App Store malware attack compromises hundreds of titles

There’s a short list of advice any smartphone user should heed if they want to keep their device as safe as possible from nasty mobile malware, and right up there at the top is “get your apps from trustworthy sources.” While Android users have the freedom to turn to the distributor of their choice, making that decision very important, things are much more straightforward on iOS (jailbreakers notwithstanding), and for Apple users there’s hardly even a question here: you get your apps from Apple’s App Store. As such, users have to place a lot of faith in Apple that it’s keeping the App Store free from malicious software, and by and large, that’s been true. But in a recent turn of events, attackers have not only managed to get some compromised apps into the App Store, but were able to affect dozens of titles, across a number of developers.

The problem is in how all these apps were put together. Normally devs work with a copy of Apple’s Xcode IDE that comes right from Apple itself, but for this attack, a counterfeit copy of Xcode was made available in China. Unbeknownst to them, devs who were using the fake Xcode inserted this malware – dubbed XcodeGhost – into their finished apps.

XcodeGhost has the potential to craft phony dialogue boxes, opening the door for phishing attacks, as well as to interfere with the iOS clipboard (gathering passwords) and how URLs are accessed.

After being alerted to XcodeGhost’s presence, Apple started scanning for and removing compromised apps from the App Store – publicly available lists have named nearly 40 of them, and other counts put the total up above 300. One of the more popular titles is WeChat, but you’ll want to check out the full list through the source links below.

Presumably, affected apps will quickly be rebuilt using clean copies of Xcode and return to the App Store shortly.

Source: Palo Alto Networks 1,2, Reuters

About The Author
Stephen Schenck