iOS

New XcodeGhost Malware Variation Discovered By Symantec

Wednesday, November 4, 2015

A new XcodeGhost malware variant has been discovered by the security team at Symantec. It was found in apps created with unofficial downloads of Xcode, which are hosted regionally, and can be attractive to developers because of the faster download speeds available when compared to the official version (due to the large file-size of Xcode).

When these unverified versions of Xcode are downloaded from unofficial sites, they can include the malicious code which can be inserted into any application developed with these versions, putting app users at risk.

The malware was originally identified by Chinese iOS developers which disclosed the new OS X and iOS malware on Sina Weibo. Alibaba researchers then posted the first analysis report on the malware, giving it the name XcodeGhost. The malicious code is located in a Mach-O object file that was included into a number of versions of unofficial Xcode installers.

By the end of September, Palo Alto Networks had identified 39 apps that had been infected with the malware, including popular apps such as WeChat or Didi. The company provides a very effective technical analysis of the malware in a blog post.

This latest report (November 3) by Symantec is a strong indication that the malware threat is not going away any time soon. As a number of security vendors have pointed out, the only way a developer can protect their apps from the malware is to use the official Xcode download.

Of course, iOS is not alone in the malware fight as, in mid October, AdaptiveMobile reported on multiple new variants of the AndroidOS.SmsThief malware which is disguised as photo or document viewer apps, as well as repackaged into Android applications. Antivirus vendors have identified these variants under the names Android.Trojan.SmsSpy and Trojan.Android/AutoSMS.

The AndroidOS.SmsThief threat begins from an infected phone, where an SMS is sent to an uninfected device, informing the user that their friend/contact has attempted to share a photograph, document or file. When the user then clicks on the link in the text message they are directed to download an app from a malicious but seemingly legitimate source.

Having installed the malware to their device and given permission to access contacts and messages, the program allows the primary attacker to monitor any and all messages sent from the infected device, potentially providing access to sensitive information such as personal and financial data while enabling the malware to spread to a wider network of contacts.