Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple XcodeGhost Malware More Malicious Than Originally Reported

Posted by samzenpus on from the how-bad-is-it dept.

An anonymous reader writes: Details were scant when Apple confirmed the XcodeGhost malware had infiltrated the iOS App Store. The company didn't say which specific iOS vulnerabilities were exposed and didn't indicate how its iPhone users were affected. However, a Palo Alto Networks security analyst is reporting that XcodeGhost had been used to phish for iCloud passwords, and more specific details are emerging. According to the Networkworld article: "URLs can be sent to the iOS device and opened. This isn't limited to HTTP and FTP URLs, but includes local URLs, such as itunes:// and twitter:// that iOS can be used for inter-app communications. For example, this could be used to force automatic phone calls to premium phone numbers, which can charge up to $1 per minute in some cases. Some iOS password manager apps use the system clipboard to paste passwords into the login dialog. As another example, the XcodeGhost malware can read and write data in the user's clipboard, which would allow it to snatch a password."

48 of 79 comments (clear)

  1. Why would any developer ever download this? by Anonymous Coward · · Score: 3, Interesting

    Seriously. Xcode is beer as in free, yes it used to cost $5 many years ago because of weird accounting but that was a long time ago. Why would anyone ever download Xcode from the Apple Developer web site or the Mac App Store?

    1. Re:Why would any developer ever download this? by Anonymous Coward · · Score: 2, Informative

      As all the stories clearly said it was because it took a long time to download via official channels so they went with an unofficial one which had local servers and much better speed. In hindsight a bad decision but at least you can see why someone would consider it.

      On another topic, the headline is too long. It can be shortened to Apple more malicious than originally reported.

    2. Re:Why would any developer ever download this? by k2r · · Score: 2

      > Why would anyone ever download Xcode from the Apple Developer web site or the Mac App Store?

      I think the current theory is that the big firewall of china made the download so slow that people used local copies.

    3. Re:Why would any developer ever download this? by sexconker · · Score: 1

      it used to cost $5 many years ago because of weird accounting

      I bet you also believed the line about OS X updates having to cost money because of the Sarbanes Oxley Act.

      Apple charges what they do because people pay. There is absolutely no accounting or SARBOX voodoo involved.

    4. Re:Why would any developer ever download this? by Hattmannen · · Score: 3, Insightful

      Slow download and installation using the official channels does not even begin to describe it. I did some work in Xcode this spring. Two and a half hours it took to install the bloody thing even with a quick and stable connection.
      Two days later I had to install a new update to be able to continue my work. Thankfully that only took slightly more than an hour.
      In hindsight it was a good thing that I didn't grab it from an unofficial source, but man, was it ever so tempting.

      --
      People are not wearing enough hats.
    5. Re:Why would any developer ever download this? by macs4all · · Score: 1

      Slow download and installation using the official channels does not even begin to describe it. I did some work in Xcode this spring. Two and a half hours it took to install the bloody thing even with a quick and stable connection. Two days later I had to install a new update to be able to continue my work. Thankfully that only took slightly more than an hour. In hindsight it was a good thing that I didn't grab it from an unofficial source, but man, was it ever so tempting.

      I guess you've never installed Visual Studio, then. Even from a DVD it is quite a long process.

    6. Re:Why would any developer ever download this? by phalse+phace · · Score: 1

      Seriously. Why would anyone ever download Xcode from the Apple Developer web site or the Mac App Store?

      So they can get a clean version of Xcode?

    7. Re:Why would any developer ever download this? by Gr8Apes · · Score: 1

      XCode only took 5-10 minutes to download and install, even on a really crappy broadband connection. Yes, it's 1.5GB. But at even 1.5Mbps average download it's just a shade over 2 hours. So how bad exactly was your "quick and stable connection" since every cable and fiber connection advertises speeds in excess of 10 Mbps these days in the US?

      --
      The cesspool just got a check and balance.
    8. Re:Why would any developer ever download this? by Gr8Apes · · Score: 2

      For doing anything with a Mac, you really need an SSD and 16GB of RAM. Once you have that, OSX works beautifully, and XCode starts up instantly. Without an SSD and plenty of RAM, you're fucked.

      That is true for any system. I ran a cleaned XP on an SSD - it's amazing how fast it is. Same with Win7. Or Linux. Or OS/2 (in a VM even). It's amazing what a 10 fold increase in disk I/O and a 100 fold decrease in latency will do for performance.

      --
      The cesspool just got a check and balance.
    9. Re:Why would any developer ever download this? by macs4all · · Score: 1

      The deficiencies of Visual Studio have absolutely zero significance on the shitfullness of the Xcode download/installation/update process

      I was merely trying to point out that IDE installs in general are often kinda long.

    10. Re: Why would any developer ever download this? by Rosyna · · Score: 1

      Slow installation of Xcode? Xcode doesn't have an installer. You either download the app and copy it to wherever via drag and drop or grab it from the Mac App Store.

    11. Re:Why would any developer ever download this? by Plumpaquatsch · · Score: 1

      it used to cost $5 many years ago because of weird accounting

      I bet you also believed the line about OS X updates having to cost money because of the Sarbanes Oxley Act.

      Apple charges what they do because people pay. There is absolutely no accounting or SARBOX voodoo involved.

      Actually, that would be a SEXCONKER OXSHIT ACT issue, because you just made it up.

      --
      Of course news about a fake are Fake News.
  2. Actually, the opposite by Rosyna · · Score: 5, Informative

    It's actually the opposite. It's much, much less malicious that people say. The source code is available.

    For one, it cannot be used for phishing attacks. The UIAlertView is shows has no text input fields and it never attempts to get anything from the dialog other than the integer value of the button that was pressed.

    It also cannot get the UDID of the device because it uses -identifierForVendor which is a UUID that is specific to that specific app, so it can't be used to track users. iOS can and will change it.

    It can't be used to dial premium services either as iOS always shows a dialog when opening telephone URLs and iOS 9 always shows a dialog when using URLs that open another app. But the fact it can open Twitter so what? It can't do anything with that. It can't control Twitter.

    This functionality was actually designed to open the App Store so the user can review/rate the app or to show users similar apps.

    It's even significantly less bad than most ad/analytics packages.

    1. Re: Actually, the opposite by Rosyna · · Score: 2

      It seems you didn't actually bother to look at the source code? It doesn't not attempt to phish anything. I even linked to the precise line of code for the alert creation.

    2. Re:Actually, the opposite by sribe · · Score: 1

      Not informative, in fact disingenuous. Mod down.

      Perhaps you'd like to point out the (alleged) inaccuracies?

    3. Re: Actually, the opposite by Rosyna · · Score: 4, Informative

      Because you can verify that it's the same code by simply looking at the disassembly in the Palo Alto Networks articles?

      The author of said article confirmed it was the same source code and updated his post after I pointed out the discrepancy.

    4. Re: Actually, the opposite by Rosyna · · Score: 3, Informative

      First, I'm not "some poster" and two, I'm suggesting you read the updated article that says phishing is not possible with XcodeGhost.

    5. Re: Actually, the opposite by Rosyna · · Score: 1

      The Network Workd article that is full of inaccuracies. Hell, anyone that's used iOS should know a dialog is shown before any number can be dialed.

    6. Re: Actually, the opposite by sexconker · · Score: 1

      I for one would rather trust a -1 moderated, AC post on /. than any article written by a "security researcher" who has a vested interest in lying.
      In this case, the /. post even makes sense and provides evidence, unlike the "article" we're discussing.

    7. Re: Actually, the opposite by Rosyna · · Score: 1

      Sigh. You do realize that I linked to a newer article that says they made a mistake about the capabilities? You could have at least read thatâ¦

    8. Re: Actually, the opposite by Rosyna · · Score: 1

      Huh? Here's what the article I just linked to says:

      In previous reports, we discussed that XcodeGhostâ(TM)s malicious code can be used for phishing by prompt deceptive alert dialog with built-in remote control functionalities. Here we actually made a mistake in our initial reporting. In the current version of the code, XcodeGhost cannot be directly used to phish iCloud passwords. However, by changing a few simple lines of code, it can do that. .

      In iOS, if an app prompts a dialog by the UIAlertView class, thereâ(TM)s a property alertViewStyle to specify which kind of dialog it wants to show. For example, if a password input dialog is needed, the property should be assigned to UIAlertViewStyleLoginAndPasswordInput. If the iOS developer didnâ(TM)t specify any value, by default the dialog will have no input form but is just an alert with message and buttons.

      We checked all versions of malicious files in XcodeGhost we have available, and didnâ(TM)t find any one of them specified this property when prompting the alert dialog. Hence, current XcodeGhost cannot be directly used for iCloud password phishing.

    9. Re: Actually, the opposite by ilsaloving · · Score: 1

      *pat pat* There there.

      You have the support of people who actually look at code for a living. :)

    10. Re: Actually, the opposite by Rosyna · · Score: 1

      Wait, you seriously said, "Sure, while XcodeGhost doesn't do anything they say XcodeGhost does, a totally different piece of malware could possibly do it in the future. Maybe."?!

      Then in what way would that have anything to do with XcodeGhost, which these articles are about?

      The entire reason an Xcode infected with malware even ran is because the developers that fell for it had to explicitly bypass gatekeeper (Mac OS X's built in anti-malware), which otherwise prevents the infected Xcode from launching.

    11. Re: Actually, the opposite by Rosyna · · Score: 1

      If they had done it, it wouldn't have been the same malware or the same code. These articles are about the actual XcodeGhost malware in the wild. Not some made up version everyone seems to wish existed.

    12. Re:Actually, the opposite by gnu-sucks · · Score: 1

      Ok, I read the article you linked to. Very interesting.

      What I do not understand is how the source code was "found". I understand how to use a disassembler, but that would not yield such readable code.

      Can you comment on this?

      Thanks for linking to the article.

    13. Re:Actually, the opposite by gnu-sucks · · Score: 1

      I think I answered my own question, and the answer is obvious:

      They distributed this malicious program as an SDK with source code inside the Xcode install. So it's not just a binary library that gets linked against, it's the code too. Is that correct?

    14. Re: Actually, the opposite by Rosyna · · Score: 1

      The author of XcodeGhost released the source after they heard what was happening. It includes an apology at the bottom (in Chinese) that makes it seem like it was just a proof of concept and he had no intention of it getting out but was picked up and spread via Baidu by others.

      The PoC angle would explain why it looks so damn much like any other basic analytics package. This is also likely why Apple's app scanners didn't pick it up, it doesn't do anything that's not permitted. The only weirdness is that it tries to hide from the debugger, but that's also done by legitimate apps that use DRM.

      I found about about the code on GitHub from a fellow Mac/iOS developer/reverse engineer. As for getting samples of the actual infected Xcode, the author of the Palo Alto Networks article uploaded it to his DropBox account so others could confirm the findings and detect the malware. That's where I got the infected Xcode from for my own tests.

    15. Re: Actually, the opposite by angel'o'sphere · · Score: 1

      Gatekeeper is not preventing third party apps from launching, it only asks: "look, this is a third party app, downloaded from the internet, do you want to launch it anyway?"
      Guess what I answer: yes!

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    16. Re: Actually, the opposite by Rosyna · · Score: 1

      That Palo Alto article has been updated it now includes

      UPDATE September 21: In the current version of the code, XcodeGhost cannotbe directly used to phish iCloud passwords.

    17. Re: Actually, the opposite by Rosyna · · Score: 1

      So where exactly is the OK or Open button on the dialog I just posted a screenshot of?

    18. Re: Actually, the opposite by k2r · · Score: 1

      checks the signed hash of the application against the current hash and keeps the application from starting if it differs because obviously something altered the application.
      You can override this and it will not ask you again.

      You can configure which kind of signature to accept: Only App-Store Applications or any registered developer.
      Or you can switch it off completely, which is stupid.

      What you mentioned are the file-quarantine extended attributes that are set by Safari et al if a file has been downloaded from the net.
      On the initial run of a quarantined binary this enforces verifying the users intention and a check against a list of known malware.
      Files from some known well-known applications are quarantined per default or developers can turn this feature on for their application.
      This is a measure against unintentional execution of unknown binaries (drive-by-download?) and - again - it can be disabled.

    19. Re: Actually, the opposite by angel'o'sphere · · Score: 1

      Why do you ask? It is a damaged executeable ... or so the dialog says.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    20. Re: Actually, the opposite by angel'o'sphere · · Score: 1

      Or you can switch it off completely, which is stupid.
      Care to explain why? I know what I download from where and can judge how safe it is.

      (drive-by-download?)
      What is that supposed to be?

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    21. Re: Actually, the opposite by Rosyna · · Score: 1

      Why do you ask? It is a damaged executeable ... or so the dialog says.

      Is this some kind of weird, surreal art project of yours? You just asked in response to my post that included a screenshot of the dialog:

      Gatekeeper is not preventing third party apps from launching, it only asks: "look, this is a third party app, downloaded from the internet, do you want to launch it anyway?"
      Guess what I answer: yes!

      There is no OK, Open, or "Yes" button on that Gatekeeper dialog.

    22. Re: Actually, the opposite by angel'o'sphere · · Score: 1

      Yes, and your dialog does not show up because you started a downloaded application, it shows up because the file you try to start is damaged!!!

      So again, what is it you want to say? I don't get it.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    23. Re: Actually, the opposite by Plumpaquatsch · · Score: 1

      So what you're saying is that it was possible, but for some reason the original malware writers decided not to?

      Probably because that would have led to the malware being detected by Apple's app checking, resulting in the loss of bragging rights for "First major malware attack on Apple's App Store".

      --
      Of course news about a fake are Fake News.
  3. Re:Apple is for cows by sexconker · · Score: 1, Troll

    It's not, moron. I don't post AC like you do, and I haven't mooed in a long time because I got bored of it.
    Feel free to peruse my history - I've mooed many times under my name, yet you keep linking to one example as if it were a slip up you "caught".

  4. Re: UUID can be generated by Rosyna · · Score: 2

    The name might be (although it's easy to change it to an arbitrary value in Settings -> General -> About and can't really be considered a unique value), but the identifierForVendor is not. It's only the same for apps with the same bundle ID prefix on a device (apps from the same developer). Different infected apps will have entirely different identifiers.

  5. Poor mans ken Thompson attack by goombah99 · · Score: 2

    yawn. This is vaguely interesting in the sense it's novel for using a ken Thompson compiler attack. But it's not an apple problem but a cheapskate developer problem . Morons saved themselves $99 dollars and use unsigned non apple compilers. Dumbasses. Apple just figured out there's dumbasses submitting code. Should be easy to detect non official compilers in the future I would think.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re: Poor mans ken Thompson attack by Anonymous Coward · · Score: 2, Insightful

      NO. NO. NO. It isn't even a cheapskate developer problem.

      They did not save themselves $99. They saved nothing except the time it took to download from Apple's servers vs local China servers.

      To submit an app, you have to pay. To download Xcode, you do not have to do so. So if their app is in the app store, no matter where they got the dev environment, they had to pay to submit an app (or any number of apps).

      It is a stupid developer problem, OR a smart Chinese government who slowed downloads via the great firewall enough to get people to download infected local copies.

    2. Re: Poor mans ken Thompson attack by macs4all · · Score: 1

      yawn. This is vaguely interesting in the sense it's novel for using a ken Thompson compiler attack. But it's not an apple problem but a cheapskate developer problem . Morons saved themselves $99 dollars and use unsigned non apple compilers. Dumbasses. Apple just figured out there's dumbasses submitting code. Should be easy to detect non official compilers in the future I would think.

      They didn't save themselves $99 (631 Yuan). XCode is FREE; the Developer License costs money.

    3. Re: Poor mans ken Thompson attack by Rosyna · · Score: 2

      It's not that they were trying to bypass a payment (Xcode is free to download). It's that Apple's severs are just so damn slow if you can't get access to their content distribution network. Sadly, this is pretty much the case of everyone in China due to the Great firewall of China that strangles access to non-China networks.

      It also used to be true if you used Google DNS because previous primary Apple's CDN, Akamai, used DNS to route traffic. In that case, many developers would rather use BitTorrent to grab Xcode than to disable Google DNS.

      The real issue is the fact that these developers disabled Gatekeeper. Gatekeeper would have prevented infection.

  6. Re:ZOMG, Apple can have malware by macs4all · · Score: 1

    It is funny, how people believe that Apple somehow protects them from malware. In reality, all the testing done in their appstore concentrates on verifying that apps do not have a mechanism for payments that bypass Apple. Anything is ok as long as Apple gets their cut.

    Citation, hater?

  7. Gatekeeper by k2r · · Score: 1

    The first word would have been

    "Gatekeeper"

  8. Re: UUID can be generated by MatthiasF · · Score: 1

    Having a UUID on a per Application or Developer basis is in fact better for the attacker. Then they can carefully create a phishing dialog that fits in with the design or behavior of that particular App or package and then associate any information garnered from the user to the particular device and app installation.

    Without the altered library inside the actual app, they cannot do this because apps are jailed (or whatever Apple calls it).

  9. Re:ZOMG, Apple can have malware by Ravaldy · · Score: 1

    Don't you hate those haters who can't be impartial?

    Of course all platforms have holes at one point in time. No need to invent some or pray for one just because one's platform of choice is inferior or appears inferior to Apple's or any other for that matter.

    For one, I mostly work in the MS world because that's what I specialized in. Today it's rewarding but I have no trouble pointing out it's weaknesses and other OSs strengths. That's what good tech people do. They advise the best tech for the job.

  10. Re: UUID can be generated by Rosyna · · Score: 1

    They have the app name, there's no reason to do that with a UUID

    But as I mentioned before, there's no phishing support in XcodeGhost as their use of UIAlertView doesn't allow for any text input fields. Even if a different malware tried to phish with a fake dialog, real Apple ID password dialogs on iOS never have a blank entry for the username, it's always part of the dialog text because iOS knows what your Apple ID is. This makes it significantly easier to not be fooled by just taking a cursory glance of the dialog.

  11. The real story is OS X, or something ain't right by Stewie241 · · Score: 1

    The real story is OS X and somehow Apple getting signed code wrong. Maybe some folks had a connection that was super slow and had trouble getting XCode directly from Apple.

    However, presumably, the people using XCode are developers. And somehow, they managed to install software that was presumably not properly signed.

    Which really makes one worry about the state of mobile development.

    On the other hand, the fact that one could build apps, compile them a little bit different and slip them into the app store is a little concerning. Maybe it was the fake XCode author, maybe it was the app developer, but obviously something isn't being sniffed out right during app vetting.