Modified versions of Xcode used to sneak malware into App Store, Apple confirms [u]

Posted in iPhone, edited February 2020
Apple on Sunday confirmed that hackers copied and altered its Xcode development software, using it to successfully infiltrate malware into the App Store.

"To protect our customers, we've removed the apps from the App Store that we know have been created with this counterfeit software," spokeswoman Christine Monaghan told the New York Times.

About 40 infected apps made it onto the App Store, according to security researchers with Palo Alto Networks. Some of the apps were extremely high-profile, including WeChat and a popular ridesharing service, Didi Kuaidi. Palo Alto said that it was working with Apple and developers to assess the impact of the security breach. Chinese security firm Qihoo claimed that over 300 apps were infected.

The modified versions of Xcode were hosted on cloud storage run by China's Baidu. Baidu has already deleted the offending software, and Apple told the Times that it's working with developers to make sure they're using an authentic Xcode release.

It's not clear how many people may have downloaded infected apps. The embedded malware can, however, launch websites that will download additional malicious code, or generate pop-ups asking people for sensitive data. Many of the sites collecting stolen data have been shut down.

Palo Alto noted that to get a modified version of Xcode, affected developers would've had to disable Apple security features. The hackers also appear to have exploited the tendency for Chinese developers to download Xcode from local servers, since connections to Apple servers can be much slower.

Apple has traditionally positioned its platforms as being more secure than Android or Windows. In fact, the strict rules and review process for the App Store have generally kept out most malware, but the size of this latest breach is unprecedented.

Update: WeChat developer Tencent noted to AppleInsider that a fixed version of the app, 6.2.6, is already out on the App Store.
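Because the tampered Xcode could only be installed after bypassing Apple's code-signing checks, the practical defence for a developer or build server is to ask Gatekeeper whether the installed copy still carries Apple's signature. The script below is an added example, not part of the article or Apple's tooling: it parses the verdict printed by macOS's `spctl --assess --verbose /Applications/Xcode.app` (Apple's post-incident guidance was that a genuine copy reports "accepted" with source=Mac App Store, source=Apple or source=Apple System) and fails for anything else. The sample outputs are constructed so the logic can be exercised on any host.

```shell
#!/bin/sh
# Added example (not from the article): classify the verdict that
# `spctl --assess --verbose /Applications/Xcode.app` prints, so a build
# pipeline can refuse a copy of Xcode that did not arrive signed by Apple.

# xcode_verdict: reads spctl output on stdin, prints GENUINE or SUSPECT,
# and returns 0 only for GENUINE. Pure shell, so it runs anywhere.
xcode_verdict() {
    verdict=unknown
    src=""
    while IFS= read -r line; do
        case "$line" in
            *": accepted"*) verdict=accepted ;;        # Gatekeeper passed it
            *": rejected"*) verdict=rejected ;;        # signature missing/broken
            source=*)       src=${line#source=} ;;    # who signed it
        esac
    done
    if [ "$verdict" = accepted ]; then
        case "$src" in
            "Mac App Store"|"Apple"|"Apple System") echo GENUINE; return 0 ;;
        esac
    fi
    # Accepted-but-Developer-ID, rejected, or no parsable verdict: treat as
    # a copy that did not come through Apple's channel and must be replaced.
    echo SUSPECT
    return 1
}

# Constructed sample outputs (assumed shape of spctl's output; on a real
# Mac the input is the live command, see main below).
GENUINE_SAMPLE='/Applications/Xcode.app: accepted
source=Mac App Store'
DEVID_SAMPLE='/Applications/Xcode.app: accepted
source=Developer ID'
REJECTED_SAMPLE='/Applications/Xcode.app: rejected
source=no usable signature'

main() {
    # Real use on macOS (spctl writes the source= line to stderr):
    #   spctl --assess --verbose /Applications/Xcode.app 2>&1 | xcode_verdict
    for s in "$GENUINE_SAMPLE" "$DEVID_SAMPLE" "$REJECTED_SAMPLE"; do
        printf '%s\n' "$s" | xcode_verdict || true   # keep going under set -e
    done
}
main
```

The exit status makes the function usable as a gate in a CI job: a non-zero result should stop the build rather than merely log a warning.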

Comments

  • Reply 1 of 72
    China's government fingerprints are all over this.
  • Reply 2 of 72
    This is nasty business. Hopefully Apple can develop an automated way to detect whether developers are using legitimate versions of development tools as part of the App Store approval process.
  • Reply 3 of 72
    nasserae wrote: »
    China's government fingerprints are all over this.

    Or the US Government, honestly. I wouldn't put this past the NSA.
  • Reply 4 of 72
    sennen

    Stupid fucking developers.

  • Reply 5 of 72
    sennen wrote: »
    Stupid fucking developers.

    What if it was intentional on their side? Then it is Apple who is stupid by letting Trojan horses easily bypass all App Store filters.

    The worst part is that it is going to be cat-and-mouse game for some time. For sure Apple is going to fix the filters which will be tuned to catch specific payloads, but will they be able to make a general fix against all possible future variations of XCode hacks?

    In the meantime I simply stop buying any apps from no-name developers.

  • Reply 6 of 72
    I thought Apple had a remote kill switch for each app installed on any iPhone, should the need arise. This would seem to be a case where that feature would be used, but there is no mention of Apple taking such a step.
  • Reply 7 of 72
    It continues to amaze me that people fear the US government more than they fear the very active, very visible and very dangerous hacking activities of Russian gangs; the Russian, Chinese and North Korean governments; and "run-of-the-mill" hackers out to steal your credentials and drain your credit and bank accounts.

    It's like worrying about the Keystone Cops while cheering on Ma Barker, Al Capone and Bonnie and Clyde. (If you don't get the references, use Bing.)
  • Reply 8 of 72
    cali
    The fandroids are gonna have a field day, no, field YEAR over this one. You won't hear the end of it while they deal with hundreds of malicious exploits, StageFright and ransomware.
  • Reply 9 of 72
    cali wrote: »
    The fandroids are gonna have a field day, no, field YEAR over this one. You won't hear the end of it while they deal with hundreds of malicious exploits, StageFright and ransomware.

    Sigh.

    Why be the first to start with the trolling then? Does it make you feel good?

    If and when "fandroids" say anything about it on these forums, have a ball trolling.

    Please, just stop it and please be better.

    Apple seems to be taking care of it. If anything we should be commending them on their actions.

  • Reply 10 of 72
    Yes, nobody in their right mind thinks the Chinese government is not involved in that... Really, a false Xcode and a dev of a major app uses that... Really... Come on. Please.... F*cking BS.

    Something so complex is not done by run of the mill hackers, this has "government resource" hack written all over it.

    This smells like total absolute sh****t.

    Apple can't point at the Chinese gov, even if they knew they were involved, but they need to react to this by looking at the code of any app updated in the last year with a fine tooth comb even if it takes them 100M dollars to do it. Also, they should lock down Xcode, and ask everyone to resubmit with it.

  • Reply 11 of 72
    So I'm using CamCard, last updated April this year. It's mentioned in the list of affected apps, no mention of which version is clean. However, the timeframe would fit within the compromised Xcode versions. It's still on the App Store. Does that mean it's not affected?
    Not cool.

    I'm thinking to move to another app altogether since a device that uses Xcode from "somewhere" doesn't spawn much trust. Even if some coding may have been outsourced. Any recommendations?
  • Reply 12 of 72
    This is some brilliantly, carefully crafted malware... I wonder just how much could potentially be hidden in an app this way.. Shrug..
  • Reply 13 of 72
    I have not heard of an exploit quite like this before, however I am not a dev so my knowledge is admittedly sparse here.
    This could be a good thing though. Apple knows what to look for next time.

    There are some interesting theories as to whether the Red Army are involved. Wasn't there a cyber summit on between Obama and Xí Jìnpíng right now?

    I wonder if there is a connection there.
  • Reply 14 of 72
    Apple can always shut down the apps and force the developers to issue a clean newly compiled version.

    Apps can also be automatically screened for identified malware code.

    And developers who keep breaking the rules can be banned.

    The situation is a lot easier to correct than on Android.

  • Reply 15 of 72
    The other thing I don't understand; there are apps, mostly games, that "check for updates" during launch, and download updated content. Could this potentially be used to install malware?
  • Reply 16 of 72
    lostkiwi wrote: »
    I have not heard of an exploit quite like this before, however I am not a dev so my knowledge is admittedly sparse here.
    This could be a good thing though. Apple knows what to look for next time.

    There are some interesting theories as to whether the Red Army are involved. Wasn't there a cyber summit on between Obama and Xí Jìnpíng right now?

    I wonder if there is a connection there.

    As far as I read the Xcode versions affected were uploaded starting one year ago. So regarding your question: not likely.
  • Reply 17 of 72
    foggyhill wrote: »
    Yes, nobody in their right mind thinks the Chinese government is not involved in that... Really, a false Xcode and a dev of a major app uses that... Really... Come on. Please.... F*cking BS.

    ***Something so complex is not done by run of the mill hackers, this has "government resource" hack written all over it.***

    This smells like total absolute sh****t.

    Apple can't point the Chinese gov, even if they knew they were involved, but they need to react to this by looking at the code or any app updated in the last year with a fine tooth comb even if it takes them 100M dollars to do it. Also, they should lock down Xcode, and ask everyone to resubmit with it.

    Yeah, because a couple of intelligent guys just fooling around that just happen to be going to the same high school create an almost trillion $ company... can only happen in America, right?

    With that stupid comment aside: my concern is that the Android fans will surely come up with the idea that, "if China can do it, then surely the security forces around the world including the NSA in America, can do the same thing".

    Hard to dispel that very possibility... UNLESS you agree with my first snarky statement.
  • Reply 18 of 72
    ThePixelDoc wrote: »
    Yeah, because a couple of intelligent guys just fooling around that just happen to be going to the same high school create an almost trillion $ company... can only happen in America, right?

    With that stupid comment aside: my concern is that the Android fans will surely come up with the idea that, "if China can do it, then surely the security forces around the world including the NSA in America, can do the same thing".

    Hard to dispel that very possibility... UNLESS you agree with my first snarky statement.

    Not quite sure what you mean about that? The kind of things done in the 1970s in a garage is nothing compared to what supposedly happened here. And from Apple in the 1970s to now there is a lifetime of changes and innovation. It's a different world completely.

    Considering that Apple makes a huge amount of money in China, they'll have to tip toe around this, but Cook will be pissed off about this for sure.

  • Reply 19 of 72
    foggyhill wrote: »
    Not quite sure what you mean about that? The kind of things done in the 1970s in a garage is nothing compared to what supposedly happened here. And from Apple in the 1970s to now there is a lifetime of changes and innovation. It's a different world completely.

    Considering that Apple makes a huge amount of money in China so they'll have to tip toe around this, but Cook will be pissed off about this for sure.

    Please explain... because we don't KNOW yet what happened here exactly and for a fact.

    It very well could be just another group of kids (yes they are a bit more connected outside of the city they live in) and sharing an easy and faster download through a storage locker. Other parties privy to that software surely could have hacked it, including the government (in)security apparatus, I'm not disputing that at all. We just don't know any of that as fact just yet.

    Government tampering: if China can do it, so can the intelligence agencies around the world. And if not via sharing lockers, then via packet/download intercepts and WiFi/router holes between developers and official Apple.

    The fact that x-code can be tampered with AND spoofed apps can be deployed to the App Store... is actually the HUGE problem here. So yeah, Apple needs to get on this quick... but can they really stop it now and in the future? That's the big question that they need to answer to back up their (and our!) equally big claims of superiority over the competitors.

    Re: not the 70's -- are you sure that we're living in completely different times? Are you saying the Cold War wasn't real and still ongoing? That we weren't and still aren't being manipulated by media and propaganda just like always? That there weren't, and still aren't, those in government around the world that are intent upon keeping us all in the dark, at each other's throats, to promote their own small-penis and power-hungry objectives, AND to make money from it all at the same time?

    Questions to consider, and added detail into "what I was getting at".

    Technology-wise: of course we live in different times. Although oddly enough the first little project the Steve & Steve Co. created was to tap pay phones. That's a one-way ticket to Gitmo these days depending on your faith and color of skin... although quite possibly to the White House and a scholarship at MIT if it can be used to further a political objective.
  • Reply 20 of 72
    macaholic_1948 wrote: »
    It continues to amaze me that people fear the US government more than they fear the very active, very visible and very dangerous hacking activities of Russian gangs; the Russian, Chinese and North Korean governments; and "run-of-the-mill" hackers out to steal your credentials and drain your credit and bank accounts.

    It's like worrying about the Keystone Cops while cheering on Ma Barker, Al Capone and Bonnie and Clyde. (If you don't get the references, use Bing.)

    All hackers are dangerous for society and every person. They can steal your money, credentials, freedom and life. Everybody has to make their own order of what is most valuable to them. And no hacker group is completely under the control of any government. And governments are usually puppets.
