Slashdot Mirror


Apple XcodeGhost Malware More Malicious Than Originally Reported

An anonymous reader writes: Details were scant when Apple confirmed the XcodeGhost malware had infiltrated the iOS App Store. The company didn't say which specific iOS vulnerabilities were exposed and didn't indicate how its iPhone users were affected. However, a Palo Alto Networks security analyst is reporting that XcodeGhost had been used to phish for iCloud passwords, and more specific details are emerging. According to the Networkworld article: "URLs can be sent to the iOS device and opened. This isn't limited to HTTP and FTP URLs, but includes local URLs, such as itunes:// and twitter://, that iOS uses for inter-app communication. For example, this could be used to force automatic phone calls to premium phone numbers, which can charge up to $1 per minute in some cases. Some iOS password manager apps use the system clipboard to paste passwords into the login dialog. As another example, the XcodeGhost malware can read and write data in the user's clipboard, which would allow it to snatch a password."

2 of 79 comments

  1. Re: Poor man's Ken Thompson attack by Anonymous Coward · Score: 2, Insightful

    NO. NO. NO. It isn't even a cheapskate developer problem.

    They did not save themselves $99. They saved nothing except the time it took to download from Apple's servers vs. local Chinese servers.

    To submit an app, you have to pay. To download Xcode, you do not have to do so. So if their app is in the app store, no matter where they got the dev environment, they had to pay to submit an app (or any number of apps).

    It is a stupid developer problem, OR a smart Chinese government who slowed downloads via the great firewall enough to get people to download infected local copies.

  2. Re: Why would any developer ever download this? by Hattmannen · Score: 3, Insightful

    Slow download and installation using the official channels does not even begin to describe it. I did some work in Xcode this spring. Two and a half hours it took to install the bloody thing even with a quick and stable connection.
    Two days later I had to install a new update to be able to continue my work. Thankfully that only took slightly more than an hour.
    In hindsight it was a good thing that I didn't grab it from an unofficial source, but man, was it ever so tempting.

    --
    People are not wearing enough hats.