Despite infected Apple iOS apps being banned from the App Store, the threat of the XcodeGhost malware has maintained persistence—and has indeed evolved to become even more dangerous.
Just over a month ago, iPhone and iPad users were warned that XcodeGhost was lurking in malicious apps in the Chinese App Store; Apple quickly reacted, taking down infected apps from the App Store and releasing new security features to stop malicious activities.
However, according to FireEye, XcodeGhost is now making inroads to US enterprises whose employees use iPhones: Its botnet is still partially active, and a variant FireEye called XcodeGhost S reveals that more advanced samples went undetected. A total of 210 enterprises have been documented with XcodeGhost-infected applications running inside their networks, generating more than 28,000 attempts to connect to the XcodeGhost command and control (CnC) servers—which, while not under attacker control, are vulnerable to hijacking by threat actors.
XcodeGhost CnC traffic can be hijacked to distribute apps outside the App Store, force-browse to a URL, aggressively promote any app in the App Store by launching the download page directly or drive pop-up phishing windows.
“Although most vendors have already updated their apps on App Store… many users are actively using older, infected versions of various apps in the field,” explained FireEye, in an analysis. “Until these employees update their devices and apps, they are still vulnerable to potential hijacking of the XcodeGhost CnC traffic—particularly when outside their corporate networks.”
The infected iPhones are running iOS 6 to 9—but nearly 70% of the victims detected remain on older iOS versions.
However, Tod Beardsley, principal security research manager at Rapid7, told Infosecurity via email that insecure development processes are also to blame for the infections, and will continue to pose a significant challenge to Apple's app-vetting process.
“While it's troubling to see trojaned applications continue to pop up on Apple's App Store, it's important to remember that XCodeGhost (and its variants) still rely on software developers to break at least two rules when it comes to installing developer tools,” he explained. “First, developers must seek out an unofficial source for XCode, the development platform for iOS, and second, they must affirmatively bypass Gatekeeper, the anti-malware system that is designed to prevent installation of unsigned application binaries.”
He added, “Apple does control entry into the Apple Developer Program. It would be entirely reasonable for Apple to kick out app developers who go out of their way to create insecure development environments, once these developers have been found to be producing XCodeGhost-infected apps.”
Some enterprises have taken steps to block the XcodeGhost DNS query within their network to cut off the communication between employees’ iPhones and the attackers’ CnC servers to protect them from being hijacked. However, user action is still needed, FireEye noted.