BreachExchange mailing list archives

Apple XcodeGhost Malware: List of iOS Apps You Should Delete Immediately


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 23 Sep 2015 14:05:59 -0600

https://www.hackread.com/apple-xcodeghost-malware-ios-apps/

Apple's App Store in China has apparently been penetrated by hackers, which
experts say has placed the devices of hundreds of millions of people at
risk.

The malware, named XcodeGhost, is believed to be a malicious, modified
version of Apple's own development software, Xcode, and is said to have
compromised a significant number of applications.

Apple Inc. said on Sunday that it was in the process of cleaning up its iOS
App Store to remove the malicious iPhone and iPad apps that have been
identified as having the XcodeGhost malware embedded in them. The number of
infected apps is believed to run into the hundreds, making this the first
large-scale attack on the platform.

The security company Palo Alto Networks, which is investigating the breach,
said in a blog post:

"Based on this new information, we believe XcodeGhost is a very harmful and
dangerous malware that has bypassed Apple's code review and made
unprecedented attacks on the iOS ecosystem."

They also warned:

"The techniques used in this attack could be adopted by criminal and
espionage focused groups to gain access to iOS devices."

Apple has yet to reveal exactly how many apps have been compromised by this
malware and, when asked directly, declined to answer. The Chinese security
firm Qihoo 360 Technology Co did, however, announce in its blog that it had
uncovered up to 344 compromised apps so far.

How Big a Deal Is It?

According to Palo Alto Networks Director of Threat Intelligence Ryan Olson,
it is a "pretty big deal" because it proves that Apple's App Store can be
compromised on a large scale by hacking developers and infecting their
build machines. He also believes other attackers will, in all probability,
try to copy this approach, which has proved very hard to defend against. In
his view, "developers are now a huge target".

Although the Chinese App Store was the target and almost all of the
affected apps are used in China, not all of them are. The affected apps
include Tencent Holdings Ltd's WeChat, the car-hailing app Didi Kuaidi, and
CamCard, a business card scanner that is also available outside China.

Targeting Developers

Alibaba, the e-commerce giant, first flagged the malware when its
researchers discovered it. They found that hackers had uploaded altered
versions of Xcode, the tool used to build iOS apps, to a cloud storage
service in China.

The hackers then posted links to the software on forums popular with
Chinese developers. Palo Alto Networks stated:

“In China – and in other places around the world – sometimes network speeds
are very slow when downloading large files from Apple’s servers,”

“As the standard Xcode installer is nearly three gigabytes, some Chinese
developers choose to download the package from other sources.”

The posting of links to the altered Xcode on developer forums shows that
developers were indeed the principal target of the hackers.

What About The Gatekeeper?

Apple's security tool Gatekeeper, which is designed to warn users about
unauthorised programs and stop them from running, appears to have been
disabled by the developers; this allowed them to keep building iOS apps
with the XcodeGhost-infected Xcode.

What Does this Mean For Users?

All iOS apps infected with XcodeGhost collect information about the
unsuspecting user's device, encrypt it, and upload it to command-and-control
servers run by the hackers, over plain HTTP. According to Palo Alto
Networks, the information collected is:

Network type
Device name and type
Infected app's name
Current time
Device's UUID
System language and country
The app's bundle identifier

The app can then receive the following commands, according to Palo Alto
Networks:

Phish user credentials
Read and write data to the clipboard
Hijack the opening of specific URLs, allowing for vulnerability exploitation

What Is Being Done?

Apple has issued a statement regarding their plan of action to date:

“We’ve removed the apps from the App Store that we know have been created
with this counterfeit software. We are working with the developers to make
sure they’re using the proper version of Xcode to rebuild their apps.”

To protect yourself from XcodeGhost, immediately uninstall any infected
apps from the list at the end of this article, or update to the latest
version in which the malware has been removed. All users should also
immediately change their iCloud password and any other passwords they have
entered on the device.

If you are a developer, install the official version of Xcode 7 or the
Xcode 7.1 beta, which you can do from here, and always avoid downloading
the software from unofficial sources.
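The Gatekeeper point and the "official Xcode only" advice above can be turned into a concrete check. The following is an added example, not code from the article, from Apple or from Palo Alto Networks: a POSIX shell script that runs Apple's own `spctl --assess --verbose` against Xcode.app and treats it as trustworthy only when Gatekeeper reports it as accepted with an Apple source ("Mac App Store", "Apple" or "Apple System"). The sample outputs at the bottom are constructed for an offline run, not captured from a real machine, and the exact wording of the rejected-case lines is an assumption.

```shell
#!/bin/sh
# Added example (not from the article, Apple or Palo Alto Networks).
# Decides whether an Xcode.app passes Gatekeeper assessment, using the
# output format of `spctl --assess --verbose`, which looks like:
#   /Applications/Xcode.app: accepted
#   source=Mac App Store
# "Mac App Store", "Apple" and "Apple System" are the sources that
# identify an Apple-signed Xcode; anything else is treated as suspect.

# xcode_assessment_ok OUTPUT
# Returns 0 when OUTPUT shows the bundle was accepted AND its signature
# comes from Apple; returns 1 otherwise (rejected, unsigned, or signed
# by any other party, e.g. a Developer ID certificate).
xcode_assessment_ok() {
    out=$1
    printf '%s\n' "$out" | grep -q ': accepted$' || return 1
    src=$(printf '%s\n' "$out" | sed -n 's/^source=//p' | head -n 1)
    case $src in
        "Mac App Store"|"Apple"|"Apple System") return 0 ;;
        *) return 1 ;;
    esac
}

# verify_xcode [PATH]
# Runs the real assessment on a Mac; PATH defaults to the standard
# install location. Returns 2 when spctl is unavailable (not macOS).
verify_xcode() {
    app=${1:-/Applications/Xcode.app}
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not found; this check only runs on macOS" >&2
        return 2
    fi
    out=$(spctl --assess --verbose "$app" 2>&1)
    if xcode_assessment_ok "$out"; then
        echo "OK: $app is Apple-signed and accepted by Gatekeeper"
        return 0
    fi
    echo "WARNING: $app failed Gatekeeper assessment." >&2
    echo "Reinstall Xcode from the Mac App Store or developer.apple.com and rebuild your apps." >&2
    printf '%s\n' "$out" >&2
    return 1
}

# Constructed sample outputs (assumed wording, not captured from a real
# machine) so the decision logic can be exercised without a Mac.
SAMPLE_GOOD='/Applications/Xcode.app: accepted
source=Mac App Store'
SAMPLE_UNSIGNED='/Applications/Xcode.app: rejected
source=no usable signature'
SAMPLE_OTHER_DEV='/Applications/Xcode.app: accepted
source=Developer ID'

# Demonstration of the offline checks; on a Mac call verify_xcode instead.
xcode_assessment_ok "$SAMPLE_GOOD"      && echo "sample GOOD: trusted"
xcode_assessment_ok "$SAMPLE_UNSIGNED"  || echo "sample UNSIGNED: rejected"
xcode_assessment_ok "$SAMPLE_OTHER_DEV" || echo "sample OTHER_DEV: rejected"
```

On a development Mac, call `verify_xcode` (optionally with the path to a non-default Xcode.app). Because the article notes that affected developers had disabled Gatekeeper, first run `spctl --status` and expect "assessments enabled"; a passing assessment also says nothing about apps that were already built with a tampered copy, which still need to be rebuilt with the reinstalled Xcode as Apple describes.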

Although the discovery of malware in Apple's App Store is unprecedented and
embarrassing, and although the exposure may encourage other hackers to copy
the approach, the breach is not expected to shake consumer confidence:
experts such as Wee Teck Loo, head of consumer electronics at the market
research firm Euromonitor International, do not forecast any major loss of
revenue or sales for Apple.

List of apps that should be deleted immediately:

WeChat
Didi Chuxing
Angry Birds 2
NetEase
Micro Channel
IFlyTek input
Railway 12306
The Kitchen
Card Safe
CITIC Bank move card space
China Unicom Mobile Office
High German map
Jane book
Eyes Wide
Lifesmart
Mara Mara
Medicine to force
Himalayan
Pocket billing
Flush
Quick asked the doctor
Lazy weekend
Microblogging camera
Watercress reading
CamScanner
CamCard
SegmentFault
Stocks open class
Hot stock market
Three new board
The driver drops
OPlayer
Mercury
WinZip
Musical.ly
PDFReader
Perfect365
PDFReader Free
WhiteTile
IHexin
WinZip Standard
MoreLikers2
CamScanner Lite
MobileTicket
iVMS-4500
OPlayer Lite
QYER
golfsense
Ting
Golfsensehd
Wallpapers10000
CSMBP-AppStore
MSL108
TinyDeal.com
snapgrab copy
iOBD2
PocketScanner
CuteCUT
AmHexinForPad
SuperJewelsQuest2
air2
InstaFollower
CamScanner Pro
baba
WeLoop
DataMonitor
MSL070
nice dev
immtdchs
OPlayer
FlappyCircle
BiaoQingBao
SaveSnap
Guitar Master
jin
WinZip Sector
Quick Save

If there are other infected apps we will let you know. Stay tuned.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
