Since 2003, Xcode has been Apple's premier integrated development environment (IDE), first for OS X and beginning in 2007 for iOS. Xcode, or at least a fraudulent version of Xcode, is now at the heart of a new malware attack on Apple's App Store and is affecting at least 39 apps, including We Chat, which has approximately 500 million users in Asia.
Researchers at Alibaba dubbed the Xcode malware XcodeGhost after the first reports of a new strain of iOS malware appeared on Sina Weibo. Further investigation and analysis from Claud Xiao, security researcher at Palo Alto Networks, confirmed that XcodeGhost is complier malware that was injected into unofficial Xcode installers.
"XcodeGhost's primary behavior in infected iOS apps is to collect information on the devices and upload that data to command and control (C2) servers," Xiao wrote in a blog post. "The malware has exposed a very interesting attack vector, targeting the compilers used to create legitimate Apps."
In a statement sent to Reuters, Apple claims to have removed all the apps that were created by the XcodeGhost infected version of Xcode. "We are working with the developers to make sure they're using the proper version of Xcode to rebuild their apps," Apple stated.
Security experts eWEEK spoke with were not surprised by the new XcodeGhost attack. In fact, the basic idea of using a compiler to infect applications is one that is more than two decades old.
"The idea to infect compilers is known for a while; it was covered in widely known paper named "Reflections on Trusting Trust" by Ken Thompson from 1984," Nikias Bassen, principal mobile security researcher of Zimperium's zLabs Advanced Research and Exploitation team, told eWEEK.
There was also a real compiler attack in 2009 with W32\Induc-A, which was in the Delphi programming compiler.
"The only thing that surprises me about the XcodeGhost attack is that it took someone this long to pull it off against the iOS tool chain," Bobby Kuzma, systems engineer at Core Security, told eWEEK.
Although using a compiler to infect apps is not a new idea, there are some elements of XcodeGhost that are somewhat different. Jimmy Shah, senior security researcher at Zimperium, noted that the XcodeGhost attack is distributed as a full installation of Xcode, which is larger than 4GB.
"Previous malware that attacks compilers were all file-infecting viruses, meaning that they infected development environments that were already installed," Shah told eWEEK. "This required distributing only an infected program, generally less than 2MB, versus a complete installation disk image."
With Android malware, users can get infected by installing versions of legitimate apps that have been localized or distributed on third-party app stores, Shah said. In the same way, XcodeGhost only works since its intended targets, developers seeking local or faster Xcode downloads, are willing to install from unknown or non-official sources.
Although Apple is now taking action to remove XcodeGhost-infected apps from the App Store, it's surprising that the infected apps made it past Apple's gatekeepers in the first place, Kuzma said. "The fact that this type of attack is discussed in just about every compiler theory class makes it incredibly surprising that Apple does not have a mechanism in place for verifying that code submitted to the App Store is built using an unmodified, cryptographically verified build of their compiler," he said. "Somebody had to have been asleep at the wheel."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.