Recently, Chinese iOS developers have discovered a new OS X and iOS malware dubbed XcodeGhost that has appeared in malicious versions of Xcode, Apple's official toolkit for developing iOS and OS X apps.

The hack of Apple's Xcode involves infecting the compiler with malware and then passing that malware onto the compiled software.

This is a unique approach because the hack does not attempt to inject attack code into a single app, and then try and sneak that past Apple's automated and human reviewers.

Instead, the malicious code is infected on Xcode itself, which is used by software developers to craft and develop the apps for iOS and OS X operating system.

The primary behavior of XcodeGhost in infected iOS apps is to collect information on devices and upload that data to command and control (C2) servers.

Once the malware has established a foothold on infected devices, it has the ability to phish user credentials via fake warning boxes, open specific URLs in a device's web browser, and even scrape the clipboard.

The current feature set of XcodeGhost is not necessarily what should alarm security experts. Instead, the primary concern should come from its ability to get past Apple's review process, which is typically known for its careful inspection of apps allowed to be published to its official app store.

Since XCode is one of the main tools used to produce Apple software for both Apple Mac computers and iPhones, this could potentially impact millions of users.

PaloAlto Networks identified nearly 50 infected applications on the iOS (iPhone) platform alone, which was then increased exponentially with the discovery of more than 4,000 infected apps by FireEye researchers.

The popular instant messaging app WeChat, Chinese Uber-like cab service Didi Kuaidi, photo editor Perfect365, music streaming service NetEase, and card scanning tool CamCard, were found to be infected by the malicious Xcode.

The infected iOS apps receive commands from the attacker via the command and control server to perform the following actions:
  • Prompt a fake alert dialog box to steal user credentials (username and password).
  • Trick user to open specific URLs that could allow for exploitation of bugs in the iOS system or other iOS apps.
  • Read and write data to the user's clipboard – to read the user's password if that password is copied from a password management tool.
Apple removed the malicious XcodeGhost apps from its official app store, but some affected apps may remain available for download.

Help is on the way


AlienVault, the leading provider of Unified Security Management™ solutions and crowd-sourced threat intelligence, can help. Their team of security experts continues to perform cutting-edge research on threats like these, collecting large amounts of data and then creating expert threat intelligence as a result.

The Labs team has already released IDS signatures and a correlation rule to the AlienVault Unified Security Management (USM) platform so customers can identify activity related to this exploit:
  • Exploitation & Installation
  • Trojan infection
  • XCodeGhost
For further investigation into XCodeGhost, visit the Open Threat Exchange (OTX) and see what research members of the community have done.

Learn more about AlienVault USM:

Apple advises that users should update the affected apps to fix the issue. It is also good practice to change your Apple iCloud account and other passwords, in case you have accidentally fallen victim to one of these hacking attempts.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.