The XcodeGhost Plague – How Did It Happen?

The iOS app store has traditionally been viewed as a safe source of apps, thanks to Apple’s policing of its walled garden. However, that is no longer completely the case, thanks to the discovery of multiple legitimate apps in the iOS app store that contained malicious code, which was dubbed XcodeGhost.

So, how did XcodeGhost happen? Xcode (Apple’s toolkit for developing on their various platforms) has been a challenge for Chinese developers to download from official sources because of its size (multiple gigabytes) and the slow connection speed to Apple’s servers. (For Chinese users, access to sites within China is much faster than sites outside the country.) As a result, many Chinese iOS app developers did not download Xcode from official sources. Instead, they resorted to downloading copies that were hosted on local file-sharing sites and posted in various online forums:

Figure 1. Forum post advertising Xcode copies

Unfortunately, these copies added a new CoreService development framework to replace the original which contained malicious code. As result, every app built with these tools contained the malicious code. The screenshots below show how a malicious URL was added into the code, which would be accessed by the apps created with the malicious tools. The first screenshot is from a modified version of Xcode 6.2; the other is from a modified version of 6.4. The modified version of 6.4 attempts to hide the malicious URL in order to confuse researchers and security software. (The latest version offered for download by Apple is Xcode 7, with a beta for 7.1 available as well.)

Figure 2. Modified version of Xcode 6.2

Figure 3. Modified version of Xcode 6.4

Infected Apps

Here are some of the apps which include the XcodeGhost code. However, due to the widespread use of these copies of Xcode downloaded from other sources, other apps may be affected as well. Do take note that the apps in bold text can still be found in the app store.

BundleID	Version	AppLabel
com.51zhangdan.cardbox	5.0.1	51卡保险箱
com.cloud1911.mslict	1.0.44	LifeSmart
cn.com.10jqka.StocksOpenClass	3.10.01	炒股公开课
com.xiaojukeji.didi	3.9.7	嘀嘀打车
com.xiaojukeji.didi	4.0.0	滴滴出行
com.xiaojukeji.dididache	2.9.3	滴滴司机
com.dayup11.LaiDianGuiShuDiFree	3.6.5	电话归属地助手
sniper.ChildSong	1.6	儿歌动画大全
com.rovio.scn.baba	2.1.1	愤怒的小鸟2
com.appjourney.fuqi	2.0.1	夫妻床头话
com.autonavi.amap	7.3.8	高德地图
com.stockradar.radar1	5.6	股票雷达
cn.com.10jqka.TheStockMarketHotSpots	2.40.01	股市热点
com.jianshu.Hugo	2.9.1	Hugo
com.wdj.eyepetizer	1.8.0	Eyepetizer
com.iflytek.recinbox	1.0.1083	录音宝
com.maramara.app	1.1.0	马拉马拉
com.intsig.camcard.lite	6.5.1	CamCard
com.octInn.br	6.6.0	BirthdayReminder
com.chinaunicom.mobilebusiness	3.2	手机营业厅
cn.12306.rails12306	2.1	铁路12306
cn.com.10jqka.IHexin	9.53.01	同花顺
cn.com.10jqka.IphoneIJiJin	4.20.01	同花顺爱基金
cn.com.gypsii.GyPSii.ITC	7.7.2	图钉
com.netease.videoHD	10019	网易公开课
com.netease.cloudmusic	2.8.3	网易云音乐
com.tencent.xin	6.2.5	微信
com.tencent.mt2	1.10.5	我叫MT 2
com.gemd.iting	4.3.8	喜马拉雅FM
com.xiachufang.recipe	48	下厨房
cn.com.10jqka.ThreeBoard	1.01.01	新三板
com.simiao-internet.yaodongli	1.12.0	药给力
com.gaeagame.cn.fff	1.1.0	自由之战

Pushing Apps

Faced with pressure, the XcodeGhost author has since released a letter of apology, along with the source code. Looking into the code, we found that aside from leaking information, the code can remotely push apps. Victims will be directed to the designated app in the app store. In addition, XcodeGhost can also be used to send notifications to the user, which can be used for malicious purposes such as fraud and phishing.

Figure 4. Snippet of released source code

Affected Countries and Regions

Based on our monitoring, we found that China is the most affected country. However, the North American region was also hit hard by XcodeGhost. This isn’t that surprising, considering that several apps that are known to have been infected are available outside of China.

Figure 5. Affected countries