XCodeGhost iOS infection toll rises from 39 to a WHOPPING 4,000 apps

The number of XCodeGhost-infected iOS apps, initially pegged at 39, has ballooned to more than 4,000. The staggering increase was the handiwork of analysis by FireEye researchers who said that the apps were being hosted on the official Apple App Store. "Immediately after learning of XcodeGhost, FireEye Labs identified more …

  1. I_am_Chris

    Google Play immune?

    "The more rigorous testing regime required before an iOS app can be published has always been considered to be the reason for this difference, but in this case it seems to have fallen short."

    Although the above statement is true, how do we know that the Play Store isn't similarly affected? Has anyone thought to do a similar scan there?

    1. Anonymous Coward

      Re: Google Play immune?

      Play has had plenty of compromised Apps in the past, so don't feel left out if you own an Android device.

    2. Bob Vistakin
      Holmes

      Re: Google Play immune?

      It's this "rigorous testing" which puzzles me. The whole thing sounds really phishy (sorry). What I mean is, say you find an app with malware. How can you tell if that malware has been added unknowingly by infected build tools, or knowingly by an evil developer using legit tools? Apps are apps, and do things apps do as per any software no matter how they were created. What on earth can an infected build tool do to an app that a sneaky developer can't, to the extent it waltzes through Apple's defenses this way?

      1. Indolent Wretch

        Re: Google Play immune?

        The "rigorous testing" has always puzzled me more than that. Apps are apps and determining what is malware and what is the normal functioning of the app is a very fine line. Reading some phone information and transferring it via the Internet is hardly an unusual scenario for any app.

        It's not like Apple have a crack team of security experts decompiling the code. The apps are being checked for basic functionality, carefully checked to ensure market rules are followed and Apple gets their cut and run through an automated scanner to show anything "dodgy". That "dodgy" detector can't be the hardest thing to avoid especially if you aren't using off the shelf malware libraries.

        1. Bob Vistakin
          Facepalm

          Re: Google Play immune?

          Yeah, and as usual it turns out Apple were telling David Hamerons when it comes to how serious things are. Reports of how bad the malware really is are coming out now, as well as the 4k+ numbers as reported by El Reg.

        2. Anonymous Coward

          Re: Google Play immune?

          Apple certainly doesn't have a crack team of security experts decompiling the code, they (and Google and Microsoft) have automated static code analysis tools that do this and check for malicious behaviour.

          1. anonymous boring coward

            Re: Google Play immune?

            Yeah, but they do have a "crack team of security experts" that make the static code analysis tools.

            I bet these security experts are quite busy at the moment.

            1. Mark 85

              Re: Google Play immune?

              Sort of reminds one of the phrase "top men" and where that image came from, doesn't it?

    3. PassiveSmoking

      Re: Google Play immune?

      The simple answer is we don't. It's entirely possible that there's a malicious version of the Android dev tools floating around, probably in some nation where downloading it from an official source is problematic due to firewall restrictions or the quality of connections simply being crappy.

    4. Jeffrey Nonken

      Re: Google Play immune?

      If it turns out that Google Play is similarly infected, I'm sure Apple will sue them for copying core functionality or user experience or something.

  2. Known Hero
    Joke

    So WTF! Everything about Apple is better now???

    Their walled garden, their apps, their lives .. Even their malware !!!

    On a serious note, to keep that kind of infection & data harvesting under wraps is pretty damn clever.

  3. tirk
    Unhappy

    Not entirely surprised

    I thought it would be much bigger than the original 50 or so when I saw that list included WinZip. I suppose I can see how a Chinese small developer might end up downloading Xcode from a dodgy Chinese language site, but WinZip is from Corel, who are Canadian.

    Outsourcing development, perhaps??

    1. Joerg

      Re: Not entirely surprised

      "Not entirely surprised

      I thought it would be much bigger than the original 50 or so when I saw that list included WinZip. I suppose I can see how a Chinese small developer might end up downloading Xcode from a dodgy Chinese language site, but WinZip is from Corel, who are Canadian.

      Outsourcing development, perhaps??"

      Only a criminal would download XCode not from Apple servers.

  4. Ralph B

    Change Your Password

    According to MacRumors: iOS users should immediately uninstall any infected iOS app listed here on their devices, or update to a newer version that has removed the malware. Resetting your iCloud password, and any other passwords inputted on your iOS device, is also strongly recommended as a precautionary measure.

  5. MassiveBob

    Apple Pie

    The image I have is of the pie chart that Apple CEO Tim Cook used at the WWDC - which showed that Android had 99% of the mobile malware market.

    I wonder how much of that pie Apple has eaten away at because of this malware outbreak??

    1. Joerg

      Re: Apple Pie

      "Apple Pie

      The image I have is of the pie chart that Apple CEO Tim Cook used at the WWDC - which showed that Android had 99% of the mobile malware market.

      I wonder how much of that pie Apple has eaten away at because of this malware outbreak??"

      And no one wonders who is behind all this XCode scam, uh?

      Any legit developer would have no reason to download and install any XCode copy from servers that wouldn't be the official Apple ones.

      Competitors are trying to attack Apple with this mess they created on purpose.

      It is just so obvious.

      1. Steven Raith

        Re: Apple Pie

        "Competitors are trying to attack Apple with this mess they created on purpose.

        It is just so obvious."

        So it's either a carefully considered piece of corporate espionage inflicted by Apple's competitors....or, more likely, someone saw a company crowing about being malware free, a subsequently naive userbase and developer base who get to hand off security responsibility to the publishers, and thought "hey, I wonder if that'd work....let's try it" before throwing together a hokey copy of xcode and pushing it up on torrent sites.

        Clever? No doubt. Chances of it being Google behind it? Somewhere between hilariously slim and absolutely fuck all.

        Steven R

        1. Mark 85

          @Steven R -- Re: Apple Pie

          For how many years have we heard the fanbois yelling about how secure their equipment and software was? For how many years have we heard that the share of the market by Apple wasn't worth the effort in the target-rich environment that is Windows?

          Well, that particular buzzard has decided the Apple market is worth cracking. I agree with you on it not being a competitor and I'll add, not a TLA. Just market forces in the malware world at work have finally set their sights on Apple. At some point, Linux will be a target.... Android already is one.

      2. MassiveBob

        Re: Apple Pie

        @Joerg

        And no one wonders who is behind all this XCode scam, uh ?

        It could be anyone really.

        It could be the US Government eavesdropping on the Chinese.

        Equally, it could be the Chinese Government testing out a new weapon on their own people before unleashing it out on to the world.

        Post anonymously? ....Whoops

      3. Vic

        Re: Apple Pie

        It is just so obvious.

        Something round here certainly is...

        Vic.

      4. W.O.Frobozz

        Re: Apple Pie

        That's right. It HAS to be someone else. A nefarious competitor. It's NEVER Apple's fault. Ever. Google is just so jealous that they hired a Chinese hacking team to compromise Apple tools. Sure. Must be. Apple is perfect. Steve is perfect. All hail Steve.

  6. anonymous boring coward

    I don't see why the Android IDE couldn't be compromised just as easily as Xcode?

    Perhaps it has already. Or, Android is so easy to crack that it hasn't been necessary yet.

    1. Thecowking

      Android Studio is Apache licensed, so you can see the source. And crucially you can get it from mirrors easily enough and check the MD5.

      It's also much smaller, which helps.

      1. tirk
        Facepalm

        "And crucially you can get it from mirrors easily enough and check the MD5."

        It appears that plenty of developers were happy to download XCode from dodgy Chinese sites without any checks. Are you really suggesting that all Android devs are likely to be different? Unless they are, the same attack vector exists, and no amount of Apple-bashing denialism changes that.

        1. Indolent Wretch

          Re: "And crucially you can get it from mirrors easily enough and check the MD5."

          Whenever Android has any sort of hack it gets bashed to bits by people desperate for walled gardens.

          I don't think anybody here is suggesting that Android is immune or that Android devs are all super hackers clued up to the max on security.

          Neither do I think that pointing out that the perfect walled garden of security heaven was in the end just as vulnerable to hacks albeit possibly needing more effort is not Apple bashing denialism.

          Human vectored attacks like this are always a possibility, speaking as someone who has had to download that monstrosity of an Xcode development kit more than once and imagining what some of these devs in China have for an Internet link I'm not surprised the lure worked.

        2. Thecowking

          Re: "And crucially you can get it from mirrors easily enough and check the MD5."

          It was asked if there was any reason the Android IDE couldn't be cracked in the same way. Whether the way is used is not the question asked. It's not an anti-Apple polemic, just an answer to a question.

      2. Joerg

        "Android Studio is Apache licensed, so you can see the source. And crucially you can get it from mirrors easily enough and check the MD5.

        It's also much smaller, which helps."

        Really nonsense.

        1. Thecowking

          Joerg: what was nonsense that I wrote?

          If I have something wrong with the licensing terms and verifiability of the tools I use, I'd like to know. So if you can enlighten me as to the error, I'd be grateful.

        2. Brewster's Angle Grinder

          @Joerg You're bringing the tone down, and that's a really hard thing to do round here. Even Eadon had comedy value; you're just a stuck record.

      3. anonymous boring coward

        It's a good answer, but surely it wouldn't be hard to spread some doctored Android Studio and some fake MD5 hashes around? Infiltrate Github or wherever they keep the source.

        1. Thecowking

          You could drop fake MD5s around, but if you've gone to the trouble of checking an MD5, you'd do it from the Google site.

          I doubt that Google would accept a pull request from a random contributor to their repo without at least a cursory audit. You could, however, just host a mirror with a compromised binary, most people really won't check.
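The check Thecowking and anonymous boring coward are arguing about, as an added example that is not part of the original thread and not Google's or Apple's tooling: a small POSIX shell script that refuses to unpack a downloaded toolchain archive unless its digest matches the value taken from the vendor's own download page. It assumes the expected digest was copied from the vendor page and not from the mirror that served the file, since a mirror that can swap the binary can also swap a hash sitting next to it. It uses SHA-256 rather than the MD5 the comment mentions, because an MD5 match only shows the file was not corrupted in transit. The file name and digest in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread or from any vendor: verify a
# downloaded toolchain archive against the digest the vendor publishes.
# Assumption: EXPECTED was copied from the vendor's own download page, not
# from the mirror that served the file.

# Print the SHA-256 hex digest of a file; portable across macOS (shasum)
# and Linux (sha256sum).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_download FILE EXPECTED_SHA256
# Exit status 0 only when the digest matches (hex compared case-insensitively),
# 1 on mismatch, 2 when the inputs themselves are unusable.
verify_download() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case $expected in
        *[!0-9a-f]*|'') echo "verify_download: expected digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "verify_download: expected digest is not 64 hex chars" >&2; return 2; }
    [ -f "$file" ] || { echo "verify_download: no such file: $file" >&2; return 2; }
    actual=$(file_sha256 "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file  sha256=$actual"
        return 0
    fi
    echo "FAIL $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Usage (placeholder file name): verify first, unpack only on success:
#   sh verify.sh android-studio-ide.zip "$EXPECTED" && unzip -q android-studio-ide.zip
if [ "$#" -eq 2 ]; then
    verify_download "$1" "$2"
fi
```

The point of the script is the `&&`: the archive is never unpacked on a mismatch, so a mirror serving a modified binary fails closed instead of relying on the developer to read the hash and compare it by eye.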

  7. Joerg

    Who is behind this scam? Competitors indeed...

    This is a criminal act. Only competitors would gain something out of this mess they created on purpose.

    In order to get any illegal authorization key to work on XCode there is need for someone inside Apple doing the dirty job and allowing those keys to be authorized so that a fake infected XCode with the virus can be used.

    Then the same criminals inside Apple working for competitors would do more dirty job so that any of those illegal apps with the virus sent to Apple would pass both automatic and manual reviews with no warnings at all.

    That is the only way all this scam could have been done. And it is what happened. Clearly.

    Apple must sue everyone involved, ban everyone involved and find out who is behind all of this.

    1. anonymous boring coward

      Re: Who is behind this scam? Competitors indeed...

      Are you pointing a finger at Xiaomi or Samsung? ;-)

      Xcode was compromised (in separate binaries distributed not from Apple), there really was no need for any insider within Apple.

    2. Grikath
      Devil

      Re: Who is behind this scam? Competitors indeed...

      Well tried, Joerg... But still no Eadon..

      Needs more formatting and frothing..and... emphasis..

      But here's a cookie for the attempt.

  8. Alan Denman

    The more rigorous testing regime =

    fanboys say so.

    Anyway, nothing whatsoever is a problem, the worst that can be said is that it is a feature.

  9. Bota

    I can't wait to share this..

    With my classmate who just last week was telling me "because Apple care about their users, not like Google there would never be a huge pwning of the app store".

    I'm on the way to class now as it goes. A small part of me inside is smiling.

    P.S I don't care what you may or may not own, but when you wave it at everyone announcing it can heal the world and anyone who doesn't have one must hate children, dogs and progress I take issue.

    1. Anonymous Coward

      Re: I can't wait to share this..

      Annoying, of course, when someone seems to brag. But I think they do have some reason to feel good about their Apple kit anyway. Apple does in fact care a great deal about their customers, and their own reputation of course.

      Android IS fragmented into phone manufacturer versions, and carrier versions, which makes the update process slow, or non-existent. But Android phones can be had for a lot less, which is a huge plus for many.

      In comparison, if you have a relatively new (4S, ancient for some I suppose) iPhone you still get the latest iOS updates promptly. So generally iPhones hold their value better.

      Someone correct me if I'm wrong, and some Android phone manufacturer matches Apple's update and patch frequency, and on older phones?

  10. Crazy Operations Guy
    Joke

    Couldn't happen to Windows Phone

    Someone would notice that there are 4000 apps in the store...

  11. Crazy Operations Guy

    Wasn't HTML5 supposed to fix all this?

    I thought that one of the goals of HTML5 was so that complex apps could be coded in a platform-agnostic way. What ever happened to that?

    1. rvt

      Re: Wasn't HTML5 supposed to fix all this?

      HTML5 uses javascript... cool, but not if you need to have some performance out of an app, even if it's just for simple animations like next screen and all that.

      I have tried some of the more famous HTML5 app developer tools and none of them give that nice native user experience you get when you code in the phone's 'native' language.

      Each time you click something in an HTML5 app you just notice that slight delay, that little hiccup.

      Sure sure, it's possible to make very fluid HTML5 apps, but that's much harder to do than in its native form. For one, if you program natively you can execute multiple threads by FAR more easily than using HTML5 and javascript.

    2. Brewster's Angle Grinder

      Re: Wasn't HTML5 supposed to fix all this?

      rvt begins to answer the question: idiots can't write great apps with zero effort.

      A second problem is the Android legacy. The Android 4.0.4 browser really didn't perform well and made writing fluid apps tricky. (There were some hacks; but it will suddenly stall.) And 4.4 is the first version of Android to have threads so you were using the UI thread for everything (although I think the design of the threading API promotes good design). As of Android 5.0 the browser updates independently of the OS. And latest versions of Chrome perform really well; there's no trouble.

      Similarly Apple were slow in providing a decent javascript engine. (The app would run faster in Safari than as a standalone app because Nitro was only available in Safari.)

      But I'm doing polynomials with hundreds of terms and the performance is fine on a modern OS. And animation is great if you use the new APIs.

  12. aaaa
    Unhappy

    Build systems?

    What commercial software company would dare allow a developer machine to create a customer build? Requiring a 'pristine' build environment is software engineering 101. To install this Trojan Xcode they had to turn Gatekeeper off. No QA manager - no programmer worth employing does this in a build env. I can pardon it (only just) on a random dev laptop - but not a build machine. Please publish this list of companies far and wide - so we all know to avoid anything they ever produce ever again. Have we learned nothing about software engineering in the past 35 years?

  13. OliverJ

    4,000 affected applications?

    I would take this information cum grano salis. FireEye may be trying to milk this incident to promote their Mobile Security solutions. If you check their web site for the list of these 4,000 apps you find that you have to be a customer to access this information.

    Also, "that some 4,000 apps were hosed indicates that a lot of developers were sucked into what must have been a very well-executed attack by highly capable malefactors". Or, and I find this more likely, that many app-programmers (in China and elsewhere) are incredibly lazy and gullible. Or stupid. Or all of the above.

  14. Anonymous Coward

    Ken Thompson's "Trusting Trust" escapes the textbook

    Kind of beautiful - and a refreshing change from buffer overruns on Adobe products!

    1. Anonymous Coward

      Re: Ken Thompson's "Trusting Trust" escapes the textbook

      Not really. For this to be a repeat of that, they'd have to break into Apple, grab the LLVM source, insert a backdoor that automatically replicates itself in unmodified LLVM source, recompile the unmodified LLVM source with this version of compiler, and finally replace all LLVM binaries that might be used to generate updated versions of LLVM so the backdoor propagates forever.

      All this attack did was download Xcode from Apple like anyone in the world can do, add a little something "extra" (presumably in an object file or library that every app it generates would include, à la crt1.o) and make that available for download. Developers then had to download from a non-Apple source, choose to ignore certificate warnings, build apps with this version of Xcode, not test them well enough to notice the pop ups asking for iCloud credentials, and finally submit them to Apple. Users had to update their apps as normally, and not question when the app popped up a dialog asking for iCloud credentials. Only then was there any harm, and only if you used iCloud (I don't, I do my backups on my laptop, though something like this isn't the reason why)

      I see zero similarity with "On Trusting Trust" other than it sort of involved a compiler.

      1. Anonymous Coward

        Re: Ken Thompson's "Trusting Trust" escapes the textbook

        Granted, it's only the "lite version", but I haven't noticed another toolchain attack like this, where examination of the developers' sources or even their souls reveals no evil (beyond being casual/cheapskate enough to grab tools from secondary sources).

        And you're surely right that it's just forcibly linking a module, rather than more subtly augmenting the code. That takes off some of the shine.

  15. sleepy

    It's the devs who've been used to vault the garden wall

    This is malware on devs' OS X build machines. It gives the hackers access to whatever the devs had access to. If you let the app see your location, then the hackers could potentially see it too. The worst anyone's been able to think of is that a user might have copied and pasted a password, and the app (and therefore the hackers) would be able to see the password on the clipboard (but wouldn't actually know it was a password until they tried it).

    Why do people use duckduckgo instead of Google? It is always possible for apps to be creepy. Any dev can write the same creepy hackery into his app himself. Downloading any app is to that extent an act of trust. Apple can reasonably claim that their security measures have not been compromised on this occasion. These devs unwittingly made their apps creepy. It's the devs who have been compromised, and proved themselves untrustworthy. Having downloaded from an untrusted source, they should never have bypassed checking the signing of the Xcode package. But they did.
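The two points above that the trojanised Xcode only got onto a build box because Gatekeeper had been turned off (aaaa, "Build systems?") and because the package signature was never checked (sleepy, just above), as an added example that is not part of the original thread and is not Apple's own tooling: a pre-build gate for a macOS build machine that runs the Gatekeeper assessment of the installed Xcode explicitly and refuses to build unless it comes back "accepted" from an Apple source. It assumes `XCODE_PATH` is the Xcode.app that `xcodebuild` will use, and that the three acceptable sources are the ones Apple's "Validating Your Version of Xcode" note lists for a genuine copy: "Mac App Store", "Apple System" and "Apple". The parsing is kept in its own function so it can be exercised with constructed `spctl` output on a machine that is not a Mac; the scheme name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original thread or from Apple: refuse to build
# unless the installed Xcode passes Gatekeeper assessment. The assessment is
# run here explicitly, so the gate does not depend on Gatekeeper having been
# left on when Xcode was installed or on anyone having checked the package.
# Assumption: XCODE_PATH is the Xcode.app that xcodebuild will use.

XCODE_PATH=${XCODE_PATH:-/Applications/Xcode.app}

# xcode_assessment_ok TEXT
# Pure check over the output of `spctl --assess --verbose`. Returns 0 only
# when the verdict is "accepted" AND the source is Mac App Store, Apple System
# or Apple; "Developer ID", "no usable signature" and anything else fail.
xcode_assessment_ok() {
    text=$1
    printf '%s\n' "$text" | grep -q -E '(^|[[:space:]])accepted([[:space:]]|$)' || return 1
    printf '%s\n' "$text" | grep -q -E '(^|[[:space:]])source=(Mac App Store|Apple System|Apple)[[:space:]]*$' || return 1
    return 0
}

# assert_trusted_xcode
# Runs the real assessment. 0: build may proceed; 1: refuse; 2: the check
# could not be performed at all (a CI job should treat 2 as refuse too).
assert_trusted_xcode() {
    if ! command -v spctl >/dev/null 2>&1; then
        echo "assert_trusted_xcode: spctl not found (not macOS?), refusing to build" >&2
        return 2
    fi
    if [ ! -d "$XCODE_PATH" ]; then
        echo "assert_trusted_xcode: no Xcode at $XCODE_PATH" >&2
        return 2
    fi
    out=$(spctl --assess --verbose "$XCODE_PATH" 2>&1 || true)
    if xcode_assessment_ok "$out"; then
        echo "Xcode at $XCODE_PATH passed Gatekeeper assessment"
        return 0
    fi
    echo "REFUSING TO BUILD: $XCODE_PATH is not an Apple-signed Xcode:" >&2
    printf '%s\n' "$out" >&2
    return 1
}

# Usage on the build box, before the archive step (placeholder scheme name):
#   sh xcode_gate.sh --check && xcodebuild -scheme MyApp archive
case ${1:-} in
    --check) assert_trusted_xcode ;;
esac
```

Running this as the first step of every CI job, rather than once when the machine is set up, is what turns aaaa's "pristine build environment" from a policy into something enforced: a re-downloaded or re-installed Xcode that is not Apple-signed stops the pipeline before any app is linked against it. `codesign --verify --deep --strict "$XCODE_PATH"` can be added as a second, slower check; on a full Xcode install it takes a long time, which is why it is left out of the per-build gate here.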

  16. DerekCurrie
    FAIL

    It's China, Stupid

    "The more rigorous testing regime required before an iOS app can be published has always been considered to be the reason for this difference, but in this case it seems to have fallen short."

    Every Apple developer knows the two, and only two, sources for downloading Xcode. Any developer with any sense of software security knows that WAREZ versions of anything are entirely capable of being malware vectors. That is nothing new. Back in early 2009, WAREZ versions of Mac apps were implicated in a Mac botnet of hundreds of thousands (as many as 600,000) Macs.

    The way it should have gone down was:

    - Developers in China inform Apple that The Great Firewall Of China screws them over every day with crap for bandwidth.

    - Apple should have responded by providing software servers inside China, subverting any motivation to download WAREZ versions of Xcode.

    - The End.

    That didn't happen then; at least it's happened now. Apple meanwhile has to thrash through the iOS store to find every app infected with XcodeGhost malware. It's going to take a while. This new number of 4,000 apps is mind-boggling.

    Should this incident be compared to the rat's nest of security holes and malware that are the default of all things Android? OF COURSE NOT. Try not to look so desperate to bash Apple, please.

