App Store malware attack compromises hundreds of titles
There’s a short list of advice any smartphone user should heed if he or she wants to keep their device as safe as possible from nasty mobile malware, and right up there at the top is “get your apps from trustworthy sources.” While Android users have the freedom to turn to the distributor of their choice, making that decision very important, things are much more straightforward on iOS (jailbreakers notwithstanding), and for Apple users there’s hardly even a question here: you get your apps from Apple’s App Store. As such, users have to place a lot of faith in Apple that it’s keeping the App Store free from malicious software, and by and large, that’s been true. But in a recent turn of events, attackers have not only managed to get some compromised apps into the App Store, but were able to affect dozens of titles, across a number of developers.
The problem is in how all these apps were put together. Normally devs work with a copy of Apple’s Xcode IDE that comes right from Apple itself, but for this attack, a counterfeit copy of Xcode was made available in China. Unbeknownst to them, devs who were using the fake Xcode inserted this malware – dubbed XcodeGhost – into their finished apps.
XcodeGhost has the potential to craft phony dialogue boxes, opening the door for phishing attacks, as well as to interfere with the iOS clipboard (gathering passwords) and how URLs are accessed.
After being alerted to XcodeGhost’s presence, Apple started scanning for and removing compromised apps from the App Store – publicly available lists have named nearly 40 of them, and other counts put the total up above 300. One of the more popular titles is WeChat, but you’ll want to check out the full list through the source links below.
Presumably, affected apps will quickly be rebuilt using clean copies of Xcode and return to the App Store shortly.