Update: 24th November 2015:
Since this blog post was written FireEye have continued to monitor the command and control servers (defined) of XcodeGhost to determine where devices are located that are connecting to these servers and to determine if this malware still poses a threat. They have also found an updated version of XcodeGhost that they have named “XcodeGhost S”.
FireEye have worked with Apple to remove an app from the App Store that was found to be infected with this new variant of the malware.
In addition, an app development firm Possible Mobile has detailed in a blog post how their newly updated app that was built with a verifiably legitimate version of Apple Xcode was being rejected by Apple since their app contained the XcodeGhost malware. It was eventually found that while the code written by Possible Mobile was clean, the third party libraries and frameworks used to provide essential functionality within their app were found to contain the infected code. How Possible Mobile resolved this issue, is detailed in their blog post.
How Can I Protect Myself From This Issue?
In addition to the guidance provided within the blog posts linked to below I would recommend the following:
- If you are an app developer and are submitting apps to the Apple App Store it may be worthwhile to follow the steps within Possible Mobile’s blog post concerning validating your copy of Apple Xcode and checking any third party libraries for infection.
- As detailed in FireEye’s blog post, for all of the apps installed on your Apple devices, ensure they are the latest versions. This Apple Support article explains how to enable automatic app updates. This is important since later versions of apps should not contain this malware. FireEye discovered large numbers of users (exact figures are provided in this FireEye blog post) still using older versions of their app which still contained the infected code).
- If you were using one of the apps removed by Apple from the App Store, uninstall those apps and switch to similar/alternative apps available within the App Store.
- Ensure that your Apple device is using the most recent version of iOS that is available for your device. If your device is too old to support iOS 9, this blog post may help to explain your options. Updating to most recent iOS will ensure that you are not affected by the original version of XcodeGhost. Moreover, iOS 9 and iOS 9.1 contain many fixes for other security vulnerabilities.
In recent days there has been detailed coverage of a new technique used to tamper with legitimate Apple iOS apps by adding extra code to those apps when they were being compiled (converted from human written source code into a form that a computer can use). That additional code called XcodeGhost was also found to contain a vulnerability that could allow remote access to the infected apps using a man-in-the-middle (MITM) (defined) attack as discussed in the ThreatPost article mentioned below.
In addition, a new technique used by malware authors to install a rootkit (see Aside below for a definition) on a user’s Android smartphone by having them download a popular app has also been discovered.
In order to provide advice and further information on how to protect yourself from these threats I wanted to respectfully give a shout out for the following new articles and blog posts:
- XcodeGhost continues to haunt users of the iOS App Store by Graham Cluley (writing for Lumension)
- Apple’s App Store hit by the XCodeGhost of malware present by Paul Ducklin (Sophos) (this post provides advice mainly focused on Apple iOS app developers)
- Xcodeghost Malware Stirring Up More Trouble by Michael Mimoso (Kaspersky ThreatPost)
- Apple lists 25 apps affected by XcodeGhost by John Ribeiro (ComputerWorld.com) (mentions that all infected apps have been removed from the App Store)
- Apple devs: Don’t let Apple’s Xcode validation scare you by Eric Knorr (InfoWorld.com)
- BrainTest – A New Level of Sophistication in Mobile Malware by Andrey Polkovnichenko and Alon Boxiner (CheckPoint)(Android Malware)
I hope that you find these useful in further securing your Apple iOS or Google Android based smartphone from malware.
What is a rootkit?
To provide a comprehensive definition of a rootkit I have chosen to quote from 2 well-known texts on the subject written by Reverend Bill Blunden in his book “The Rootkit Arsenal” (1st edition, Wordware Publishing 2009) and “Rootkits: Subverting the Windows Kernel” by Greg Hoglund and James Butler (Addison-Wesley, 2005). My thanks to them for providing excellent sources of information on this topic:
“A rootkit is a collection of tools (e.g. binaries, scripts, configuration files) that allow intruders to conceal their activity on a computer so that they can covertly monitor and control the system for an extended period of time by maintaining access to the root (defined) account.
While the above definition mentions a computer it still applies equally to smartphones since they run sophisticated operating systems, in this case Google Android.