About Xcode Ghost

A few days ago, Chinese iOS developers discovered a new iOS malware, dubbed “Xcode Ghost”.

Xcode Ghost is embedded into repackaged versions of the Xcode installer (the developer software for building iOS Apps), posted by the attackers on various iOS / OS X development forum. Developers would then download this tampered version instead of the official Xcode package from Apple. This seems to be the case especially in China as downloading the official Xcode package requires using Apple’s Mac App Store, which is slow in China.

Once installed, this modified version of Xcode injects malicious code into the developer’s (legitimate) iOS Apps. This code is capable of receiving commands from the attacker’s control server to perform various actions including:

  • Prompt a fake alert dialog to phish user credentials (such as the iCloud password).
  • Read and write data in the user’s clipboard, which could be used to read the user’s password if that password is copied from a password management tool.

Because the malicious version of Xcode has not been cryptographically signed by Apple, developers had to bypass warnings from their OS X computer (specifically Gatekeeper) in order to install Xcode Ghost.

It has now surfaced that Apps on the App Store have been infected by the malware, which is also confirmed by our own scanning of the US and Chinese App Stores.

If your App has been infected, we recommend investigating all Xcode instances used to build iOS Apps (build servers, developers’ computers, etc.) and re-install Xcode from scratch, using the official Apple installer (available at https://developer.apple.com). For Apps already available on the App Store, re-build the App with a clean instance of Xcode and deploy an update to the store.

Alban Diquet - 21 Sep 2015 at 13:02