Slashdot Mirror


Apple XcodeGhost Malware More Malicious Than Originally Reported

An anonymous reader writes: Details were scant when Apple confirmed the XcodeGhost malware had infiltrated the iOS App Store. The company didn't say which specific iOS vulnerabilities were exposed and didn't indicate how its iPhone users were affected. However, a Palo Alto Networks security analyst is reporting that XcodeGhost had been used to phish for iCloud passwords, and more specific details are emerging. According to the Networkworld article: "URLs can be sent to the iOS device and opened. This isn't limited to HTTP and FTP URLs, but includes local URLs, such as itunes:// and twitter://, that iOS can use for inter-app communications. For example, this could be used to force automatic phone calls to premium phone numbers, which can charge up to $1 per minute in some cases. Some iOS password manager apps use the system clipboard to paste passwords into the login dialog. As another example, the XcodeGhost malware can read and write data in the user's clipboard, which would allow it to snatch a password."

4 of 79 comments

  1. Actually, the opposite by Rosyna · Score: 5, Informative

    It's actually the opposite. It's much, much less malicious than people say. The source code is available.

    For one, it cannot be used for phishing attacks. The UIAlertView it shows has no text input fields, and it never attempts to get anything from the dialog other than the integer value of the button that was pressed.

    It also cannot get the UDID of the device because it uses -identifierForVendor which is a UUID that is specific to that specific app, so it can't be used to track users. iOS can and will change it.

    It can't be used to dial premium services either, as iOS always shows a dialog when opening telephone URLs, and iOS 9 always shows a dialog when using URLs that open another app. But the fact it can open Twitter, so what? It can't do anything with that. It can't control Twitter.

    This functionality was actually designed to open the App Store so the user can review/rate the app or to show users similar apps.

    It's even significantly less bad than most ad/analytics packages.

    1. Re: Actually, the opposite by Rosyna · Score: 4, Informative

      Because you can verify that it's the same code by simply looking at the disassembly in the Palo Alto Networks articles?

      The author of said article confirmed it was the same source code and updated his post after I pointed out the discrepancy.

    2. Re: Actually, the opposite by Rosyna · Score: 3, Informative

      First, I'm not "some poster" and two, I'm suggesting you read the updated article that says phishing is not possible with XcodeGhost.

  2. Re: Why would any developer ever download this? by Anonymous Coward · Score: 2, Informative

    As all the stories clearly said, it was because it took a long time to download via official channels, so they went with an unofficial one which had local servers and much better speed. In hindsight a bad decision, but at least you can see why someone would consider it.

    On another topic, the headline is too long. It can be shortened to Apple more malicious than originally reported.