Millions of Apple users are at risk from malicious yet legitimate apps uploaded to the official App Store, which are being used in "unprecedented", live iCloud phishing attacks.
The 39 identified apps, including WeChat, one of the most popular instant messaging clients in the world, were compiled using a malicious version of Xcode, Apple's app-building toolkit, that criminals had infected.
The bad Xcode package was spread to developers through posts on forums they frequented. The links, to the Baidu file-sharing site, were advertised as a faster way to download the 3GB file than from Apple's official servers.
The attack means users of popular apps, including banking and telco software built with the repackaged malicious Xcode, are open to having their iCloud credentials stolen, along with various sets of phone data.
Other infected apps include China's official rail ticket purchasing app, the app of its biggest mobile carrier, Unicom, and one of the most popular stock trading apps in the country.
Users outside of China have also been affected by the phishing attack.
The mainstay WinZip decompression app, the Mercury Browser and Musical.ly are also currently being targeted.
Developers have scrambled to update their apps to scrub out the malicious code contained in the latest official updates.
"According to one developer’s report, XcodeGhost has already launched phishing attacks to prompt a dialogue asking victims to input their iCloud passwords," Xiao said.
"Based on this new information, we believe XcodeGhost is a very harmful and dangerous malware that has bypassed Apple’s code review and made unprecedented attacks on the iOS ecosystem. The techniques used in this attack could be adopted by criminal and espionage focused groups to gain access to iOS devices."
iDevice information is captured and sent to the attacker's command and control servers. From there, the device data is used to build phishing prompts that steal victims' iCloud passwords.
It can also exploit further iOS vulns and siphon clipboard data. Xiao said a minor change to the clipboard code would let it steal passwords copied and pasted from vaults such as 1Password and LastPass.
The iCloud phishing attack described by Xiao was first revealed on Chinese developer forums after one coder created a benign app with the compromised Xcode and noticed that the app threw anomalous and persistent requests for iCloud passwords.
"Based on [the developer's] account of the events, we believe that stealing passwords or potentially exploiting vulnerabilities in iOS and in legitimate applications may be the true purpose of XcodeGhost," Xiao said.
The Palo Alto Networks bod has published technical details of how the malicious Xcode works.
It is not the first infected compiler to surface, but it is a stealthy and efficient means of infecting apps.
Developers of in-house enterprise iOS apps who never submit their apps to Apple's App Store for review are especially vulnerable to malicious compilers.
For this reason, Xiao recommended that users only download apps from the official App Store.
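A developer-side check that follows from the infected-compiler problem above, added here as an example (it is not from the article or from Palo Alto Networks): ask Gatekeeper to assess the installed Xcode. A copy repackaged and served from a third-party mirror no longer carries Apple's signature, so `spctl --assess --verbose` reports it as rejected, whereas a genuine copy is reported as `accepted` with `source=Mac App Store` (or `Apple System` / `Apple`). The script assumes macOS with Xcode at the default path; the parsing function is separated out so it can be exercised anywhere with constructed output.

```shell
#!/bin/sh
# Added example: verify that /Applications/Xcode.app is an Apple-signed build
# before building anything with it. Not from the article; assumes macOS and
# Apple's spctl output format ("<path>: accepted" then "source=<origin>").

# Reads spctl output on stdin. Returns 0 only when the verdict line says
# "accepted" AND the source is one Apple itself signs; anything else
# (rejected, Developer ID, no signature, missing lines) returns 1.
xcode_assessment_ok() {
    verdict=""
    source=""
    # "|| [ -n "$line" ]" keeps the last line even without a trailing newline
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *": accepted")  verdict=accepted ;;
            *": rejected"*) verdict=rejected ;;
            source=*)       source=${line#source=} ;;
        esac
    done
    [ "$verdict" = accepted ] || return 1
    case "$source" in
        "Mac App Store"|"Apple System"|"Apple") return 0 ;;
        *) return 1 ;;
    esac
}

# Runs the real assessment on macOS. Path defaults to the standard install;
# pass another path as $1. Exit 2 means spctl is unavailable (not macOS).
check_installed_xcode() {
    app=${1:-/Applications/Xcode.app}
    command -v spctl >/dev/null 2>&1 || { echo "spctl not available" >&2; return 2; }
    if spctl --assess --verbose "$app" 2>&1 | xcode_assessment_ok; then
        echo "$app: Gatekeeper assessment OK (Apple-signed build)"
    else
        echo "$app: assessment FAILED; do not build with this copy" >&2
        return 1
    fi
}
```

Run `check_installed_xcode` on the build machine; a non-zero exit is the signal to discard that Xcode and re-download it from the Mac App Store or developer.apple.com.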
The news comes after Sydney researcher Mark Dowd revealed holes in iOS AirDrop that allowed legitimate apps to be silently replaced with malicious doppelgängers. ®