Apple's Chinese App Store gets infected with malware

News by Rene Millman

Great firewall of China causes problems for great walled garden of Apple

Apple has been forced to withdraw some apps from its Chinese App Store after it was discovered that some of them were infected with malware.

It is possibly the first known major breach of the App Store, which had previously been known for very tight security. Malware had found its way into apps after developers in China were tricked into using a counterfeit version of Xcode, Apple's official software for creating apps. Developers downloaded the dodgy version of the software from servers inside China rather than from Apple itself. It is thought that around 39 apps are affected.

This meant that hackers were able to add malware called XcodeGhost into the otherwise legitimate apps. This malware could then steal data from unsuspecting users. The apps affected were mainly geared towards the Chinese market, such as Tencent's hugely popular WeChat app and another one for hailing taxi cabs. But others affected also included CamCard, which is widely used outside of China.

According to a blog post by Claud Xiao of Palo Alto Networks, the malicious code that XcodeGhost embedded into infected iOS apps is capable of receiving commands from the attacker through the C2 server to perform actions such as:

  • prompting a fake alert dialogue to phish user credentials,
  • hijacking the opening of specific URLs based on their scheme, which could allow for exploitation of vulnerabilities in the iOS system or other iOS apps,
  • reading and writing in the user's clipboard, which could be used to read the user's password if that password is copied from a password management tool.

“Additionally, according to one developer's report, XcodeGhost has already launched phishing attacks to prompt a dialog asking victims to input their iCloud passwords,” said Xiao.

He added that based on this information, “We believe XcodeGhost is a very harmful and dangerous malware that has bypassed Apple's code review and made unprecedented attacks on the iOS ecosystem. The techniques used in this attack could be adopted by criminal and espionage focused groups to gain access to iOS devices.”

In a statement, an Apple spokesperson said: "We've removed the apps from the App Store that we know have been created with this counterfeited software. We are working with the developers to make sure they're using the proper version of Xcode to rebuild their apps."

John Smith, principal solutions architect at Veracode, told SC that mobile malware seemed to be more of a problem for Android than iOS.

“In this case it seems to have fallen short,” he said. “One very interesting aspect of this incident is that the developers of the apps had no knowledge that their own code was being used to carry malware – it was the modified development environment (Xcode) that introduced the payload.”

Gavin Reid, VP of threat intelligence, Lancope, told SC that the App Store should still be considered a safe haven from malware.

“Before this unfortunate incident, the App Store had the industry leading track record releasing over a million apps with only five known bad apps. This is due to their strong application verification process – contrast that with open Android policy resulting in daily malware,” said Reid.

Reid added that the problem is unlikely to affect US and European developers as they would download Xcode directly from Apple, “making a repeat of the same problem unlikely.”

Paco Hope, principal security evangelist at Cigital, told SC that analysing binaries after they are built or penetration testing web and cloud apps after they are deployed provides limited assurance against vulnerabilities that are egregious and obvious.

“Secure software begins earlier, like when it is designed and developed. And there are no silver bullets, no tools that simply take care of the problem so that the people don't need to do it themselves,” he said.

Olly Berry, head of iOS at Mubaloo, said that the problem was minimal as apps are sandboxed.

“So even if an app is infected, it will only affect that app and in this case, it was only non-sensitive data that could be read anyway. People who say otherwise are only doing so because it sounds sensational and makes them seem more interesting, even if they're spreading false information,” he told SC.

Jens Monrad, systems engineer at FireEye, told SC that this is the same kind of supply-chain attack cyber-criminals have been using for years.

“A common tactic is to weaponise a video game, and then post a pirated copy online. When someone seeks it out and installs it, they open up a backdoor. These supply-chain attacks are always going to be a problem when people take shortcuts in obtaining their software and assume they're getting a true copy,” he said.

Gavin Millard, technical director of Tenable Network Security, told SC that now might be a good time to enable two-stage verification on Apple accounts to reduce the impact if an app manages to swipe credentials. “It's probably also worth upgrading to iOS 9 which has significant security improvements,” he said.

"It's disturbing to think that the offer of a slightly quicker download of a 3GB file was enough to infiltrate a market leading app store and affect up to 500 million users."

Andy Pearch, head of IA Services at Corvid, told SC Magazine that Apple is 20 years behind Microsoft when it comes to security.

“For a long time there has been a myth that Apple devices, smart devices and computers, were not subject to viruses and security attacks. This is not true – Apple imposes development restrictions on its devices that prevent a security ecosystem building up that would help protect users,” Pearch said.
