Apple is cleaning up its official iOS App Store after the first large-scale attack on its walled garden mobile software site.
The Xcode development tools used by iOS app makers were copied, modified, and redistributed online by hackers, who used the tampered toolchain to inject malicious code into apps available on the App Store, as previously reported.
Palo Alto Networks warned that the malware had infected more than 39 iOS apps – including messaging app WeChat – affecting hundreds of millions of users.
The XcodeGhost attack created a means for hackers to phish passwords and open URLs through the infected apps. One of the main aims was stealing iCloud logins.
Apps affected by the so-called XcodeGhost attack included some of the most popular apps in China, like the ride-hailing app Didi Kuaidi.
Meanwhile, Chinese internet security firm Qihoo 360 claimed it had already found almost 350 infected apps.
The fake developer code "was posted by untrusted sources", according to Apple, which said it was all over the problem.
"We've removed the apps from the App Store that we know have been created with this counterfeit software," an Apple spokeswoman told Fox Business in an email. "We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps."
Tencent, developer of the WeChat app, is also playing down the security flap: "A preliminary investigation into the flaw has revealed that there has been no theft and leakage of users' information or money, but the WeChat team will continue to closely monitor the situation," it said in a blog post.
Apple is known to be very strict with its application validation process and this has helped to keep iPhone and iPad users largely (but not completely) unaffected by malware.
John Smith, principal solutions architect at application security firm Veracode, said that the whole incident shook the comforting notion that iOS is safer than Android, which has had a malware and vulnerability problem for years.
"In recent years it has seemed that the problem of mobile malware was bigger for Android than for iOS," Smith said. "The more rigorous testing regime required before an iOS app can be published has always been considered to be the reason for this difference, but in this case it seems to have fallen short. One very interesting aspect of this incident is that the developers of the apps had no knowledge that their own code was being used to carry malware – it was the modified development environment (Xcode) that introduced the payload."
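The practical lesson of a tampered toolchain is that the build environment itself needs verifying. The script below is an added example, not code from the article, Apple or Veracode: it checks that an Xcode.app bundle carries a valid Apple code signature and that Gatekeeper accepts it as distributed by Apple, which is the check a developer would run before trusting a copy of Xcode obtained outside the Mac App Store. It assumes a macOS host with the `codesign` and `spctl` tools; the sample assessment strings in the parsing helper are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): verify that an Xcode.app bundle is a
# genuine Apple-signed, Apple-distributed build rather than a repackaged copy.
# Assumes macOS with codesign and spctl; the parsing helper is plain POSIX sh.

# Return 0 when a `spctl --assess --verbose` result line reports an accepted
# bundle from one of Apple's own distribution channels (Mac App Store, Apple
# System, or a direct Apple download). Anything else, including "rejected" or
# a third-party Developer ID, is treated as untrusted for a toolchain.
assessment_is_trusted() {
    line=$1
    case "$line" in
        *": accepted source=Mac App Store") return 0 ;;
        *": accepted source=Apple System")  return 0 ;;
        *": accepted source=Apple")         return 0 ;;
    esac
    return 1
}

# Run the real checks on a bundle path.
# Returns 0 only if codesign's deep, strict verification passes AND Gatekeeper
# accepts the bundle from an Apple source; 1 on failure; 2 if tools are missing.
verify_xcode_bundle() {
    app=${1:-/Applications/Xcode.app}
    if ! command -v codesign >/dev/null 2>&1 || ! command -v spctl >/dev/null 2>&1; then
        echo "codesign/spctl not available; run this on macOS" >&2
        return 2
    fi
    # --deep walks every nested bundle and binary inside Xcode.app; --strict
    # rejects older, weaker signature formats. A modified toolchain fails here.
    if ! codesign --verify --deep --strict "$app" 2>/dev/null; then
        echo "$app: code signature invalid or missing" >&2
        return 1
    fi
    # spctl reports its verdict on stderr, so capture both streams.
    result=$(spctl --assess --verbose "$app" 2>&1)
    if assessment_is_trusted "$result"; then
        echo "$result"
        return 0
    fi
    echo "$app: not accepted as Apple-distributed: $result" >&2
    return 1
}

# Usage: sh check_xcode.sh /Applications/Xcode.app
# Only runs the live check when a path is supplied, so sourcing the file
# (or running it on a non-macOS host) does nothing destructive.
if [ "$#" -gt 0 ]; then
    verify_xcode_bundle "$1"
fi
```

The deep verification of a full Xcode install takes several minutes because every embedded binary is hashed; that cost is the point, since a single modified compiler library inside the bundle is enough to change the signature and fail the check.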
Code for XcodeGhost has been published on GitHub. A quick analysis by the Internet Storm Center provides pointers on how to identify poisoned apps. ®