XCodeGhost malware: What you need to know

Update 1: Apple has issued the following statement to Reuters:

"We've removed the apps from the App Store that we know have been created with this counterfeit software," Apple spokeswoman Christine Monaghan said in an email. "We are working with the developers to make sure they're using the proper version of Xcode to rebuild their apps."

Update 2: Palo Alto Research has posted a list of infected apps.

Xcode, Apple's integrated development environment for making OS X and iOS apps, is a 3.59 GB download. Because that download can take a long time in countries like China, some developers have been searching for it on other, non-Apple sites. The versions of Xcode they find, of course, have been infected with malware and compile apps that are just as infected. Researchers at Palo Alto Networks have dubbed this infected compiler and the resulting malware XcodeGhost.

XcodeGhost's primary behavior in infected iOS apps is to collect information on the devices and upload that data to command and control (C2) servers. The malware has exposed a very interesting attack vector: targeting the compilers used to create legitimate apps. This technique could also be adopted to attack enterprise iOS apps or OS X apps in much more dangerous ways.

Apple will no doubt continue to harden Xcode and the App Store to minimize the chances of malware getting into the chain, but the bottom line is that developers, even in China, absolutely should not download Apple apps, especially Xcode, from anywhere but Apple. It doesn't just put them at extreme risk, it puts all of us at extreme risk.

What's worse is that Apple provides technologies like Gatekeeper expressly to prevent non-App Store and/or unsigned versions of programs, including Xcode, from being installed. Those protections have to be deliberately disabled for something like XcodeGhost to successfully install.
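One way to confirm that an installed copy of Xcode is Apple's own rather than a repackaged one is to check its code signature and Gatekeeper verdict. The script below is an added example, not code from the article or from Apple; it assumes the `codesign` and `spctl` output formats shown in the constructed samples, and that the three `source=` values it accepts are the ones Apple lists for a genuine Xcode.

```shell
#!/bin/sh
# Added example (not from the article): verify that an installed Xcode.app
# carries Apple's own signature and is accepted by Gatekeeper. The parsing
# helpers take the tools' text output so they can be exercised offline;
# check_installed_xcode runs the real macOS tools.

# Pass when `codesign -dv --verbose=4` output names Apple's Xcode bundle and a
# certificate chain anchored at Apple's root CA.
xcode_signature_ok() {
    printf '%s\n' "$1" | grep -qx 'Identifier=com.apple.dt.Xcode' || return 1
    printf '%s\n' "$1" | grep -qx 'Authority=Apple Root CA' || return 1
    return 0
}

# Pass when `spctl --assess --verbose` reports the bundle accepted from an
# Apple-controlled source (assumed set of values for a genuine Xcode).
spctl_accepted() {
    printf '%s\n' "$1" | grep -q ': accepted$' || return 1
    printf '%s\n' "$1" | grep -qx -e 'source=Mac App Store' -e 'source=Apple' -e 'source=Apple System'
}

# Run the real checks against a bundle (default /Applications/Xcode.app).
# Returns 0 only if the signature verifies structurally, names Apple's chain,
# and Gatekeeper would accept it; any failure returns 1.
check_installed_xcode() {
    app=${1:-/Applications/Xcode.app}
    codesign --verify --deep --strict "$app" 2>/dev/null || return 1
    sig=$(codesign -dv --verbose=4 "$app" 2>&1) || return 1
    xcode_signature_ok "$sig" || return 1
    verdict=$(spctl --assess --type execute --verbose "$app" 2>&1) || return 1
    spctl_accepted "$verdict"
}

# Constructed sample outputs for offline use (not captured from a real machine).
GOOD_SIG='Identifier=com.apple.dt.Xcode
Authority=Apple Mac OS Application Signing
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA'
BAD_SIG='Identifier=com.apple.dt.Xcode
Authority=Mac Developer: Example Developer (CONSTRUCTED)'
GOOD_VERDICT='/Applications/Xcode.app: accepted
source=Mac App Store'
BAD_VERDICT='/Applications/Xcode.app: rejected
source=no usable signature'
```

On a Mac, `check_installed_xcode && echo genuine` performs the live check; a copy re-signed with a developer certificate, or with its signature stripped, fails the chain or Gatekeeper test.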

Additionally, although Apple's code review for App Store submissions is very strict, some applications are never reviewed by Apple. If an iOS app is used by an enterprise internally, for example, it will be distributed in-house and won't go through the App Store. By the same token, an OS X app can also be infected, and lots of OS X apps are distributed directly via the Internet rather than through the App Store.

Apple should, and no doubt will, continue to make official downloads easier and exploits harder to deliver, but there will always be new hurdles and new mechanisms. The only realistic defense is vigilance and responsibility by everyone involved.

Only download directly from Apple, and only from developers you absolutely trust.

Rene Ritchie
Contributor

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.