Share This article

Malware authors have been targeting Android for years with all manner of nasty tricks, but we’re only now seeing the first large scale attack on Apple’s walled iOS garden. Researchers at Palo Alto Networks have uncovered a hive of iOS malware nestled within the very thing that was supposed to keep users safe — the App Store. Apple has already taken action to remove the threat, but the full effects of the “XcodeGhost” are not yet known.

Apple has managed to avoid any major malware scares all these years thanks in large part to the stringent manual review processes that all apps must go through. It can take weeks to get a minor update approved for release in the App Store, and there’s no simple way to install apps via an outside source. Unofficial app repositories are where virtually all the Android malware lurks, so iOS has avoided this problem.

It’s not clear how XcodeGhost evaded detection during the review process, but we do know where it came from. The malware authors modified and uploaded a version of Apple’s Xcode development software to the Baidu file sharing network, where it was downloaded by numerous Chinese app developers. Xcode is free, but it’s a huge download that can take a long time to complete in China. That’s led some developers to download it from faster unofficial sources. When the modified software was used to compile an app, it quietly inserted the XcodeGhost malware. Palo Alto Networks reported more than 50 infected apps, some of which are fairly popular. The malware-infused apps include WeChat, WinZip, and CamCard Scanner among others.

XcodeGhost is a serious piece of malware that gives its creators direct access to the device. When XcodeGhost is installed, it sends a bundle of data back to a command and control server in China including the device’s UUID, name of infected app, system language and country, network type, and more. Commands sent from the server to an infected device can produce fake system alert messages, which can be used to phish passwords. For example, a dialog box could list some esoteric error and ask the user to log back into their Apple account. A non-trivial number of people would probably do so without hesitation. The server can also load a URL on the device’s browser, potentially allowing for more exploits to be loaded. XcodeGhost can also read and write to the clipboard, which could provide additional personal information like passwords and banking details.

Apple says it has notified the affected developers, who are rebuilding their apps without the malware. As for users, the good news is that the sandboxed nature of iOS makes it easy to get rid of XcodeGhost. If you uninstall the app containing the malware, the malware goes with it. However, that means you need to know whether or not you have any of the apps identified by Palo Alto Networks. On Android, Google has a mechanism to remotely nuke a piece of malware on phones if it makes it through the Play Store review system, but Apple has never mentioned anything similar.

Maybe Apple has gotten complacent over the years, but iOS is a big target. This was bound to happen eventually. Users may simply need to be more wary going forward.