iCloud phishing attack hooks 39 iOS apps and WeChat

Repacked malicious Xcode framework flogged on Chinese watering hole dev sites


Millions of Apple users are at risk from malicious yet legitimate apps uploaded to the official App Store, which are being used in "unprecedented", live iCloud phishing attacks.

The 39 identified apps, including WeChat, one of the most popular instant messaging clients in the world, were compiled using a malicious version of the Xcode app-building framework that criminals had infected.

The bad Xcode package was spread to developers through posts on forums they frequently visited. The links to the Baidu file-sharing site were advertised as a faster source for the 3GB download than the official Apple servers.

The attack means users of popular apps including banking and telco software built with the repacked malicious Xcode are open to having iCloud credentials stolen, along with various phone datasets.

Other infected apps include China's official rail ticket purchasing app, its biggest mobile carrier Unicom and one of the most popular stock trading apps in the country.

Users outside of China have also been affected by the phishing attack.

The mainstay WinZip decompression app, the Mercury Browser and Musical.ly are also currently being targeted.

Developers have scrambled to update their apps to scrub out the malicious code contained in the latest official updates.

News of the hacked Xcode surfaced on a Chinese dev forum and was further analysed and broadcast by PaloAlto threat bod Claud Xiao.

"According to one developer’s report, XcodeGhost has already launched phishing attacks to prompt a dialogue asking victims to input their iCloud passwords," Xiao said.

"Based on this new information, we believe XcodeGhost is a very harmful and dangerous malware that has bypassed Apple’s code review and made unprecedented attacks on the iOS ecosystem. The techniques used in this attack could be adopted by criminal and espionage focused groups to gain access to iOS devices."

iDevice information is captured and sent to the attacker's command and control servers, where the device data is used to craft phishing attacks that steal victims' iCloud passwords.

It can exploit further iOS vulns and siphon clipboard data. Xiao said a minor change to the clipboard code would allow it to steal passwords copied and pasted from vaults such as 1Password and LastPass.

The iCloud phishing attack described by Xiao was first revealed on Chinese developer forums after one coder created a benign app with the compromised Xcode framework and noticed the app threw anomalous and persistent requests for iCloud passwords.

"Based on [the developer's] account of the events, we believe that stealing passwords or potentially exploiting vulnerabilities in iOS and in legitimate applications may be the true purpose of XcodeGhost," Xiao said.

The PaloAlto bod has published technical details of how the malicious Xcode works.

It is not the first infected compiler to surface but is a stealthy and efficient means to infect apps.

Developers of in-house enterprise iOS apps who never submit their apps to Apple's App Store for review are especially vulnerable to malicious compilers.

For this reason Xiao recommended that users should only download from the official App Store.
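The lesson for developers is that the build toolchain itself is part of the supply chain: an Xcode fetched from a faster mirror has to be checked against something the mirror cannot tamper with. As an added example (not code from the article or from Palo Alto Networks' write-up), the Python below verifies an unpacked toolchain tree against a manifest of SHA-256 digests obtained through a trusted channel, such as the vendor's own download page, and reports files that were modified, are missing, or were added. The directory layout, file names and the tampering it demonstrates are constructed here for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so multi-gigabyte toolchains do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_toolchain(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare every file under `root` with `manifest` (relative path -> expected hex digest).

    Returns a report with four sorted lists: ok, modified, missing, unexpected.
    A repackaged installer typically shows up as one or more modified files plus
    extra files that the trusted manifest never listed.
    """
    report: dict[str, list[str]] = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
            continue
        # Constant-time comparison avoids leaking how many leading hex characters matched.
        if hmac.compare_digest(sha256_file(path), expected.lower()):
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            if rel not in manifest:
                report["unexpected"].append(rel)
    for entries in report.values():
        entries.sort()
    return report


def is_trustworthy(report: dict[str, list[str]]) -> bool:
    """A toolchain is only usable when nothing is modified, missing or unexpected."""
    return not (report["modified"] or report["missing"] or report["unexpected"])


def build_demo_toolchain(tamper: bool) -> tuple[Path, dict[str, str]]:
    """Construct a tiny fake toolchain tree and a manifest taken from the pristine copy.

    With tamper=True the tree is then altered the way a repackaged download would be:
    one framework binary is replaced and one extra object file is dropped into the tree.
    All names and contents are constructed for this example.
    """
    root = Path(tempfile.mkdtemp(prefix="toolchain-demo-"))
    files = {
        "usr/bin/clang": b"#!/bin/sh\nexit 0\n",
        "Library/Frameworks/Build.framework/Build": b"pristine framework bytes\n",
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    manifest = {rel: sha256_file(root / rel) for rel in files}
    if tamper:
        (root / "Library/Frameworks/Build.framework/Build").write_bytes(b"repackaged framework bytes\n")
        (root / "Library/Frameworks/Build.framework/injected.o").write_bytes(b"\x00")
    return root, manifest


if __name__ == "__main__":
    for tampered in (False, True):
        tree, expected = build_demo_toolchain(tamper=tampered)
        result = verify_toolchain(tree, expected)
        print("tampered" if tampered else "pristine", "->", "trusted" if is_trustworthy(result) else "REJECT", result)
```

The manifest must come from a channel independent of the download (a digest read off the same mirror proves nothing), and the check belongs in the build pipeline, not only on a developer's laptop, because the article's point is that in-house enterprise apps never pass through App Store review. On macOS the vendor's own code-signature assessment of the Xcode bundle is the more authoritative test; a pinned digest manifest complements it by tying CI to one exact archive.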

The news comes after Sydney researcher Mark Dowd revealed holes in iOS AirDrop that allowed legitimate apps to be silently replaced with malicious doppelgängers. ®
