It has been observed that a compiler malware named "XcodeGhost", targeting the iOS/OS X operating systems, is spreading. The attacker mainly targets some versions of Apple's official tool "Xcode IDE" by embedding a malicious object file ("Mach-O") into legitimate Xcode installers, repackaging the installer and then uploading the trojanized Xcode installer to Baidu and similar cloud file sharing services for use by iOS/OS X developers. Developers may unknowingly build malicious apps with this trojanized Xcode. These malicious apps can bypass the Apple code review, leading to their publication on the App Store, from where they are downloaded by users.
The malware is capable of performing the following functions:
- Collect device information such as current time, device name and type, device UUID etc.
- Collect information such as the infected app's name, the app's bundle identifier, the current system language and country, network type etc.
- Make network connections to its command and control server.
- Prompt a fake alert dialog to phish user credentials.
- Hijack the opening of specific URLs based on their scheme, which could allow exploitation of vulnerabilities in the iOS system or other iOS apps.
- Read and write data in the user's clipboard, which could lead to disclosure of sensitive information.
- Upload exfiltrated data to attacker's server.
It has also been reported that genuine, unaffected versions of the Xcode IDE are also found on Baidu cloud file share; "XcodeGhost" affects some versions (i.e. versions 6.1 to 6.4 and Xcode 7) of the Xcode IDE. Links to the trojanized Xcode installer are posted on various forums and websites frequently visited by iOS developers, including Douban, SwiftMi, CocoaChina, OSChina, etc.
Aliases: TrojanSpy:iOS/XcodeGhost!rfn [Microsoft], TrojanSpy:iOS/XcodeGhost.A [Microsoft], OSX.Codgost [Symantec], IOS.Codgost [Symantec], BACKDOOR:PHONEOS/XCODEGHOST [F-Secure], Trojan.MAC.OSX.XcodeGhost [F-Secure], XcodeGhost [F-Secure], PhoneOS.Trojan.XcodeGhost.7 [Dr. Web], Gen:Variant.Trojan.MAC.OSX.XcodeGhost.1 [G Data], HEUR:Trojan.OSX.XcodeGhost.a [Kaspersky], OSX/XcodeGhost.D.1 [Avira], iPh/XcdGhost-C [Sophos]
The malicious, repackaged installer targets the "CoreServices" component of the genuine Xcode package. This component is a Mach-O object file that is used by the LLVM linker and cannot be executed directly in any way. This "CoreServices" object file is responsible for running fundamental system services for iOS devices.
The attacker injects malicious code into this "CoreServices" object file and repackages the Xcode installer, so that the malicious "CoreServices" file is included in iOS apps compiled with the infected Xcode, without the developer's consent.
When users install these apps, the apps make use of the malicious "CoreServices" file, which runs system services and collects device information that is posted to the command and control server.
Code Snippet to show collected Device information:
Indicators of Compromise:
Files Added by the attacker in the legitimate Xcode installer are:
The Trojan may send the stolen information to the following location using HTTP POST:
Note: 39 apps reported as malicious are mentioned here.
- Enable two-step verification for your Apple ID
- Developers should always directly download official development tools from official channels. This includes downloading Xcode, SDKs and the Command Line Tools from Apple's websites or from Mac App Store, and downloading third-party libraries such as Unity3D from their original providers.
- Developers should set the Gatekeeper protection level to its default value on the Mac computers they use for development, integration and deployment. To do this, open System Preferences, Security & Privacy, and allow only apps downloaded from "Mac App Store and identified developers."
- Check the integrity of development tools and libraries before building a new version of a product, using the "codesign" utility or by checking hash values.
- Install applications from trusted application stores only.
- If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request.
- Do not accept applications that are unsigned or sent from unknown sources.
- Turn off and remove unnecessary services