Alert: First Major iOS App Store Breach

Type of Alert: Malware affecting iOS apps.

Main Attack Vector: Named XcodeGhost, the malware has been found in more than 200 popular apps so far. It was contained in a compromised copy of Apple's iOS developer kit (SDK) that was hosted by a Chinese cloud storage company.

What is Stolen: The malicious code uploads device information and app information to its command and control (C2) server. It is also capable of receiving commands from the attacker [to] prompt a fake alert dialog to phish user credentials; hijack opening specific URLs…which could allow for exploitation of vulnerabilities; [and] read and write data in the user’s clipboard.

Who is Affected: This malware has now been found in more than 200 iPad and iPhone apps. Most of these apps are Chinese and are used only in China. Chinese hackers are blamed, but many apps used in the U.S. were also infected, including Mercury, CamCard, and musical.ly, and some of the infected apps are used all over the world. Here’s a list from Palo Alto Networks, who found the malware first.

Description:

From The Wall Street Journal:

Some of the most popular Chinese names in Apple Inc.’s App Store were found to be infected with malicious software in what is being described as a first-of-its-kind security breach, exposing a rare vulnerability in Apple’s mobile platform, according to multiple researchers.

The applications were infected after software developers were lured into using an unauthorized and compromised version of Apple’s developer tool kit, according to researchers at Alibaba Mobile Security, a mobile antivirus division of Alibaba Group Holding Ltd.

The list of recently compromised iPhone and iPad apps includes Tencent Holdings Ltd.’s popular mobile chat app WeChat, Uber-like car-hailing app Didi Kuaidi, and a Spotify-like music app from Internet portal NetEase Inc.
The attack affected more than three dozen apps, according to U.S.-based cybersecurity firm Palo Alto Networks Inc.

The infected apps can transmit information about a user’s device, prompt fake alerts that could be used to steal passwords to Apple’s iCloud service, and read and write information on the user’s clipboard, according to researchers.

Apple said in a late Sunday statement that it had taken steps to address the problem. “To protect our customers, we’ve removed the apps from the App Store that we know have been created with this counterfeit software and we are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps,” the statement said.
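Apple's remedy is for developers to rebuild their apps with a genuine Xcode. The script below is an added example, not part of this alert and not code from Apple, Palo Alto Networks, or the WSJ: it wraps the Gatekeeper assessment (`spctl --assess --verbose`) of an Xcode.app install and treats the install as trustworthy only when the assessment reports "accepted" with an Apple-controlled source. The default path `/Applications/Xcode.app`, the `XCODE_PATH` override and the three trusted source labels checked for are assumptions of this example; the parsing is split into its own function so it can be exercised on constructed spctl output where spctl itself is unavailable.

```shell
#!/bin/sh
# Added example: decide whether an Xcode.app install is Apple-signed by
# parsing the Gatekeeper assessment that `spctl --assess --verbose` prints.
# Assumed: the install path below and the trusted source labels that spctl
# reports for software signed by Apple or delivered through the Mac App Store.

XCODE_PATH="${XCODE_PATH:-/Applications/Xcode.app}"

# xcode_assessment_ok ASSESSMENT_TEXT
# Returns 0 when the text contains a line ending in ": accepted" and a
# source line naming an Apple-controlled origin; returns 1 otherwise.
# Taking the text as an argument lets the logic run without spctl present.
xcode_assessment_ok() {
    printf '%s\n' "$1" | grep -q ': accepted$' || return 1
    printf '%s\n' "$1" \
        | grep -qxE 'source=(Mac App Store|Apple System|Apple)' || return 1
    return 0
}

# check_xcode
# Runs the real assessment on macOS. Exit status: 0 trusted, 1 untrusted
# or rejected, 2 when spctl is not available (e.g. not running on macOS).
check_xcode() {
    command -v spctl >/dev/null 2>&1 || return 2
    # spctl prints "rejected" details on stderr, so capture both streams
    result=$(spctl --assess --verbose "$XCODE_PATH" 2>&1)
    xcode_assessment_ok "$result"
}

# Usage: sh check_xcode.sh --run    (sourcing the file only defines the functions)
if [ "${1:-}" = "--run" ]; then
    status=0
    check_xcode || status=$?
    case "$status" in
        0) echo "$XCODE_PATH: Apple-signed Xcode, safe to build with" ;;
        1) echo "$XCODE_PATH: assessment failed, do not build with this Xcode" ;;
        2) echo "spctl not found; run this check on macOS" ;;
    esac
    exit "$status"
fi
```

A rejected or third-party-signed assessment (for example a source that is a Developer ID rather than Apple) is treated as untrusted, which is the case the XcodeGhost incident describes: a developer kit obtained from a non-Apple download.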
