XcodeGhost iOS malware leaves China, strikes US enterprises

XcodeGhost, malware tailored for iOS applications, is back with a new twist.
Written by Charlie Osborne, Contributing Writer

A new variant of XcodeGhost has been discovered in the wild, leaving China behind to tackle US companies.

In September this year, researchers discovered malware able to infect legitimate Apple iOS applications. The malicious code, known as XcodeGhost, lurked within at least 4000 legitimate iOS apps offered to the Chinese market, placing millions of users at risk.

The malware hijacked apps through Xcode, the developer toolkit used to build software for Apple's ecosystem. By inserting the code into Xcode packages hosted on third-party websites rather than on Apple's own servers, the attackers turned the toolchain itself into the infection vector: every app built with a tainted copy carried the malicious code, which let it slip past App Store review and infect popular apps such as WeChat, PDF Reader and WinZip without the developers' knowledge or consent.

Apple reacted immediately, removing the malicious apps from the iOS App Store and adding security measures intended to prevent a repeat.

However, the malware has not gone away.

This week, a new variant of the malware was discovered: researchers from Symantec say it has been found in unofficial copies of Xcode 7. Although Xcode should only be downloaded from the Mac App Store or Apple's developer website, some developers turn to regional mirrors for faster downloads, since Xcode is over 4 gigabytes in size, and that habit is exactly what the attackers exploit.

Security firm FireEye has tracked the threat posed by XcodeGhost and says the malware has now left the confines of the Chinese market and entered the US enterprise sphere. After monitoring the malware for four weeks, the company recorded 210 enterprises with XcodeGhost-infected apps running inside their networks, generating over 28,000 attempts to connect to the malware's command-and-control (C&C) servers.

Although the original C&C servers are no longer under the attackers' control, the infected apps keep beaconing to them, and FireEye says anyone who can intercept or redirect that traffic (on an untrusted network, for example) could answer in the server's place to distribute apps outside the App Store, send browsers to malicious URLs and launch phishing campaigns.

"Some enterprises have taken steps to block the XcodeGhost DNS query within their network to cut off the communication between employees' iPhones and the attackers' CnC servers to protect them from being hijacked," the researchers say.

"However, until these employees update their devices and apps, they are still vulnerable to potential hijacking of the XcodeGhost CnC traffic -- particularly when outside their corporate networks."
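One way to implement the DNS-level check FireEye describes, as an added example that is not from the article or from FireEye: the script below scans a DNS query log for the three C&C hostnames publicly reported for XcodeGhost (init.crash-analytics.com, init.icloud-analysis.com and init.icloud-diagnostics.com) and lists each client address that resolved them together with how often, which doubles as the list of devices whose apps need updating. The BIND-style query-log format and the sample entries are constructed for the example; adjust the field extraction for your own resolver.

```shell
#!/bin/sh
# Added example: find clients that looked up the publicly reported
# XcodeGhost C&C hostnames in a DNS query log, and emit the blocklist
# a resolver can sinkhole. The log lines are constructed, BIND-style;
# adjust the sed extraction below if your resolver logs differently.

XCODEGHOST_DOMAINS="init.crash-analytics.com init.icloud-analysis.com init.icloud-diagnostics.com"

# Constructed sample log: three infected clients (one beaconing twice,
# one using upper-case), plus one benign lookup that must not match.
SAMPLE_LOG='14-Nov-2015 09:12:01.442 client 10.20.1.15#52345: query: init.icloud-analysis.com IN A + (10.20.0.2)
14-Nov-2015 09:12:03.010 client 10.20.1.15#52346: query: init.icloud-analysis.com IN A + (10.20.0.2)
14-Nov-2015 09:12:09.771 client 10.20.4.88#61002: query: init.crash-analytics.com IN A + (10.20.0.2)
14-Nov-2015 09:12:15.300 client 10.20.7.3#49113: query: www.apple.com IN A + (10.20.0.2)
14-Nov-2015 09:13:40.512 client 10.20.9.120#50001: query: INIT.ICLOUD-DIAGNOSTICS.COM IN A + (10.20.0.2)'

# Build an extended-regex alternation of the C&C names with dots escaped,
# e.g. init\.crash-analytics\.com|init\.icloud-analysis\.com|...
xcodeghost_pattern() {
    printf '%s\n' $XCODEGHOST_DOMAINS | sed 's/\./\\./g' | paste -sd'|' -
}

# Read a query log on stdin; print "client_ip count" for every client
# that queried one of the C&C hostnames (matched case-insensitively,
# anchored on the "query: <name> " field so similar names do not match).
xcodeghost_clients() {
    grep -iE "query: ($(xcodeghost_pattern)) " \
    | sed -n 's/.*client \([0-9.]*\)#.*/\1/p' \
    | sort | uniq -c \
    | awk '{ print $2, $1 }'
}

# One hostname per line, ready for a resolver sinkhole or RPZ blocklist.
xcodeghost_blocklist() {
    printf '%s\n' $XCODEGHOST_DOMAINS
}

printf '%s\n' "$SAMPLE_LOG" | xcodeghost_clients
```

Blocking the lookup at the corporate resolver only protects devices while they are inside the network; the client list this produces is the part that matters, because those devices still need their apps updated before they leave.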

The majority of the infected enterprise devices recorded, 70 percent, had not upgraded to iOS 9, the latest version of Apple's mobile operating system. Users are advised to do so as soon as possible, but updating alone does not make them safe from XcodeGhost.

FireEye says the malware's developer has also released a version of the code, called XcodeGhost S, that targets iOS 9 as well.

"Given the number of infected devices detected within a short period among so many US enterprises, we believe that XcodeGhost continues to be an ongoing threat for enterprises," FireEye continued.

The top industries affected by XcodeGhost in the United States are education, technology and manufacturing.

While downloading Xcode from other sources might be quicker, those copies have not been verified, and so XcodeGhost lives on.

Before building iOS apps, developers should verify that their copy of Xcode is genuine and has not been tampered with.
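A way to do that verification, as an added example that is not from the article: after XcodeGhost, Apple told developers to assess the installed bundle with Gatekeeper's `spctl --assess --verbose /Applications/Xcode.app`, which should report `accepted` with a `source=` of `Mac App Store` (App Store download) or `Apple System` / `Apple` (developer-site download). The script below wraps that command and reduces its output to a single verdict; the sample outputs it parses are constructed, and the exact wording of the rejection line is assumed.

```shell
#!/bin/sh
# Added example: assess an Xcode.app bundle with spctl, the Gatekeeper
# check Apple published after XcodeGhost, and reduce the output to one
# verdict. The code signature seals the bundle contents, so a copy that
# was modified after Apple signed it is rejected. The sample outputs at
# the bottom are constructed; the "rejected" wording is assumed.

# Read spctl output on stdin. Return 0 only when the bundle is accepted
# AND its signature source is Apple or the Mac App Store. Anything else
# (rejected, unsigned, a third-party Developer ID, an unknown source)
# is treated as untrusted.
xcode_spctl_ok() {
    accepted=0
    source_ok=0
    while IFS= read -r line; do
        case "$line" in
            *": accepted")  accepted=1 ;;
            *": rejected"*) return 1 ;;
            "source=Mac App Store"|"source=Apple System"|"source=Apple")
                source_ok=1 ;;
        esac
    done
    [ "$accepted" -eq 1 ] && [ "$source_ok" -eq 1 ]
}

# Run the real assessment on a bundle path (macOS only; default path
# is the standard install location).
verify_xcode() {
    bundle="${1:-/Applications/Xcode.app}"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available; run this on macOS" >&2
        return 2
    fi
    if spctl --assess --verbose "$bundle" 2>&1 | xcode_spctl_ok; then
        echo "$bundle: signature chains to Apple, OK to build with"
    else
        echo "$bundle: NOT verified; delete it and reinstall from Apple" >&2
        return 1
    fi
}

# Constructed outputs: the two accepted shapes Apple documents, and a
# rejection as spctl reports an altered or unsigned bundle.
GOOD_APPSTORE='/Applications/Xcode.app: accepted
source=Mac App Store'
GOOD_DEVSITE='/Applications/Xcode.app: accepted
source=Apple System'
BAD_UNSIGNED='/Applications/Xcode.app: rejected
source=no usable signature'

# Self-check on the constructed samples, then the real bundle if on macOS.
printf '%s\n' "$GOOD_APPSTORE" | xcode_spctl_ok && echo "sample App Store copy: ok"
printf '%s\n' "$BAD_UNSIGNED"  | xcode_spctl_ok || echo "sample altered copy: rejected"
if command -v spctl >/dev/null 2>&1; then verify_xcode; fi
```

Run it on every build machine, not just the one that pulled the download, and rerun it after any Xcode upgrade: a clean copy is worthless if a developer later drags a faster mirror's copy over it.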
