Incautious iOS developers were duped into seeding their work with malformed code via bootleg Xcode toolset
Hackers pulled off an unprecedented feat, lulling unwitting developers into loading thousands of iOS apps with adware, security experts said Friday.

"This is the first instance that I can recall," said Raymond Wei, senior director of mobile development at FireEye, a Milpitas, Calif. network security firm, when asked whether a top-tier app system had ever been infected through first-party development tools.

Wei was referring to the hacking campaign, dubbed "XcodeGhost" by a Chinese researcher, that took a very unusual approach to getting malicious code into iOS apps distributed via Apple's App Store. Rather than inject attack code into a single app, then try to get that past Apple's automated and human reviewers, the XcodeGhost hackers instead infected Xcode, Apple's integrated suite of software development tools for crafting apps and applications for iOS and OS X.
Xcode is available free of charge from the Cupertino, Calif. company's Mac App Store. But the XcodeGhost gang did not infect that version of the development suite. Instead, it modified a legitimate copy, seeded the counterfeit on a popular Chinese file-sharing service and promoted its fake Xcode as not only the real deal, but available much faster from within China because of the service's speed advantage over trans-Pacific links to the official Apple site.

Chinese iOS developers took the bait -- hook, line and sinker. But by building with the infected Xcode, they unknowingly infected the apps they created with it.
When asked the same question about XcodeGhost's uniqueness, Domingo Guerra, co-founder and president of Appthority, a San Francisco-based mobile risk management vendor, agreed with Wei. However, Guerra pointed to something akin to XcodeGhost. "A year and a half ago, we saw a vulnerability in an ad network's SDK [software development kit]," he said without naming names. The vulnerability was exploited to craft ads that answered to hackers' command-and-control network.

Apple was not able to detect that the apps were, in fact, infected by XcodeGhost. "The malformed code was injected by the compiler," said Wei. "There was no baseline [hash] for Apple to compare, so it couldn't know that they were infected."

The number of apps afflicted with XcodeGhost has been in dispute. Wei said that FireEye had identified more than 4,000 before Apple began pulling them earlier this week. Guerra, on the other hand, cited a very specific 477 that Appthority found on the App Store. Other security researchers and vendors tossed out numbers of all kinds.
Apple has not disclosed the number of affected apps, but has listed the top 25 most popular apps that were infected, and claimed that outside that list, "The number of impacted users drops significantly."
Among the top infected iOS apps were WeChat, Didi Taxi, Baidu Music, Angry Bird 2 - Yifeng Li's Favorite, and Flush. The apps are most popular in China.

But iOS users outside of the People's Republic were also affected, contended both Guerra and Wei. While some iOS apps are limited to specific markets, most are not, and thus appear on Apple's numerous e-stores across the globe. Guerra said that Appthority found evidence of malformed apps downloaded by users around the world; Wei added that U.S. users were among them.
The infected apps' actions were also reported with a wide variety of claims. Guerra and Wei said that their investigations concluded that the apps were behaving like adware, a category named for spewing unwanted and unauthorized advertisements.

"It collects all kinds of device information and sends it to a remote server," wrote Andreas Weinlein, a research and development engineer at Appthority, in a post to his firm's blog this week. "In addition, the response to those requests is able to trigger a standard iOS alert and able to open a given URL or show the App Store page of a given app."

The URL provided by XcodeGhost serves up ads, said Guerra. "It's very similar to aggressive adware," he noted, theorizing that the XcodeGhost group was financially motivated, and figured out how to monetize a large number of other developers' downloads.
Things could have been worse, Guerra and Wei agreed, if the hackers had baked more serious malware into the bogus Xcode. "There were rumors that it can steal iCloud passwords, but the original code [in XcodeGhost] does not have this ability," said Wei, who speculated that other criminals may have ridden XcodeGhost's coattails by modifying the counterfeit Xcode themselves to boost the attack code's functionality.

Apple began yanking the XcodeGhost-infected apps earlier in the week, and urged developers to retrieve the Xcode development toolkit from Apple's own servers, not elsewhere. The company also published instructions for verifying that a copy of Xcode is legitimate on its developer website.

Apple also took the unusual step of going public on the threat, including a Q&A-formatted post on its China website. (Apple did not replicate that post on its websites for other markets, however.)

"We have removed the apps from the App Store that we know have been created with this counterfeit software and are blocking submissions of new apps that contain this malware from entering the App Store," Apple stated on the post.
Apple blamed developers for the infections, saying that they had not only downloaded Xcode from an unofficial -- and by implication, untrusted -- source, but had to have turned off Gatekeeper for the infection to make it into their apps.

Gatekeeper is a feature in OS X -- the development platform for iOS as well as Mac apps -- that by default allows users to install only software downloaded from the Mac App Store or software digitally signed by a registered developer, including Apple. Gatekeeper debuted in 2012's Mountain Lion, but is often disabled by advanced users so that they can download third-party software not distributed through the Mac App Store.

Wei echoed Apple as he chastised the developers who grabbed the fake Xcode without checking its validity. "Developers have the responsibility to confirm that [Xcode] came from Apple and was unchanged," Wei said. "They should have used caution, and confirmed the hash value of the download."
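The two checks the article mentions, Gatekeeper's verdict on the installed Xcode and the hash of the download, as an added shell example that is not from the article, Apple, FireEye or Appthority. It assumes Apple's published check is `spctl --assess --verbose /Applications/Xcode.app`, that its verbose output is a verdict line followed by a `source=` line, that the legitimate sources are "Mac App Store", "Apple System" and "Apple", and that the expected digest is a placeholder the reader copies from Apple's own site; the sample transcripts are constructed.

```shell
#!/bin/sh
# Added example: verify a downloaded Xcode before building anything with it.
# Assumptions (not from the article): Apple's Gatekeeper check is
#   spctl --assess --verbose /Applications/Xcode.app
# and its verbose output is a verdict line followed by a source line, e.g.
#   /Applications/Xcode.app: accepted
#   source=Mac App Store
# Legitimate sources are taken to be "Mac App Store", "Apple System" and "Apple".

# Return 0 only when an spctl transcript reads "accepted" from a legitimate source.
# A bootleg Xcode that Apple never signed, or one re-signed with some other
# certificate, fails here even though it still launches once Gatekeeper is off.
xcode_verdict_ok() {
    verdict=$(printf '%s\n' "$1" | sed -n '1s/^.*: *//p')
    src=$(printf '%s\n' "$1" | sed -n 's/^source=//p')
    [ "$verdict" = "accepted" ] || return 1
    case "$src" in
        "Mac App Store"|"Apple System"|"Apple") return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the SHA-256 of the downloaded archive equals the expected digest.
# The expected value must be read from Apple's own site, never from the mirror
# that served the file: a mirror that swapped the archive can swap the hash too.
xcode_digest_ok() {
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$1" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$1" | cut -d' ' -f1)   # macOS ships shasum, not sha256sum
    fi
    [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# Driver for a Mac: both checks must pass before the toolchain is trusted.
check_xcode() {
    archive="$1"                        # the Xcode .dmg/.xip that was downloaded
    expected="$2"                       # PLACEHOLDER: digest copied from Apple's download page
    app="${3:-/Applications/Xcode.app}"
    xcode_digest_ok "$archive" "$expected" || { echo "REJECT: archive digest mismatch"; return 1; }
    out=$(spctl --assess --verbose "$app" 2>&1)
    xcode_verdict_ok "$out" || { echo "REJECT: Gatekeeper says: $out"; return 1; }
    echo "OK: $app accepted by Gatekeeper and archive digest matches"
}
```

Run it as `check_xcode Xcode.xip <digest-from-Apple>` on the Mac where Xcode was installed; a "Developer ID" or "no usable signature" verdict means the copy did not come from Apple.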
Guerra warned that sneaky strategies like XcodeGhost are only part of a bigger problem. "This is a part of the trend that will only increase," he said. "As more and more users are doing things on mobile, attackers are finding more ways to infiltrate into mobile."
- ۹۴/۰۷/۰۵