The message started appearing in Chinese developer forums about six months ago: A high-speed download site for Apple's latest Xcode development environment was now available.
Because the hefty 3.6GB free software package often slowed downloads in China, many developers took advantage of the link, which sent them to a page that listed all recent versions of Xcode, from 6.0.1 to 7, according to an analysis by network security firm Palo Alto Networks. Yet the software was not what it seemed: Malicious attackers had embedded a Trojan horse into many of the programs. Any program built with the infected software would collect information on the iOS device on which the app ran and send that information to a command-and-control server.
The attack resulted in a large number of infected applications--reportedly more than a thousand—invading the Apple App Store in China. In addition, some internationally popular programs—such as WeChat, which boasts 500 million users—were infected by developers using the compromised Xcode package.
In the end, the attack showed that developers are now seen as a step along the path to targeting hundreds of millions of mobile users, Ryan Olson, director of threat intelligence for Palo Alto Networks, told eWEEK.
"I think it should be a wake-up call for developers," he said. "If the eventual goal is to infect users' systems, then developers have become a really important step to getting to that. You have a big target on your back, all of the sudden."
The attack could have been worse. While millions of users likely downloaded infected applications, the software merely could have leaked users' information, and it is unclear whether it did. In addition, when developers patched their programs, and users updated, the malicious code disappeared along with the older version of the apps.
"We have no information to suggest that the malware has been used to do anything malicious or that this exploit would have delivered any personally identifiable information had it been used," Apple said in a statement. "We’re not aware of personally identifiable customer data being impacted, and the code also did not have the ability to request customer credentials to gain iCloud and other service passwords."
Trusting the Compiler Is Hard
Yet while XcodeGhost turned out to be a less-than-tangible threat, the attack provided some tangible lessons for consumers, developers and Apple. Developers have to take the security of their tools, both hardware and software, more seriously.
"It is definitely a supply-chain issue," said Palo Alto's Olson. "If you can't trust your tools, you cannot trust what you produce."
Compiler malware is not new. The concept dates back at least to a 1974 Air Force security review of the Multics operating system that discussed the possibility of a compiler "trap door" that could "survive even a complete recompilation of the entire system."
Ken Thompson, the co-creator of Unix, made the concept even more famous in his 1983 Turing Award acceptance lecture "Reflections on Trusting Trust," when he described a way to insert a backdoor into programs by infecting the popular C compiler. Because the C compiler is compiled by the previous version of the compiler, a properly executed attack would not appear in any source code, but just propagate to any program built by the infected C compiler, including the next version of the software.
"The moral is obvious," Thompson wrote in a 1984 article based on the lecture. "You can't trust code that you did not totally create yourself. … I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader or even hardware microcode."