Late last week, Claud Xiao, a researcher at Palo Alto Networks, announced the discovery of new malware that he calls XcodeGhost. As the story has developed over the weekend, it turns out that this malware has infected at least 39 known iOS apps as of early this morning, all of which made it into the App Store. (Update: it turns out that this is both worse and better than originally thought. New reports show that, by some calculations, nearly 3,500 apps were infected, but that they didn't actually have the capability to phish passwords as-is.)

The malware uses a method of attack that is new to the Mac world: infecting a compiler. In this case, the compiler in question is Xcode, Apple's own development environment, used for creating iOS apps, Mac OS X apps, Safari extensions and more.

It seems that, in China, downloading Xcode from Apple's servers takes a very long time, so it is common for Chinese developers to get Xcode from third-party sources distributed from servers within China. Apparently, someone uploaded a tampered copy of Xcode to a Chinese file-sharing site called Baidu. Although Baidu has now removed the hacked Xcode files from their servers, the damage has been done. The tampered Xcode was downloaded by Chinese developers and used to build an unknown number of apps, and the malicious changes to Xcode caused every app built with it to carry the same malicious code. Anyone who obtained Xcode this way can check their copy with Apple's own Gatekeeper assessment, spctl --assess --verbose /Applications/Xcode.app, which should report the app as accepted with the Mac App Store or Apple as its source; any other result means the copy is not what Apple shipped.

This appears to be a form of the dynamic library hijacking attack that Patrick Wardle wrote a paper on back in March. Wardle discussed how some apps dynamically load libraries of code that they look for in one of multiple locations. In some cases, the first place they look is not where the library normally lives. If an attacker can place a fake library at that first location, the program will load it in preference to, or in addition to, the real one.

The malicious copy of Xcode appears to contain an exploit of exactly that issue. A fake framework was added to the tampered copy of Xcode in such a way that it is loaded automatically, and this framework is also added to all of the infected apps.

As of Friday, Xiao had identified 39 apps known to have been created by an XcodeGhost-infected copy of Xcode. Most of these apps are Chinese, and not available to most of the rest of the world. Others, however, have a more global appeal, such as the WeChat app. (Version 6.2.5 of WeChat is known to be infected. Version 6.2.6 has since been released and is not infected, although there is no mention of this in the WeChat change history on the App Store.)

Initially, Xiao stated that these infected apps would collect some basic information about the device and upload it to one of several sites. By Friday afternoon, however, he revealed further information suggesting that the malware would be capable of more malicious things, like phishing for passwords. In a bizarre twist, Xiao revealed on Friday night that the apparent author of XcodeGhost had published the source code, and an apology, on GitHub. It is hard to know at this point whether this is the real author or the real source code, and it is a complete mystery why someone who had done such a thing would own up to it so quickly.

There are a few very interesting aspects to this new malware. First, of course, is the fact that these infected apps made it into the App Store. This is easily the largest App Store breach in history.
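To make the dynamic library hijacking described above concrete, here is an added example (my code, not from the original post, from Wardle's paper or from XcodeGhost itself). It parses the load commands of a 64-bit Mach-O the way dyld reads them, then walks each dependency's search order: an @rpath library whose first search location is empty can be hijacked by planting a file there, and a weak library that exists nowhere can be hijacked because dyld silently skips a missing weak dependency. The app bundle, library names and the Mach-O image itself are constructed in a temporary directory; the parser assumes a thin little-endian 64-bit image, not a fat binary.

```python
"""Audit a 64-bit Mach-O for dylib-hijack opportunities (added example).

Assumes a thin little-endian 64-bit image. The bundle layout, library names
and the Mach-O bytes in demo() are constructed; nothing here is real app data.
"""
import os
import struct
import tempfile

MH_MAGIC_64 = 0xFEEDFACF
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_RPATH = 0x8000001C


def _cstr(buf, start, end):
    """Decode the NUL-terminated string stored inside a load command."""
    return buf[start:end].split(b"\0", 1)[0].decode()


def parse_load_commands(data):
    """Return (rpaths, dylibs); dylibs is [(install_name, is_weak)] in load order."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    rpaths, dylibs = [], []
    off = 32  # sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd in (LC_RPATH, LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            # lc_str: uint32 offset from the start of the command to its string
            (str_off,) = struct.unpack_from("<I", data, off + 8)
            path = _cstr(data, off + str_off, off + cmdsize)
            if cmd == LC_RPATH:
                rpaths.append(path)
            else:
                dylibs.append((path, cmd == LC_LOAD_WEAK_DYLIB))
        off += cmdsize
    return rpaths, dylibs


def _expand(path, exe_dir):
    # For the main executable, @loader_path and @executable_path are the same dir.
    return os.path.normpath(path.replace("@executable_path", exe_dir).replace("@loader_path", exe_dir))


def hijackable_dylibs(data, exe_dir):
    """Return (install_name, kind, plant_path) for every hijackable dependency."""
    rpaths, dylibs = parse_load_commands(data)
    findings = []
    for name, weak in dylibs:
        if name.startswith("@rpath/"):
            rel = name[len("@rpath/"):]
            candidates = [_expand(os.path.join(r, rel), exe_dir) for r in rpaths]  # dyld order
        else:
            candidates = [_expand(name, exe_dir)]
        present = [c for c in candidates if os.path.exists(c)]
        if present and present[0] != candidates[0]:
            # an earlier, empty rpath slot beats the real file further down the list
            findings.append((name, "rpath hijack", candidates[0]))
        elif not present and weak:
            # a missing weak dylib is skipped without error, so a planted one just loads
            findings.append((name, "weak hijack", candidates[0]))
        # a missing non-weak dylib aborts the launch: a crash, not a hijack
    return findings


def _lc_rpath(path):
    s = path.encode() + b"\0"
    size = (12 + len(s) + 7) & ~7  # 64-bit load commands are 8-byte aligned
    return struct.pack("<3I", LC_RPATH, size, 12) + s.ljust(size - 12, b"\0")


def _lc_dylib(path, weak=False):
    s = path.encode() + b"\0"
    size = (24 + len(s) + 7) & ~7
    cmd = LC_LOAD_WEAK_DYLIB if weak else LC_LOAD_DYLIB
    # dylib_command: cmd, cmdsize, name offset, timestamp, current_version, compat_version
    return struct.pack("<6I", cmd, size, 24, 2, 0x10000, 0x10000) + s.ljust(size - 24, b"\0")


def build_macho(load_cmds):
    """Header plus load commands only: enough for dependency analysis, not for running."""
    body = b"".join(load_cmds)
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                         len(load_cmds), len(body), 0, 0)
    return header + body


def demo():
    """Constructed bundle: Demo.app's own Frameworks dir comes first in the rpath
    list but is empty; the real libhelper.dylib lives under the second rpath."""
    root = tempfile.mkdtemp()
    exe_dir = os.path.join(root, "Demo.app", "Contents", "MacOS")
    app_fw = os.path.join(root, "Demo.app", "Contents", "Frameworks")
    shared_fw = os.path.join(root, "Library", "Frameworks")
    for d in (exe_dir, app_fw, shared_fw):
        os.makedirs(d)
    open(os.path.join(shared_fw, "libhelper.dylib"), "wb").close()  # stand-in for the real lib
    binary = build_macho([
        _lc_rpath("@executable_path/../Frameworks"),
        _lc_rpath(shared_fw),
        _lc_dylib("@rpath/libhelper.dylib"),
        _lc_dylib("/usr/lib/libSystem.B.dylib"),
        _lc_dylib("@loader_path/../Frameworks/libplugin.dylib", weak=True),
    ])
    return hijackable_dylibs(binary, exe_dir)


if __name__ == "__main__":
    for name, kind, where in demo():
        print(f"{kind:13s} {name} -> plant at {where}")
```

On a real binary, `otool -l` prints the same LC_RPATH and LC_LOAD_DYLIB entries this parser reads, and the check generalizes beyond the single case in the post: any app whose first rpath entry points at a directory the attacker can write to, or that weakly links a library that is not installed, gives an attacker a load-time code path without touching the app's own code, which is the property a tampered toolchain can quietly introduce into everything it builds.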