Genie out of the bottle

Last week Palo Alto Networks published an article about an attack involving several Chinese developers. The application these developers used to build their Apps had been infected by what is now referred to as XCodeGhost malware. The developers themselves were unaware that malicious code had been added to their Apps. Even Apple, which is known for its rigorous pre-launch review, failed to detect the malware and released several hundred infected Apps, affecting millions of users.

Why did the developers use an infected program?

The developers used a copy of the official Apple development application, XCode. It is quite a large program, approx. 3.5 GB in size. Downloading it from Apple's servers can be slow and cumbersome from China, which led some developers to download an in-country unofficial copy; more specifically, an XCodeGhost-infected version hosted on Baidu's file sharing service.

What does XCodeGhost do?

Once someone installs and launches an infected App, the malware inside it retrieves several (less sensitive) pieces of information:

  • Name of the infected app
  • App bundle identifier
  • Device’s name and type
  • Network information
  • Device’s “identifierForVendor”

Though not yet confirmed, there have been claims that the affected Apps attempt to prompt users for sensitive information such as their Apple ID credentials.

What has been done so far?

Baidu has removed the malicious version of XCode from its file sharing service, Apple is removing known affected Apps from its App Store, and Amazon has taken down the known Command & Control servers.

What to do as the owner of an MDM?

It’s time to make good use of your Mobile Device Management (MDM) deployment and have it earn some of its investment back. Some MDM platforms come with an App blacklist. I would suggest contacting your MDM vendor and asking them to confirm whether they have added the affected Apps.

If you do not have such a subscription, you can still use MDM to search for and list all the Apps running in your mobile estate. Be aware that not all versions of the affected Apps are infected, so match on version as well as on the App itself.
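The version-aware matching described above, as an added example that is not part of the original article: it cross-references a constructed MDM app-inventory export (device, user, bundle ID, version) against a constructed list of affected bundle IDs and versions, where an asterisk marks "every version". The bundle IDs, versions and device IDs are placeholders; the real values come from the vendor advisories linked at the end of the article and from your own MDM export.

```shell
#!/bin/sh
# Added example (not from the original article): flag devices that carry an
# affected App in an affected version. All data below is constructed.

# Constructed affected list: bundle_id,affected_version ("*" = any version).
AFFECTED_LIST='com.example.chatapp,6.3.0
com.example.chatapp,6.3.1
com.example.musicplayer,*'

# Constructed MDM inventory export: device_id,user,bundle_id,version
MDM_EXPORT='D-1001,alice,com.example.chatapp,6.3.1
D-1001,alice,com.example.notes,2.0
D-1002,bob,com.example.chatapp,6.4.0
D-1003,carol,com.example.musicplayer,1.2
D-1004,dave,com.example.mailclient,3.1'

# find_affected_devices: print every inventory row whose bundle ID and
# version are on the affected list (exact version match or wildcard entry).
find_affected_devices() {
    awk -v affected_list="$AFFECTED_LIST" -v mdm_export="$MDM_EXPORT" '
    BEGIN {
        # Load affected bundle/version pairs into a lookup table.
        n = split(affected_list, rows, "\n")
        for (i = 1; i <= n; i++) {
            split(rows[i], f, ",")
            affected[f[1] "," f[2]] = 1
        }
        # Walk the inventory; f[3] is the bundle ID, f[4] the installed version.
        m = split(mdm_export, rows, "\n")
        for (i = 1; i <= m; i++) {
            split(rows[i], f, ",")
            if ((f[3] "," f[4]) in affected || (f[3] ",*") in affected)
                print rows[i]
        }
    }' </dev/null
}

# count_affected_devices: number of rows needing follow-up (for reporting).
count_affected_devices() {
    find_affected_devices | wc -l | tr -d ' '
}

# Stand-alone run: list the rows that need a remove/update action.
find_affected_devices
```

Bob's device (D-1002) runs version 6.4.0 of the chat App, which is not on the affected list, so it is correctly left out; the music player entry matches through the wildcard. The row count is what goes into the management report mentioned later in this section.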

Though the investigation is still ongoing, it would be wise for your affected users to at least:

  • Remove or update the affected App(s);
  • Change their iCloud password and the password for any other website or application they use it for;
  • Be wary of any suspicious emails, notifications or dialogue boxes that ask for information or passwords.

Don’t forget to include your efforts in your security reporting to management, to remind them why you asked them to invest in MDM.

What to do as a developer?

As a developer, or as a company that uses a development agency, you should ensure that:

  • Programs and libraries are downloaded from official sources;
  • Third-party libraries are purchased, downloaded and used from renowned providers;
  • Source code and finalized products are protected against unauthorized changes;
  • Access to the source code and development environment is only granted to persons who really need it *1;
  • Apps are only downloaded from official Stores and identified developers, and this option is enforced via System Preferences;
  • Anti-malware is installed: yes, even OS X can be infected by malware; and no, a good solution does not impact your Mac’s performance;
  • Though it has its own set of risks, Hybrid (web) development is preferred over Native code development;
  • The integrity of your development tools and libraries is checked before releasing a new version of an App. Scripts that validate code signatures and perform hash comparisons are key.
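A pre-release integrity check of the kind the last bullet calls for, as an added example that is not part of the original article: it compares the SHA-256 digest of each toolchain artefact against a pinned manifest and, on a Mac, runs Apple's `codesign` verification against the Xcode bundle. The manifest format (`<sha256>  <path>`), the file names in the demonstration and the default `/Applications/Xcode.app` path are assumptions; `codesign --verify --deep --strict` is Apple's real tool and flags.

```shell
#!/bin/sh
# Added example (not from the original article): verify toolchain hashes
# against a pinned manifest and check the Xcode code signature on macOS.
set -u

# sha256_of FILE: print the SHA-256 hex digest, using whichever tool exists
# (sha256sum on Linux build boxes, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_manifest MANIFEST: each line is "<sha256>  <path>" (assumed format).
# Returns 0 only if every listed file exists and its digest matches; missing
# files and mismatches are reported on stderr so CI logs show what drifted.
verify_manifest() {
    manifest="$1"; status=0
    while read -r expected path; do
        [ -z "$expected" ] && continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path" >&2; status=1; continue
        fi
        actual="$(sha256_of "$path")"
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $path (expected $expected, got $actual)" >&2; status=1
        fi
    done < "$manifest"
    return "$status"
}

# verify_xcode_signature [APP]: run Apple's codesign check on the Xcode bundle.
# Returns 2 when codesign is not present (non-Mac host), so callers can tell
# "not checked" from "failed".
verify_xcode_signature() {
    app="${1:-/Applications/Xcode.app}"   # assumed default install path
    command -v codesign >/dev/null 2>&1 || return 2
    codesign --verify --deep --strict "$app"
}

# demo: exercise the manifest check on constructed files in a temp directory,
# first with an intact library and then with a tampered one.
demo() {
    tmp="$(mktemp -d)"
    printf 'lib contents v1\n' > "$tmp/libFoo.a"
    printf '%s  %s\n' "$(sha256_of "$tmp/libFoo.a")" "$tmp/libFoo.a" > "$tmp/manifest.txt"
    verify_manifest "$tmp/manifest.txt" && echo "toolchain OK"
    printf 'lib contents v1 + extra\n' > "$tmp/libFoo.a"   # simulate tampering
    verify_manifest "$tmp/manifest.txt" || echo "toolchain CHANGED - do not ship"
    rm -rf "$tmp"
}

demo
```

The manifest itself has to be pinned from a known-good download (and protected like source code, per the bullets above); a hash list generated from the machine under test proves nothing. Wiring `verify_manifest` and `verify_xcode_signature` into the release job, and failing the build on any non-zero result, is the point of the exercise.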

*1 Even if you trust the persons who have access not to meddle with your code, that does not mean their machines cannot be infected with something that discovers and alters your code.

What to do as a mobile app security tester?

The key to this discovery is confirming whether an App does what it says on the tin.

Using Static Application Security Testing (SAST) and especially Dynamic Application Security Testing (DAST) does more than prevent bad coding: DAST in particular should be able to tell you which remote systems the App communicates with, so that every endpoint can be checked against what the developer declared.
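The endpoint comparison described above, as an added example that is not part of the original article: it reduces a proxy capture taken during a DAST run to the set of remote hosts the App actually contacted and flags the ones the developer never declared, plus any request sent in cleartext. The capture lines, the generic "timestamp METHOD URL" log format and the host names are all constructed.

```shell
#!/bin/sh
# Added example (not from the original article): list the remote hosts an
# App contacted during a test run and diff them against the declared set.

# Constructed: hosts the App's documentation says it talks to.
DECLARED_HOSTS='api.example-app.com
cdn.example-app.com'

# Constructed proxy capture from a test run: timestamp, method, URL.
CAPTURE_LOG='2015-09-21T10:00:01Z GET https://api.example-app.com/v1/login
2015-09-21T10:00:02Z GET https://cdn.example-app.com/assets/logo.png
2015-09-21T10:00:05Z POST http://analytics.unknown-host.example/collect
2015-09-21T10:00:06Z POST https://api.example-app.com/v1/sync
2015-09-21T10:00:09Z GET http://analytics.unknown-host.example/ping'

# observed_hosts: unique host names from the capture, sorted.
# Strips the scheme, then everything from the first "/" or ":" (path/port).
observed_hosts() {
    printf '%s\n' "$CAPTURE_LOG" \
        | awk '{ url = $3; sub("^[a-z]+://", "", url); sub("[/:].*$", "", url); print url }' \
        | sort -u
}

# undeclared_hosts: observed hosts absent from DECLARED_HOSTS. Each line is a
# question for the developer before the App ships.
undeclared_hosts() {
    observed_hosts | awk -v declared="$DECLARED_HOSTS" '
        BEGIN { n = split(declared, d, "\n"); for (i = 1; i <= n; i++) ok[d[i]] = 1 }
        !($0 in ok) { print }'
}

# cleartext_urls: URLs requested over plain http, which a tester would also
# report regardless of whether the host was declared.
cleartext_urls() {
    printf '%s\n' "$CAPTURE_LOG" | awk '$3 ~ "^http://" { print $3 }'
}

# Stand-alone run: print the findings.
echo "Undeclared hosts:";   undeclared_hosts
echo "Cleartext requests:"; cleartext_urls
```

On the constructed capture the analytics host is the only undeclared one, and both of its requests are cleartext; a real capture from an instrumented device or interception proxy is fed in the same way, one request per line.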

More information

For more information, the list of affected Apps and the sources used for this article:

  • Palo Alto Networks [src]
  • Lookout Blog [src]