iOS is safer than Android when it comes to malware, but that doesn’t mean hackers aren’t successfully targeting the iPhone and iPad with malicious programs designed to steal sensitive data. Usually, iOS malware reports explain that jailbroken devices are at risk, especially in Asian countries, and that only a tiny fraction of Apple’s massive customer base is affected. That is no longer the case.
A substantial security threat called XcodeGhost managed to fool App Store security and sneak into the store inside genuine apps, potentially affecting hundreds of millions of iPhone and iPad users on both stock and jailbroken devices. The one thing recent iOS hacks have in common is that the threat comes from China.
Rather than trying to get malware apps past Apple’s strict App Store approval team, smart hackers from China targeted the middleman instead. They included malicious code in a customized version of Xcode – the tool developers use to build and package iOS apps – and made it available to developers in China. Unsuspecting developers downloaded the unofficial Xcode release from untrusted servers in China, which were faster than Apple’s official download.
The developers then used the fake Xcode to work on their apps, including popular chat client WeChat that has some 600 million users. More than 50 apps containing XcodeGhost were accepted in the App Store.
The hack was discovered by security research company Palo Alto Networks, which worked with Apple on the issue. Apple told Reuters that it has removed the malicious apps from the App Store and is working with developers to mitigate the problem.
“We’ve removed the apps from the App Store that we know have been created with this counterfeit software,” Apple said. “We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.”
The company did not say how many apps it had to remove, or how many users might be at risk.
WeChat confirmed it updated its apps to remove the malicious code. However, any iOS user who still has one of the affected apps installed (see this list) is at risk. They should remove the apps immediately, then change their Apple ID password and any other login details they suspect might have been compromised. Developers, meanwhile, have to make sure they have the latest version of Xcode on their computers, and that it came from Apple’s servers.
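As an added example (not code from the article, from Apple, or from any of the affected developers), here is a small POSIX shell script that applies the check Apple published after XcodeGhost: run Gatekeeper's `spctl` assessment on the installed Xcode bundle and accept it only when macOS reports the source as the Mac App Store or Apple. The classification is kept in its own function so it can be exercised with constructed sample output; the default bundle path is an assumption.

```shell
#!/bin/sh
# Added example, not from the article or from Apple: apply the check Apple
# published after XcodeGhost, a Gatekeeper assessment of the installed Xcode
# bundle, and accept it only when macOS reports it as Apple-sourced.
# A bundle downloaded from a third party, modified or re-signed will not
# assess as "accepted" with an Apple source.

# Classify spctl output. Returns 0 only when the verdict is "accepted" and the
# source line names the Mac App Store or Apple; anything else is untrusted.
xcode_assessment_ok() {
    _out="$1"
    # The verdict is printed as "<path>: accepted" or "<path>: rejected".
    if ! printf '%s\n' "$_out" | grep -q -E ': accepted'; then
        return 1
    fi
    if printf '%s\n' "$_out" | grep -q -E ': rejected'; then
        return 1
    fi
    # Sources that mean the bundle is signed by Apple itself.
    if printf '%s\n' "$_out" | grep -q -E '^source=(Mac App Store|Apple System|Apple) *$'; then
        return 0
    fi
    return 1
}

# Run the assessment on a real installation (default path is an assumption).
check_installed_xcode() {
    _app="${1:-/Applications/Xcode.app}"
    _out=$(spctl --assess --verbose "$_app" 2>&1) || true
    xcode_assessment_ok "$_out"
}

if command -v spctl >/dev/null 2>&1; then
    if check_installed_xcode "$@"; then
        echo "Xcode assessment: accepted, Apple-signed"
    else
        echo "Xcode assessment: NOT trusted; reinstall Xcode from Apple"
    fi
else
    echo "spctl not found; run this script on the development Mac"
fi
```

A Developer ID or unsigned source is reported as untrusted on purpose: a legitimate Xcode is signed by Apple, so anything else means the bundle should be deleted and reinstalled from the Mac App Store or developer.apple.com.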
It’s not clear what the hackers who manipulated Xcode to add malware to genuine App Store apps are doing with the resulting malware. However, the code lets them display fake prompts on the screen of infected iOS devices that could fool users into entering their Apple ID credentials. It can also read and write clipboard data (which means pasted passwords could be stolen) and exploit other vulnerabilities in iOS.