Slashdot Mirror


Apple Cleaning Up App Store After Its First Major Attack

Reuters reports that Apple is cleaning up hundreds of malicious iOS apps after what is described as the first major attack on its App Store. Hundreds of the store's apps were infected with malware called XcodeGhost, which spread through a counterfeit version of Xcode, Apple's iOS IDE. Things could be a lot worse, though: Palo Alto Networks Director of Threat Intelligence Ryan Olson said the malware had limited functionality and his firm had uncovered no examples of data theft or other harm as a result of the attack. Still, he said it was "a pretty big deal" because it showed that the App Store could be compromised if hackers infected the machines of software developers writing legitimate apps. Other attackers may copy that approach, which is hard to defend against, he said.

8 of 246 comments

  1. Re:Duh by printman · · Score: 4, Informative

    Um, Xcode is free.

    The only thing you pay for is the $99 to distribute applications (through the App Stores or within your organization) - writing and installing your own applications to your iPhone, iPad, Apple Watch, Mac, etc. are all free.

    The issue here appears to be limited to developers that are downloading Xcode from unofficial sources which allows their code to become infected.

    --
    I print, therefore I am.
  2. Re:People are Stupid, exhibit 49284a by Anonymous Coward · · Score: 1, Informative

    Might have something to do with your ISP and their connections. As long as it isn't on a major software release day we can get things extremely quickly from Apple on a university connection. However, downloading from my cable vendor was terrible until I used a VPN connection back to the university, then it was much faster again.

    If you're in the US I suspect your connection to Apple will get much better now that they have a few net neutrality rules to follow...

  3. Download once and use USB by SuperKendall · · Score: 3, Informative

    You can easily download Xcode, put it on a USB stick, and share it with others. I do that with every build. Using a modern USB3 memory stick it will copy fairly rapidly.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  4. Re:Hard to defend against you say? by Wrath0fb0b · · Score: 4, Informative

    The usual method of getting developers to install a backdoored version of an IDE is to make them think they are downloading the legit one. Infect their computers, MITM them. The NSA/GCHQ have many ways to do that, and few developers bother to check file signatures (do Apple even offer them?)

    Not only do they offer signatures, but the infected version of Xcode will be refused by default unless you modify the default Gatekeeper setting. This is all the more ridiculous because you don't even need to register to download the legit Xcode directly from Apple. And of course it's protected in transit by SSL.

    Not sure what your FUD is.

    [ Yeah, maybe GCHQ is clever enough to infect Xcode and still pass Gatekeeper. But this case shows you don't really have to be that smart -- just tell users "you must click here to run this software" and they'll do it, even if that means disabling security checks. ]
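
The Gatekeeper check the comment above relies on, written out as an added shell example (not code from the thread or from Apple): it wraps `spctl --assess --verbose`, the check Apple recommended for validating an Xcode install after XcodeGhost, and treats only the Mac App Store / Apple signed sources as genuine. The parsing is split into its own function so it can be exercised with constructed spctl output on any system; the live check only runs when a path is passed on the command line.

```shell
#!/bin/sh
# Added example: validate that an Xcode.app is the one Apple signed, using the
# Gatekeeper assessment (spctl). A counterfeit Xcode such as the XcodeGhost
# build is not Apple-signed, so spctl reports "rejected" or a non-Apple source.

# Decide from spctl's text output whether the app passed as Apple-signed.
# Expected genuine output (two lines):
#   /Applications/Xcode.app: accepted
#   source=Mac App Store        (or source=Apple, or source=Apple System)
# Returns 0 when genuine, 1 otherwise.
xcode_verdict_ok() {
    out="$1"
    case "$out" in
        *": accepted"*) ;;          # first line must carry the accepted verdict
        *) return 1 ;;
    esac
    # Pull the source= line on its own so substring matches cannot be fooled
    # by a longer source name (e.g. "Developer ID" variants).
    src=$(printf '%s\n' "$out" | sed -n 's/^source=//p')
    case "$src" in
        "Mac App Store"|"Apple"|"Apple System") return 0 ;;
        *) return 1 ;;
    esac
}

# Run the real assessment on macOS. spctl exits non-zero on rejection, so the
# exit status is ignored here and only the printed verdict is parsed.
assess_xcode() {
    app="${1:-/Applications/Xcode.app}"
    out=$(spctl --assess --verbose "$app" 2>&1) || true
    if xcode_verdict_ok "$out"; then
        echo "OK: $app passes Gatekeeper as Apple-signed"
        return 0
    fi
    echo "WARNING: $app is NOT an Apple-signed Xcode; spctl said:"
    echo "$out"
    return 1
}

# Usage: sh check_xcode.sh /Applications/Xcode.app
if [ "$#" -gt 0 ]; then
    assess_xcode "$1"
fi
```

The same verdict parsing applies to any Xcode.app path, including a copy shared over USB as suggested elsewhere in the thread: a USB copy of a genuine download still passes, a tampered one does not.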

  5. Re:Hard to defend against you say? by nuonguy · · Score: 4, Informative

    No Evidence?

    Really?

    No evidence at all?

    What would you consider evidence?

    That’s why the news from Bitdefender researchers is so alarming. They discovered sophisticated CAPTCHA-bypassing Android malware in Google Play apps.

    from http://www.itbusinessedge.com/...

  6. Re:Vetting of apps? by jo_ham · · Score: 3, Informative

    Of course Apple have a monopoly on their own products... I'm not sure how you can't see that this is obviously legal.

    There's no legal problem with being the only store on a product that you sell, *especially* when Android makes up the bulk of the smartphone market.

    So, "how that can even be legal" is that Apple are not a monopoly as far as smartphones are concerned, nor are they leveraging their non-monopoly position in one area to promote their business in another.

  7. Re:Hard to defend against you say? by AmiMoJo · · Score: 1, Informative

    It seems that one of the affected parties was Tencent, hardly a small developer and unlikely to be using "dodgy" versions of Xcode. It very much appears that they have been the victims of the NSA/GCHQ, targeting applications that are popular with Chinese users.

    We know that the NSA has the ability to bypass Apple's OS security checks, because they bragged about it in their catalogue of spy tools that was leaked. So it very much appears that they have either found a way around Gatekeeper or managed to steal one of Apple's private keys to sign their malware with.

    SSL is no protection, unfortunately, when your opponent can make fake SSL certificates. That's why Google pins its own certs in Chrome, to prevent agencies like the NSA and GCHQ using fake ones signed by hacked/coerced registrars. Again, leaked documents show that this is a tactic they have used in the past.

    I'm not singling out Apple here, they attack everyone more or less indiscriminately. We know that they use similar techniques against Windows, Android and Linux operating systems, and against a very long list of companies.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  8. Re:Hard to defend against you say? by AmiMoJo · · Score: 3, Informative

    Sorry, you fell for the media hype. From your very first link:

    Both Wallpaper Dragon Ball and Finger Hockey, RiskIQ said, have malware that steals confidential information such as device IDs from infected devices.

    So an anti-virus company is spreading alarm that apps can access the device's unique ID and the internet, both things the user has to give it permission for. It's bullshit, they are just making out that you need anti-virus software in order to sell their shitty snake-oil product.

    By this standard there are thousands of bits of malware on the Apple app store too, because any app that has permission to read the device's ID and internet access is classed as malicious.

    The last link you posted is as close as it comes, but requires the user to download an "innocent" looking game that needs permission to send SMS messages (with a big warning that it may COST YOU MONEY $$$). They found one example, and Google removed it quickly. That's a pandemic all right.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC