back to article iCloud phishing attack hooks 39 iOS apps and WeChat

Millions of Apple users are at risk from malicious yet legitimate apps uploaded to the official App Store, which are being used in "unprecedented", live iCloud phishing attacks. The 39 identified apps, including WeChat one of the most popular instant messaging clients in the world, were compiled using a malicious version of …

  1. Ian 62

    What hope do we have for the general public to understand computer security, if 'professional' devs are downloading materials for their jobs from unknown and untrusted sources!

    1. MikeGH

      Code Signing

      Surely the download would have been signed by Apple and the fact it wasn't (and the hash didn't match)( should have meant any developer didn't use it.

      1. Dan 55 Silver badge

        Re: Code Signing

        Putting aside the stupidity of a developer downloading XCode from somewhere else which should get them immediately cast out from the Guild of Keyboard Bashers never to return, you'd have to click on the padlock in the corner of the installer window and check the certificate to find out it's been signed by a developer other than Apple.

        Perhaps something which is worth taking out of the hands of Jony Ive. First page, big huge font, "This installation file was signed by: 4pp13, 1nc. who has been a registered developer with Apple for 8 hours. Are you really sure you want to pwn your computer?"

      2. Mike Bell

        Re: Code Signing

        OK, the developers were stupid and reckless to use an unauthorised compiler.

        But... the code it produced still managed to get past App Store security checks. That's a big deal, and Apple will no doubt be smelling the coffee today. What goes into the App Store should be demonstrably kosher, and the use of a fake compiler should be detectable during app submission.

    2. Bob Vistakin
      Facepalm

      Even worse - smug western fanbois wave their ponytails in contentment saying "it's ok, it's only China." But think about this: there was no warning. These apps passed the same stringent human-inspected tests the western app stores do. How to we know this hasn't happened already "over here" and we're just waiting for the big one?

      A walled garden that lets malware in? That's Thinking Different. all right.

    3. This post has been deleted by its author

  2. Sanctimonious Prick
    Alert

    Umm...

    Fuck!

    1. Bob Vistakin
      Headmaster

      Re: Umm...

      You can say that again.

  3. This post has been deleted by its author

  4. TeeCee Gold badge
    Facepalm

    Social engineering?

    They fell for: "Looky!! Is fazter downloady heres in moody cyberlockers[1] for dis ting wot u needs."?

    And these are supposed to be developers who know their stuff?

    God help us. We really are truly fucked.

    [1] Rule 1. If there's a direct download link in a forum post which goes to anywhere with a cavalier attitude to what's shared and it's an executable, caveat emptor (as in test in a VM while wearing rubber gauntlets before letting it anywhere near anything you give a shit about). Then again, if you actually get to the download before your machine's pwned via the browser, you can count that as a win.

    1. Sooty

      Re: Social engineering?

      >>And these are supposed to be developers who know their stuff?

      Unfortunately, I work as support for developers who supposedly know their stuff, when they get stumped by errors such as system is down, make sure it's running before trying this. I have to explain in detail how to start the system they develop the code for.

      I often have to explain in detail basic stuff that anyone employed in the field for more than a day should know inside and out.

      I believe many of them are straight out of university and get a 1 day language primer course before being supplied by the agencies as experienced senior developers. Nothing that the code they generate did strangely would surprise me.

  5. Frank Bitterlich
    Facepalm

    I need the list of affected apps...

    ... just to compile a personal blacklist of app developers whose apps I'll never use or download again.

    Because if their devs are so utterly clueless, their apps are dangerous even without this compromise.

    @TeeZee: God help us. We really are truly f...ed. Indeed.

    1. Britt

      Re: I need the list of affected apps...

      Fair call.

      Probably a good chance they have made apps for Android as well.

      While not using infected code, their lax take on security is universal.

    2. D@v3

      list of affected apps...

      http://forums.macrumors.com/threads/what-you-need-to-know-about-ios-malware-xcodeghost.1918784/#post-21896151

  6. tekatronic

    iOS 9 update??

    If a user already has WeChat on their iPhone, and updates to iOS 9, which in turn means upgrading the WeChat app, does this mean they will be infected?

    It's not clear what the timeline was for the outbreak. Are users who have had WeChat on their phone for 2 years or more safe? Did the "infected" version of WeChat only affect users who recently added the app to their phone?

    Did the virus spread through regular updates? Or only from the app store on new downloads??

    1. DougS Silver badge

      Re: iOS 9 update??

      The timeline was like this:

      Original version of Wechat developed and uploaded to app store, using Apple's tools

      Subsequent versions of Wechat developed and uploaded to app store, using Apple's tools

      Wechat developer follows some random link in a forum for the 4GB Xcode download, instead of downloading from Apple like he should, because the latter is too slow

      Wechat developer compiles version(s) of Wechat using the dodgy Xcode, and uploads them to app store

      So you're fine if you downloaded it two years ago but haven't been updating it. If you update it every time a new version is on the app store, you may have a bad version, since there was a bad version of it on the app store for a while. If the version you have is newer than the one on the app store, you should delete it. If you the version you have is older than the one on the app store, update.

      Simply having it on your phone isn't a problem though, the bad code only affects it while you're running it, and due to the app sandboxing it isn't like it is able to get into your banking app and steal your money.

  7. artbristol

    Cheap CIA knockoff

    Isn't this - backdooring Xcode - exactly what the CIA were planning?

    http://www.theregister.co.uk/2015/03/11/cia_apple_hacking_campaign/

  8. Anonymous Coward
    Anonymous Coward

    For those concerned

    The BBC have now updated this story

    http://www.bbc.co.uk/news/technology-34311203

  9. Version 1.0 Silver badge

    Snowden's Law

    Once you own the compiler then the world is your oyster. I'd be surprised if this is the only example of this type of attack - we just haven't discovered the others yet.

    Snowden's Law - If it's a computer, it is - by definition - insecure.

    1. This post has been deleted by its author

    2. Anonymous Coward
      Meh

      Re: Snowden's Law

      You mean like pwnage in every program compiled using the C compiler from its very beginning? Snowden is far and away not first to make this observation.

  10. DougS Silver badge

    What should Apple do to fix this?

    There are a few things I can think of:

    1) Have some sort of caching server containing the dev tools inside the Great Firewall so downloads are quicker, since that seems to have contributed to the desire to download them from websites instead of directly from Apple.

    2) Have the install process check the integrity of the installation files over the internet with Apple (i.e. make HTTP connection to *.apple.com to grab the signatures of all the binaries) If there's no internet access available at install time, it will try to do that check later - and will NOT allow using a developer key to sign the compiled binaries (required for app store submission) until this has been verified.

    Anyone think of anything else?

    1. Dan 55 Silver badge

      Re: What should Apple do to fix this?

      Have the developer upload the source code and resources and Apple compiles them.

      1. DougS Silver badge

        Re: What should Apple do to fix this?

        I think some devs would be a bit put out by such a requirement, and their lawyers would hate it as it would open them up to potential copyright lawsuits if Apple added functionality to iOS that bears any resemblance to what a submitted app does. Can you imagine Microsoft submitting source code for Office to Apple?

        Apple is requiring apps for the Watch be submitted as LLVM bitcode, which is semi-compiled format that might (or might not, I really don't know) avoid this sort of attack since Apple would do the final compilation to machine code. It would also allow them to re-optimize the code to improve app performance or fix issues by compiler bugs. Maybe they'll start requiring that for iOS apps eventually, but requiring source code, no way they ever will.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019