Explanation of the Xcode Ghost Incident and Recommended Fix

2015/09/22

In September 2015, a well-known blog in China raised the alarm that malware may have been embedded in copies of the Apple Xcode IDE downloaded from unofficial sources. The problem has its roots in China's unique Internet environment, where developers must go through the Great Firewall in order to connect to official company sites. The firewall may, however, block these connections and prevent developers from downloading the IDE they need from the official websites. Developers may therefore download it from third-party file download websites (e.g. Pan.baidu.com or Xunlei). Official sites generally provide integrity verification information (such as the file's hash value) for the files they put up for download. Third-party file download sites generally lack such integrity verification information, putting developers at risk of downloading re-packaged products infected with malware.

In this incident, if a developer downloaded the re-packaged Xcode Ghost IDE, then all apps developed using that IDE may have been infected with malicious backdoor code. The problem affects all platforms supported by Xcode (e.g. iOS, Mac OS X). If users run an app that was developed with Xcode Ghost and contains the malicious code, the system may upload confidential data (such as Timestamp, app, bundle, name, os, type, status, version, language, country, adfv, and other information) to the hacker's C&C server. When the app is compiled, malicious advertising may also be embedded into the program's code. If the developer then applies for listing following the official software development guidelines, the malicious app can be listed successfully, because the official review cannot conduct an in-depth examination of the app. The official app promotion platform then indirectly helps spread the malicious app as well.

In Taiwan's app market, most vendors currently outsource their development projects to third-party app development studios. As a result, most vendors are unable to determine whether the third-party studio's working environment is safe, whether the IDE it uses was downloaded from official sources, or whether the plug-ins it used during development carry a risk of vulnerabilities. Though Apple AppStore claimed that infected apps have been removed from listing, there is probably still no way for the listing mechanism on the official app promotion platform to prevent this incident from happening again. Responsibility for ensuring app safety therefore falls on the vendors and developers.

A quick and simple way for developers to check their environment in response to this incident is as follows:

1. Use the shortcut "Command + Shift + G"

2. Enter the folder path "/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs" then click on the "Go to" button.

3. If a folder named "Library" appears then this computer has the infected version of Xcode.
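
The same check can be scripted so that every Xcode copy on a build machine is covered. The script below is an added example, not part of the original article; it goes beyond the article by assuming the same "Library" folder indicator applies under every platform directory in the bundle, not only iPhoneOS.platform, and its function names are made up for illustration.

```sh
#!/bin/sh
# Added example, not from the original article. Automates the manual check above.
# Assumption: the article names only iPhoneOS.platform; this applies the same
# "Library folder under SDKs" indicator to every *.platform in the bundle.

# Print each "Library" folder found directly under a platform's SDKs directory.
find_sdk_library_dirs() {
    for sdks in "$1"/Contents/Developer/Platforms/*.platform/Developer/SDKs; do
        [ -d "$sdks" ] || continue      # unmatched glob or platform without SDKs
        if [ -d "$sdks/Library" ]; then
            printf '%s\n' "$sdks/Library"
        fi
    done
}

# Return 0 if no indicator is present, 1 if it is, 2 if the path is not an Xcode bundle.
check_xcode_bundle() {
    if [ ! -d "$1/Contents/Developer/Platforms" ]; then
        echo "SKIP      $1 (no Contents/Developer/Platforms directory)"
        return 2
    fi
    hits=$(find_sdk_library_dirs "$1")
    if [ -n "$hits" ]; then
        echo "INFECTED  $1"
        printf '%s\n' "$hits" | sed 's/^/          /'
        return 1
    fi
    echo "OK        $1"
    return 0
}

# Check every bundle given; return 1 if any of them carries the indicator.
scan_bundles() {
    scan_status=0
    for bundle in "$@"; do
        rc=0
        check_xcode_bundle "$bundle" || rc=$?
        if [ "$rc" -eq 1 ]; then scan_status=1; fi
    done
    return "$scan_status"
}

# With no arguments, check every Xcode copy in /Applications (covers renamed
# side-by-side installs such as Xcode-beta.app, a name assumed for illustration).
if [ "$#" -eq 0 ]; then set -- /Applications/Xcode*.app; fi
scan_bundles "$@" || echo "Replace flagged copies with Xcode from Apple's developer center."
```

Pass one or more bundle paths as arguments to check copies stored outside /Applications, for example on a build server.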

 

Recommendations for developers:

1. Remove the Xcode IDE downloaded from an unofficial source and only download the legitimate Xcode from Apple's official developer center.

2. Apps compiled using infected Xcode should be re-compiled using legitimate Xcode.

3. Explain the situation to Apple AppStore as soon as possible and re-list the app re-compiled with legitimate Xcode so that users can update their app.

Apps developed in China were the ones most affected by the Xcode Ghost incident. Individual users should check their device's app installation list.

If you have installed apps developed in China (apps known to be affected include WeChat, Didi Dache and Angry Birds 2), we suggest the following:

1. If a repaired version is provided by the developer then update immediately.

2. If the developer has not provided a repaired version then remove the app for now.

3. Immediately change passwords, such as your iCloud password, to reduce the risk of information leaks.


Online lists of known infected apps:

Security firm published list of some of the iOS apps infected by XcodeGhost - including Angry Birds 2

Malware XcodeGhost Infects 39 iOS Apps, Including WeChat, Affecting Hundreds of Millions of Users