Number of XcodeGhost-Infected iOS Apps Rises
An anonymous reader writes: As the list of apps infected with the XcodeGhost malware keeps expanding, Apple, Amazon and Baidu are doing their best to purge their online properties of affected apps, malicious Xcode installers, and C&C servers used by the attackers to gather the stolen information and control the infected apps/devices. China-based jailbreaking Pangu Team claims that the number of infected apps is higher than 3,400, and has offered for download a free app that apparently detects the Trojanized apps.
>> free app that apparently detects the Trojanized apps
"detects and exploits" probably
This is true. I have an Android phone, and I don't even need to go to some 'app store' thingy to download malware, it still (3 months after initial public disclosure) is vulnerable to the Stagefright vulnerability, which Google researchers have shown is exploitable from the browser and allows privileged arbitrary code execution. None of this crap from Apple, where you need user action to install this stuff!
I am TheRaven on Soylent News
It matters because "IOS" is a different operating system, made by Cisco. Sure, it's clear from context which one is being talked about in this case, but that's not always true.
(On a related note, it was pretty stupid of Cisco to license the trademark.)
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Not anymore. Xcode 7 adds the ability to deploy to any personal device for "free".
Quoted because you need a Mac to run Xcode.
But as long as you compile the code yourself (way to go - a proprietary OS enforcing open-source!), you can load the code on your phone.
In fact, there are emulators out there (like provenance, gba4ios, etc) that people are using just fine on their iOS devices. All you need to do is get the code from a tarball or git/svn/etc, open in Xcode, build and deploy to your iPhone or iPad or whatever.
No, it doesn't qualify as "Free" because the built binary is limited to running on your own devices.
And the iOS sandbox was not breached - the amount of information the malware could access without alerting users was pretty limited anyhow - you could get the date, time, application ID, UUID (which because of advertising, is now different per-app) and a few other things. If the malware tried to access contacts, photos, or GPS, an alert would show up asking if the user wanted to allow or deny the action.
Of course, if said iOS device was jailbroken, then the malware could get way more information because the sandbox would be broken.
As bad as it goes, the infected apps really get less information than a typical app which wants to do in-app advertising.
>> As bad as it goes, the infected apps really get less information than a typical app which wants to do in-app advertising.
Unless the infected app is supposed to request permissions for GPS, address book, calendar, photos access, etc etc. If Snapchat were to become infected, as an example, they would have access to pretty much every piece of information you can get inside a single app except for the calendar.