When Apple learned that XcodeGhost had infected more than 4,000 applications in its App Store, the company moved quickly to identify the infected apps and remove them. Apple then released a set of new security features intended to stop this kind of attack.
Xcode is Apple's development environment, used by developers to build their apps. XcodeGhost is a tampered copy of Xcode that silently inserts malicious code into every app compiled with it, without the developer's knowledge. Any app built with the compromised Xcode carries that code, even though the developer wrote none of it.
What XcodeGhost Does
XcodeGhost harvests data from the legitimate apps it is compiled into. The data it collects includes the device's location and language settings, network information, the device's "identifierForVendor" and more. Once XcodeGhost has gathered this information, it sends it to an external server.
If you have any of the infected apps, the best thing to do is to delete them from your device. Then make sure you are running the latest version of iOS 9 and change all of your passwords.
New App Store Security Features
Apple's new security features were supposed to be the end of it, but FireEye, a security company that provides automated threat protection against advanced cyber threats, recently announced that its researchers had detected a modified XcodeGhost and found infected apps in use at 210 enterprises.
The company said on its site, “FireEye researchers have found that, despite the quick response, the threat of XcodeGhost has maintained persistence and been modified.”
After four weeks of monitoring, the enterprises running XcodeGhost-infected applications had generated more than 28,000 attempts to connect to the XcodeGhost command and control (CnC) servers, an average of 133 attempts per enterprise.
Even though the CnC servers were not known to be under the attackers' control at that point, FireEye warned that they were vulnerable to potential hijacking, since the infected apps were still trying to reach them.
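The 28,000 connection attempts FireEye counted are exactly the kind of signal a defender can pull out of outbound proxy logs: infected apps keep beaconing to the CnC hosts whether or not anyone is listening on the other end. The script below is an added example, not code from the article or from FireEye. It parses constructed proxy log lines, matches the destination host against a placeholder indicator list (the `.invalid` names are assumptions standing in for a real threat-intel feed, not actual XcodeGhost domains), and totals beacons per organisation the way the report did.

```python
"""Count beacons to suspected XcodeGhost CnC hosts in outbound proxy logs.

Added example, not from the article or FireEye. The CnC host list and the
log lines are constructed placeholders (assumptions), not real indicators.
"""
import re
from collections import Counter, defaultdict

# Assumed placeholder indicator list: a real deployment would load the CnC
# domains from a threat-intel feed rather than hard-code them here.
SUSPECTED_CNC_HOSTS = {
    "cnc-example-a.invalid",
    "cnc-example-b.invalid",
}

# Constructed proxy log lines in a simplified
# "timestamp client org host path status" form.
SAMPLE_PROXY_LOG = """\
2015-11-03T10:01:02Z 10.1.0.5 acme cnc-example-a.invalid /index.php 200
2015-11-03T10:01:07Z 10.1.0.5 acme cnc-example-a.invalid /index.php 200
2015-11-03T10:02:11Z 10.1.0.9 acme www.example.com / 200
2015-11-03T10:03:40Z 10.2.0.3 globex cnc-example-b.invalid:443 /index.php 503
2015-11-03T10:04:00Z 10.3.0.7 initech www.example.com /news 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<org>\S+) (?P<host>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_beacons(log_text, cnc_hosts=SUSPECTED_CNC_HOSTS):
    """Return (beacons_per_org, clients_per_org) for lines that hit a CnC host.

    Malformed lines are skipped rather than aborting the run, and the host is
    normalised (port stripped, lower-cased) so "Host:443" still matches.
    """
    per_org = Counter()
    clients = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = rec["host"].split(":")[0].lower()
        if host in cnc_hosts:
            per_org[rec["org"]] += 1
            clients[rec["org"]].add(rec["client"])
    return dict(per_org), {org: sorted(ips) for org, ips in clients.items()}


def summarize(per_org):
    """Total attempts, number of affected orgs and the per-org average."""
    total = sum(per_org.values())
    orgs = len(per_org)
    avg = total / orgs if orgs else 0.0
    return total, orgs, avg


if __name__ == "__main__":
    beacons, clients = find_beacons(SAMPLE_PROXY_LOG)
    total, orgs, avg = summarize(beacons)
    print(f"{total} beacon attempts from {orgs} organisation(s), avg {avg:.1f} per org")
    for org, n in sorted(beacons.items()):
        print(f"  {org}: {n} attempt(s) from {', '.join(clients[org])}")
```

Note the 503 on the globex line: a beacon that fails because nobody answers is still a beacon, and the client that sent it still needs the infected app removed. It is also the reason the hijacking warning matters, since a host that infected apps keep contacting is worth taking over for whoever can get control of the name.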
Some of the key findings during this period were that XcodeGhost has entered U.S. enterprises and is a persistent security risk; that its botnet is still partially active; and that a variant FireEye calls XcodeGhost S includes more advanced samples that had gone undetected. XcodeGhost S adds features to infect iOS 9 and to bypass static detection.
Apple is well known for the strict controls it places on its App Store. But as the platform grows more popular around the world, it won't be long before it faces the same challenges as other operating systems, so you have to take matters into your own hands and proactively protect your device.