Thousands of iOS apps infected by XcodeGhost

Researchers from FireEye found over 4000 trojanized apps on the App Store

The impact of iOS app developers unknowingly using a rogue version of the Xcode development tool is turning out to be greater than initially thought: early reports listed just 39 apps that had been trojanized with the tool, but security researchers have since identified thousands more.

On Friday, security research firm Palo Alto Networks reported that 39 apps found in the App Store had been compromised after their developers -- most of them located in China -- used a rogue version of Xcode that had been distributed on forums. Xcode is a development tool for iOS and OS X apps provided by Apple.

The malicious Xcode version, which has been dubbed XcodeGhost by security researchers, added hidden functionality to any application compiled with it. Those apps were then uploaded by unknowing developers to the official App Store, bypassing one of the main malware defenses of the iOS ecosystem.

On Tuesday, mobile security firm Appthority reported that it had found 476 apps infected by XcodeGhost among those used by its enterprise customers.

"We had a closer look at the data and were able to track the start of the infection to April 2015 with a significant uptick in infections over this last month of September," the company's research team said in a blog post.

The hidden code added by XcodeGhost to applications collects identifying information about devices they're installed on and can open URLs. The rogue tool's creators could have added more harmful functionality, but they apparently chose not to, at least for now.

"Given our risk analysis results of infected apps regarding their actual behavior, we feel that 'AdWare' might be a more appropriate classification rather than malicious 'malware'," the Appthority researchers said,

Also Tuesday, researchers from security firm FireEye revealed that the real number of iOS apps trojanized by XcodeGhost is not in the tens or hundreds, but in the thousands. The company has identified over 4,000 infected apps so far on the App Store.

While the command-and-control servers used by XcodeGhost have been taken down, the malicious apps still try to connect to them using unencrypted HTTP connections, the FireEye researchers said in a blog post. Such HTTP sessions are vulnerable to hijacking by other attackers, it said.

Since security companies keep identifying more infected apps, it's hard for users to keep track of them manually or even to rely on a single product to detect them. All they can do is hope that Apple is working to remove the apps from the App Store and notify users.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?