Hackers pulled off an unprecedented feat, lulling unwitting developers into loading thousands of iOS apps with adware, security experts said Friday.
"This is the first instance that I can recall," said Raymond Wei, senior director of mobile development at FireEye, a Milpitas, Calif. network security firm, when asked whether a top-tier app system had ever been infected through first-party development tools.
Wei was referring to the hacking campaign, dubbed "XcodeGhost" by a Chinese researcher, that took a very unusual approach to getting malicious code into iOS apps distributed via Apple's App Store. Rather than inject attack code into a single app, then try to get that past Apple's automated and human reviewers, the XcodeGhost hackers instead infected Xcode, Apple's integrated suite of software development tools for crafting apps and applications for iOS and OS X.
Xcode is available free of charge from the Cupertino, Calif. company's Mac App Store.
But the XcodeGhost gang did not infect that version of the development suite.
Instead, it modified a legitimate copy, seeded the counterfeit on a popular Chinese file-sharing service and promoted its fake-Xcode as not only the real deal, but available much faster from within China because of the service's speed advantage over trans-Pacific links to the official Apple site.
Chinese iOS developers took the bait -- hook, line and sinker. But by using the infected Xcode they unknowingly infected the apps they created with the bootleg.
When asked the same question about XcodeGhost's uniqueness, Domingo Guerra, co-founder and president of Appthority, a San Francisco-based mobile risk management vendor, agreed with Wei. However, Guerra pointed to something akin to XcodeGhost. "A year and a half ago, we saw a vulnerability in an ad network's SDK [software development kit]," he said without naming names. The vulnerability was exploited to craft ads that answered to hackers' command-and-control network.
Apple was not able to detect that the apps were, in fact, infected by XcodeGhost. "The malformed code was injected by the compiler," said Wei. "There was no baseline [hash] for Apple to compare, so it couldn't know that they were infected."
The number of apps afflicted with XcodeGhost have been in dispute. Wei said that FireEye had identified more than 4,000 before Apple began pulling them earlier this week. Guerra, on the other hand, cited a very-specific 477 that Appthority found on the App Store. Other security researchers and vendors tossed out numbers of all kinds.
Apple has not disclosed the number of affected apps, but has listed the top 25 most popular apps that were infected, and claimed that off that list, "The number of impacted users drops significantly."
Among the top infected iOS apps were WeChat, Didi Taxi, Baidu Music, Angry Bird 2 - Yifeng Li's Favorite, and Flush. The apps are most popular in China.
But iOS users outside of the People's Republic were also affected, contended both Guerra and Wei. While some iOS apps are limited to specific markets, most are not, and thus appear on Apple's numerous e-stores across the globe. Guerra said that Appthority found evidence of malformed apps downloaded by users around the world; Wei added that U.S. users were among them.
The infected apps' actions were also reported with a wide variety of claims.
Guerra and Wei said that their investigations concluded that the apps were behaving like adware, a category named for spewing unwanted and unauthorized advertisements.
"It collects all kinds of device information and sends it to a remote server," wrote Andreas Weinlein, a research and development engineer at Appthority, in a post to his firm's blog this week. "In addition, the response to those requests are able to trigger a standard iOS alert and able to open a given URL or show the App Store page of a given app."
The URL provided by XcodeGhost serves up ads, said Guerra. "It's very similar to aggressive adware," he noted, theorizing that the XcodeGhost group was financially motivated, and figured out how to monetize a large number of other developers' downloads.
Things could have been worse, Guerra and Wei agreed, if the hackers had baked more serious malware into the bogus Xcode. "There were rumors that it can steal iCloud passwords, but the original code [in XcodeGhost] does not have this ability," said Wei, who speculated that other criminals may have ridden XcodeGhost's coattails by modifying the counterfeit Xcode themselves to boost the attack code's functionality.
Apple began yanking the XcodeGhost-infected apps earlier in the week, and urged developers to retrieve the Xcode development toolkit from Apple's own servers, not elsewhere. The company also published instructions for verifying that a copy of Xcode is legitimate on its developer website.
Apple also took the unusual step of going public on the threat, including a Q&A-formatted post on its China website. (Apple did not replicate that post on its websites for other markets, however.)
"We have removed the apps from the App Store that we know have been created with this counterfeit software and are blocking submissions of new apps that contain this malware from entering the App Store," Apple stated on the post.
Apple blamed developers for the infections, saying that they had not only downloaded Xcode from an unofficial -- and by implication, untrusted -- source, but had to have turned off Gatekeeper for the infection to make it into their apps.
Gatekeeper is a feature in OS X -- the development platform for iOS as well as Mac apps -- that by default allows users to install only software downloaded from the Mac App Store or those digitally signed by a registered developer, including Apple. Gatekeeper debuted in 2012's Mountain Lion, but is often disabled by advanced users so that they can download third-party software not distributed through the Mac App Store.
Wei echoed Apple as he chastised the developers who grabbed the fake Xcode without checking its validity. "Developers have the responsibility to confirm that [Xcode] came from Apple and was unchanged," Wei said. "They should have used caution, and confirmed the hash value of the download."
Guerra warned that sneaky strategies like XcodeGhost are only part of a bigger problem. "This is a part of the trend that will only increase," he said. "As more and more users are doing things on mobile, attackers are finding more ways to infiltrate into mobile."