, Security & Privacy, and allow only apps downloaded from “Mac App Store and identified developers.”

Last, we urge iOS and OS X developers to check the integrity of their development tools and libraries before every new version of a product is released. This can be done with the “codesign” utility or by checking hash values.

Acknowledgements

Thanks to @noar for notifying us of the modification in the Ld.xcspec file.
