Apple XcodeGhost Malware More Malicious Than Originally Reported

← Back to Stories (view on slashdot.org)

Apple XcodeGhost Malware More Malicious Than Originally Reported

Posted by samzenpus on Tuesday September 22, 2015 @05:48AM from the how-bad-is-it dept.

An anonymous reader writes: Details were scant when Apple confirmed the XcodeGhost malware had infiltrated the iOS App Store. The company didn't say which specific iOS vulnerabilities were exposed and didn't indicate how its iPhone users were affected. However, a Palo Alto Networks security analyst is reporting that XcodeGhost had been used to phish for iCloud passwords, and more specific details are emerging. According to the Networkworld article: "URLs can be sent to the iOS device and opened. This isn't limited to HTTP and FTP URLs, but includes local URLs, such as itunes:// and twitter:// that iOS can be used for inter-app communications. For example, this could be used to force automatic phone calls to premium phone numbers, which can charge up to $1 per minute in some cases. Some iOS password manager apps use the system clipboard to paste passwords into the login dialog. As another example, the XcodeGhost malware can read and write data in the user's clipboard, which would allow it to snatch a password."

13 of 79 comments (clear)

Min score:

Reason:

Sort:

Why would any developer ever download this? by Anonymous Coward · 2015-09-22 05:56 · Score: 3, Interesting

Seriously. Xcode is beer as in free, yes it used to cost $5 many years ago because of weird accounting but that was a long time ago. Why would anyone ever download Xcode from the Apple Developer web site or the Mac App Store?
1. Re:Why would any developer ever download this? by Anonymous Coward · 2015-09-22 05:58 · Score: 2, Informative
  
  As all the stories clearly said it was because it took a long time to download via official channels so they went with an unofficial one which had local servers and much better speed. In hindsight a bad decision but at least you can see why someone would consider it.
  
  On another topic, the headline is too long. It can be shortened to Apple more malicious than originally reported.
2. Re:Why would any developer ever download this? by k2r · 2015-09-22 06:32 · Score: 2
  
  > Why would anyone ever download Xcode from the Apple Developer web site or the Mac App Store?
  I think the current theory is that the big firewall of china made the download so slow that people used local copies.
3. Re:Why would any developer ever download this? by Hattmannen · 2015-09-22 08:03 · Score: 3, Insightful
  
  Slow download and installation using the official channels does not even begin to describe it. I did some work in Xcode this spring. Two and a half hours it took to install the bloody thing even with a quick and stable connection.
  Two days later I had to install a new update to be able to continue my work. Thankfully that only took slightly more than an hour.
  In hindsight it was a good thing that I didn't grab it from an unofficial source, but man, was it ever so tempting.
  
  --
  People are not wearing enough hats.
4. Re:Why would any developer ever download this? by Gr8Apes · 2015-09-22 11:43 · Score: 2
  
  For doing anything with a Mac, you really need an SSD and 16GB of RAM. Once you have that, OSX works beautifully, and XCode starts up instantly. Without an SSD and plenty of RAM, you're fucked.
  That is true for any system. I ran a cleaned XP on an SSD - it's amazing how fast it is. Same with Win7. Or Linux. Or OS/2 (in a VM even). It's amazing what a 10 fold increase in disk I/O and a 100 fold decrease in latency will do for performance.
  
  --
  The cesspool just got a check and balance.
Actually, the opposite by Rosyna · 2015-09-22 05:57 · Score: 5, Informative

It's actually the opposite. It's much, much less malicious that people say. The source code is available.
For one, it cannot be used for phishing attacks. The UIAlertView is shows has no text input fields and it never attempts to get anything from the dialog other than the integer value of the button that was pressed.
It also cannot get the UDID of the device because it uses -identifierForVendor which is a UUID that is specific to that specific app, so it can't be used to track users. iOS can and will change it.
It can't be used to dial premium services either as iOS always shows a dialog when opening telephone URLs and iOS 9 always shows a dialog when using URLs that open another app. But the fact it can open Twitter so what? It can't do anything with that. It can't control Twitter.
This functionality was actually designed to open the App Store so the user can review/rate the app or to show users similar apps.
It's even significantly less bad than most ad/analytics packages.
1. Re: Actually, the opposite by Rosyna · 2015-09-22 06:25 · Score: 2
  
  It seems you didn't actually bother to look at the source code? It doesn't not attempt to phish anything. I even linked to the precise line of code for the alert creation.
2. Re: Actually, the opposite by Rosyna · 2015-09-22 06:43 · Score: 4, Informative
  
  Because you can verify that it's the same code by simply looking at the disassembly in the Palo Alto Networks articles?
  The author of said article confirmed it was the same source code and updated his post after I pointed out the discrepancy.
3. Re: Actually, the opposite by Rosyna · 2015-09-22 06:45 · Score: 3, Informative
  
  First, I'm not "some poster" and two, I'm suggesting you read the updated article that says phishing is not possible with XcodeGhost.
Re: UUID can be generated by Rosyna · 2015-09-22 07:13 · Score: 2

The name might be (although it's easy to change it to an arbitrary value in Settings -> General -> About and can't really be considered a unique value), but the identifierForVendor is not. It's only the same for apps with the same bundle ID prefix on a device (apps from the same developer). Different infected apps will have entirely different identifiers.
Poor mans ken Thompson attack by goombah99 · 2015-09-22 07:22 · Score: 2

yawn. This is vaguely interesting in the sense it's novel for using a ken Thompson compiler attack. But it's not an apple problem but a cheapskate developer problem . Morons saved themselves $99 dollars and use unsigned non apple compilers. Dumbasses. Apple just figured out there's dumbasses submitting code. Should be easy to detect non official compilers in the future I would think.

--
Some drink at the fountain of knowledge. Others just gargle.
1. Re: Poor mans ken Thompson attack by Anonymous Coward · 2015-09-22 07:39 · Score: 2, Insightful
  
  NO. NO. NO. It isn't even a cheapskate developer problem.
  They did not save themselves $99. They saved nothing except the time it took to download from Apple's servers vs local China servers.
  To submit an app, you have to pay. To download Xcode, you do not have to do so. So if their app is in the app store, no matter where they got the dev environment, they had to pay to submit an app (or any number of apps).
  It is a stupid developer problem, OR a smart Chinese government who slowed downloads via the great firewall enough to get people to download infected local copies.
2. Re: Poor mans ken Thompson attack by Rosyna · 2015-09-22 08:32 · Score: 2
  
  It's not that they were trying to bypass a payment (Xcode is free to download). It's that Apple's severs are just so damn slow if you can't get access to their content distribution network. Sadly, this is pretty much the case of everyone in China due to the Great firewall of China that strangles access to non-China networks.
  It also used to be true if you used Google DNS because previous primary Apple's CDN, Akamai, used DNS to route traffic. In that case, many developers would rather use BitTorrent to grab Xcode than to disable Google DNS.
  The real issue is the fact that these developers disabled Gatekeeper. Gatekeeper would have prevented infection.