Modified versions of Xcode used to sneak malware into App Store, Apple confirms [u]

Comments

  • Reply 21 of 72
    It continues to amaze me that people fear the US government more than they fear the very active, very visible and very dangerous hacking activities of Russian gangs; the Russian, Chinese and North Korean governments; and "run-of-the-mill" hackers out to steal your credentials and drain your credit and bank accounts.

    It's like worrying about the Keystone Cops while cheering on Ma Barker, Al Capone and Bonnie and Clyde. (If you don't get the references, use Bing.)

    1. Because the US government is known to do this same kind of stuff and to be currently waging political war against tech companies for not granting them a back door so they can cheat when doing surveillance (and not have to do their own work to get access). Who's to say they're not taking the situation into their own hands with this very exploit? The NSA is immune to law, so the DMCA and Patriot Act computer terrorism language doesn't apply to them (as in, the government sides with itself when such things come to light, and instead they attack the whistleblowers, make the people attack the whistleblowers, instead of reining in its unlawful behavior... well, what would be unlawful for anyone ELSE to do...).

    2. Because the USA is a known bully in international affairs, which has been ruining its reputation in the global sense for decades now.

    3. Because there are American citizens that resent being spied on by their OWN government more than they resent being attacked by foreign computer geek groups (regardless of how government sponsored those hack/crack geeks are or not).

    Need we keep listing reasons???

    EDIT: such as how a large percentage of impacted users are Chinese...
  • Reply 22 of 72
    Quote:

    Originally Posted by jameskatt2 View Post

    Apple can always shut down the apps and force the developers to issue a clean newly compiled version. 

    Apps can also be automatically screened for identified malware code.

    And developers who keep breaking the rules can be banned.

    The situation is a lot easier to correct than on Android.


    How is it easier to correct than on Android? Sure, the Stagefright bug is tougher due to the nature of how all carriers/OEMs need to be on board, but if looking solely at Play Store/App Store issues, Google also screens/scans apps for malicious code and bans devs for breaking rules.

  • Reply 23 of 72
    MacPro Posts: 19,718 member
    So much speculation in this thread ...

    For once there's a far better and more definitive article on MacRumors, including apps to remove immediately.

    http://www.macrumors.com/2015/09/20/xcodeghost-chinese-malware-faq/
  • Reply 24 of 72
    dewme Posts: 5,335 member
    Quote:

     Palo Alto noted that to get a modified version of Xcode, affected developers would've had to disable Apple security features. The hackers also appear to have exploited the tendency for Chinese developers to download Xcode from local servers, since connections to Apple servers can be much slower.

    Not surprising that developers would circumvent Apple's security measures. It is surprising that Apple's approval process would let malformed applications get through the screening process. Apple needs better automated tools and processes to weed out bad actor apps. Governments need better tools to identify, locate, and annihilate the creators of malware.

    This reminds us that security is a problem that just continues to get bigger and badder every day. Every one of the things that mankind has created to make our lives better through the application of technology over the last 50 years is at risk of being attacked and destroyed. The current approaches to software security seem to be too piecemeal and reactionary. Until the fundamental DNA level of how software is created and executed, down to the bare metal, is recreated to be inherently secure, we'll be in a never-ending game of whack-a-mole. The days of putting the largest onus of security enforcement (authorization, authentication, non-repudiation) on the software alone need to come to an end.

  • Reply 25 of 72
    docno42 Posts: 3,755 member
    It continues to amaze me that people fear the US government more than they fear the very active, very visible and very dangerous hacking activities of Russian gangs; the Russian, Chinese and North Korean governments; and "run-of-the-mill" hackers out to steal your credentials and drain your credit and bank accounts.

    Conspiracies are always more interesting than reality :p

    People always want to believe. Heck it was the tag line for the X Files...
  • Reply 26 of 72
    docno42 Posts: 3,755 member
    Hard to dispel that very possibility... UNLESS you agree with my first snarky statement.

    Sigh - the solution to this "problem" is simple - download Xcode only from Apple!

    The most basic tenet of computer security - know the chain and trust the source of the code you are running. People are downloading locally because Apple's servers tend to be slower - seriously?!? Slower than a 28.8 modem?

    Choosing convenience over security - and amazingly that causes problems. I love how people are jumping all over these weird philosophical discussions when the root issue is so incredibly stupid as well as EASY to solve. Don't be an idiot! Looks like the best thing Apple can do is put a caching server behind the great firewall if China will let them.

    This is a problem created entirely by the government of China and their warped internet policies. Whether it was an intended outcome or a happy byproduct, I would be shocked if they weren't pleased knowing it was at least possible.
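    The check docno42 is describing, trusting only a copy of Xcode that actually came from Apple, as an added example that is not code from the thread: a POSIX shell script that classifies the verdict of the Gatekeeper check Apple published after XcodeGhost (spctl --assess --verbose /Applications/Xcode.app). The function names are my own, and the sample spctl output strings in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Apple's post-XcodeGhost check is
#   spctl --assess --verbose /Applications/Xcode.app
# whose genuine output looks like (constructed sample):
#   /Applications/Xcode.app: accepted
#   source=Mac App Store        (or "source=Apple" / "source=Apple System")
# Anything else means the bundle was not signed by Apple, or was altered.

# xcode_verdict OUTPUT: prints "genuine", "tampered" or "unknown" for the
# text spctl produced; exit status 0 only for "genuine".
xcode_verdict() {
    out="$1"
    case "$out" in
        *": accepted"*) ;;                       # signature check passed
        *) echo "tampered"; return 1 ;;          # "rejected" or no verdict
    esac
    src=$(printf '%s\n' "$out" | sed -n 's/^source=//p' | head -n 1)
    case "$src" in
        "Mac App Store"|"Apple"|"Apple System") echo "genuine"; return 0 ;;
        "") echo "unknown"; return 2 ;;          # accepted but no source line
        *) echo "tampered"; return 1 ;;          # e.g. a Developer ID signature
    esac
}

# check_xcode [PATH]: run spctl on a real bundle (macOS only) and classify it.
check_xcode() {
    app="${1:-/Applications/Xcode.app}"
    out=$(spctl --assess --verbose "$app" 2>&1) || true
    xcode_verdict "$out"
}

# Only call spctl where it exists (macOS); elsewhere the functions just load.
if command -v spctl >/dev/null 2>&1; then
    check_xcode "${1:-}"
fi
```

    The script does not run codesign over the whole bundle, so a passing verdict confirms the Apple signature and Gatekeeper source, not every file inside Xcode.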
  • Reply 27 of 72
    docno42 Posts: 3,755 member
    MathieuLLF wrote: »
    How is it easier to correct than on Android? Sure, the Stagefright bug is tougher due to the nature of how all carriers/OEMs need to be on board, but if looking solely at Play Store/App Store issues, Google also screens/scans apps for malicious code and bans devs for breaking rules.

    Yup - Google has similar capabilities if users download from the play store - but it's far easier to get bad stuff on the play store in the first place, and also it's far easier to load stuff from places other than the play store!

    So yes, it's far easier for Apple to correct something like this when discovered and have a lot greater confidence that the problems can be cleaned up. Fundamental differences in how the platforms are architected ensure it. No one platform is perfect as this proves - but iOS is far easier to secure and keep secure.
  • Reply 28 of 72

    A lot of noise here and a bit too much hyperbole and hysteria.

    With a tip from a forum and after some short research I found the following:

    1. There's the code on GitHub

    https://github.com/XcodeGhostSource/XcodeGhost

    Perhaps someone can point me to problematic code here. I didn't find anything that's obviously malicious. Maybe I'm wrong, but it looks like it does the same as those crash log and app usage things like Flurry that are unfortunately common nowadays.

    The code sends data to cloud-analysis.com. The domain was anonymously registered.

    NSURL *url = [NSURL URLWithString:@"http://init.icloud-analysis.com"];

    The code does read device and user values available to every developer. A reason to delete the app, because it violates privacy rules.

    I wonder who found evidence that iCloud account data was breached here. I don't say it's impossible, but I would rule it out from what I have seen until now.

    2. That's in fact the code you find when you decompile the app CamScanner

    Which is what I did after I got into a total panic and found it on my phone.

    If this is the whole code I don't see anything to be concerned about.

    I will follow the news closely in order to find more if available.

    3. Why I'm still a bit worried

    First of all, apps that communicate with domains that have neither a valid SSL certificate nor proper information about the domain owner should not be allowed in the App Store. (I know that will cause a lot of headache for smaller developers. At least anonymous domains should be dropped.)

    It's at least a big privacy problem that should be addressed.

    Second, I can imagine attack vectors through Xcode. And I'm sure secret services and criminal groups are working on it.

    Developers use plugins, third party libraries etc.

    It's possible to breach devices this way. But the same is true for every IDE.

    Otherwise there would be no malicious code at all.

    At least Apple should think about ways to suppress modified copies of its developer tools in order to prevent spreading this kind of BS.
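    As an added example (not code from the thread, from XcodeGhost, or from any app named here): a scanner that reports which Mach-O binaries inside an app bundle embed the beacon host quoted in the post above, init.icloud-analysis.com. It is one way to triage a decompiled or extracted bundle like the poster did by hand; the sample bundle, its file names and the function names are constructed for illustration.

```python
"""Added example (not code from the thread or from XcodeGhost): report which
Mach-O binaries inside an .app bundle embed the beacon host quoted in the post,
init.icloud-analysis.com. The sample bundle below is constructed in a temp dir."""
import os
import re
import tempfile

# Host quoted in the post above; extend as further indicators are published.
INDICATORS = (b"init.icloud-analysis.com",)
# Mach-O magic: 32/64-bit in both byte orders, plus fat (universal) binaries.
MACHO_MAGIC = (b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf",
               b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")  # same idea as strings(1)

def is_macho(data: bytes) -> bool:
    return data[:4] in MACHO_MAGIC

def find_indicators(data: bytes) -> list:
    """Printable strings in a binary that contain any known indicator."""
    return [s.decode("ascii") for s in PRINTABLE.findall(data)
            if any(ind in s for ind in INDICATORS)]

def scan_bundle(root: str) -> dict:
    """Map each Mach-O file under root (relative path) to its indicator hits.
    Text files such as Info.plist are skipped, so a hit means the host is
    compiled into an executable, which is what the trojaned Xcode produced."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if is_macho(data):
                hits = find_indicators(data)
                if hits:
                    report[os.path.relpath(path, root)] = hits
    return report

def build_sample_bundle() -> str:
    """Constructed sample: one trojaned binary, one clean framework, a plist."""
    root = tempfile.mkdtemp(prefix="Sample.app.")
    os.makedirs(os.path.join(root, "Frameworks"))
    with open(os.path.join(root, "Sample"), "wb") as fh:          # trojaned
        fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 16 +
                 b"http://init.icloud-analysis.com\x00")
    with open(os.path.join(root, "Frameworks", "Clean"), "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 16 + b"https://example.invalid/api\x00")
    with open(os.path.join(root, "Info.plist"), "wb") as fh:       # not Mach-O
        fh.write(b"<plist>init.icloud-analysis.com</plist>")
    return root
```

    Run scan_bundle on an unpacked .ipa (the Payload/*.app directory) to get a dict of offending binaries; an empty dict means no embedded indicator string was found, not that the app is clean.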

  • Reply 29 of 72
    Quote:

    Originally Posted by Palo Alto Security Firm View Post

    Infected iOS apps

    ????? 2.8.3
    ?? 6.2.5
    ????? 5.1.1463
    ???? 4.0.0.6-4.0.0.0
    ???? 3.9.7.1 – 3.9.7
    ??12306 4.5
    ??? 4.3.2
    51???? 5.0.1
    ???????? 3.3.12
    ????????? 3.2
    ???? 7.3.8
    ?? 2.9.1
    ?? 1.8.0
    Lifesmart 1.0.44
    ????? 4.2.8
    ???? 1.1.0
    ??? 1.12.1
    ???? 4.3.8
    ???? 1.6.0
    ??? 9.60.01
    ????? 7.73
    ????
    ????
    ????
    CamScanner
    CamCard
    SegmentFault 2.8
    ?????
    ????
    ???
    ????
    OPlayer 2.1.05
    ??????? 3.6.5
    ?????2 2.1.1
    ????? 1.2
    ?? 6.6.6
    ??MT 5.0.1
    ??MT 2 1.10.5
    ???? 1.1.0


    Damn! What are the chances, I just downloaded every single one of those. I have a penchant for apps with squiggly names.

  • Reply 30 of 72
    icoco3 Posts: 1,474 member
    Quote:

    Originally Posted by AppleInsider View Post

    ...

    About 40 infected apps made it onto the App Store, according to security researchers with Palo Alto Networks. Some of the apps were extremely high-profile, including WeChat and a popular ridesharing service, Didi Kuaidi. Palo Alto said that it was working with Apple and developers to assess the impact of the security breach. Chinese security firm Qihoo claimed that over 300 apps were infected.

    ...

    I assume they will just wipe it clean...

  • Reply 31 of 72
    MacPro Posts: 19,718 member
    evilution wrote: »
    Damn! What are the chances, I just downloaded every single one of those. I have a penchant for apps with squiggly names.

    The second part of the list, which you missed, has many more common and English-titled apps.

    Mercury
    WinZip
    Musical.ly
    PDFReader
    guaji_gangtai en
    Perfect365
    ?????
    PDFReader Free
    WhiteTile
    IHexin
    WinZip Standard
    MoreLikers2
    CamScanner Lite
    MobileTicket
    iVMS-4500
    OPlayer Lite
    QYER
    golfsense
    ???
    ting
    installer
    ???
    golfsensehd
    Wallpapers10000
    CSMBP-AppStore
    ????
    MSL108
    ChinaUnicom3.x
    TinyDeal.com
    snapgrab copy
    iOBD2
    PocketScanner
    CuteCUT
    AmHexinForPad
    SuperJewelsQuest2
    air2
    InstaFollower
    CamScanner Pro
    baba
    WeLoop
    DataMonitor
    ??
    MSL070
    nice dev
    immtdchs
    OPlayer
    FlappyCircle
    ????
    BiaoQingBao
    SaveSnap
    WeChat
    Guitar Master
    jin
    WinZip Sector
    Quick Save
    CamCard
  • Reply 32 of 72
    docno42 wrote: »

    Sigh - the solution to this "problem" is simple - download Xcode only from Apple!

    <SNIPPED>

    From my other post in this thread in case you missed it:

    Government tampering: if China can do it, so can the intelligence agencies around the world. And if not via sharing lockers, then via packet/download intercepts and WiFi/router holes between developers and official Apple.

    You see... the problem is that Xcode AND hence the Apple App Store can be spoofed into "thinking" and/or not seeing that the apps were created from a derivative of Xcode.

    It really has not a whole lot to do with where Xcode is downloaded from, because that can be compromised easily even if you think it's directly from Apple.
  • Reply 33 of 72
    boredumb Posts: 1,418 member
    It's nice that folks eventually did what the article should and could have: posted lists or links to them.

    I had a weird experience, probably unrelated to this, two days ago when I purchased Purify in the App Store, and rather than use my account info without question, I was required to verify and re-verify my payment info.

    Maybe it had to do with updating to iOS9, since 'wallet' seems a little different than passbook or whatever it was before.

    Anyone else had this happen after updating to iOS9?

  • Reply 34 of 72
    icoco3 Posts: 1,474 member
    Quote:

    Originally Posted by boredumb View Post

    It's nice that folks eventually did what the article should and could have: posted lists or links to them.

    I had a weird experience, probably unrelated to this, two days ago when I purchased Purify in the App Store, and rather than use my account info without question, I was required to verify and re-verify my payment info.

    Maybe it had to do with updating to iOS9, since 'wallet' seems a little different than passbook or whatever it was before.

    Anyone else had this happen after updating to iOS9?

    Vaguely remember that with previous updates you had to do that. Update to Terms of Service, usually. I could be wrong. To test, I just went and bought Purify and only had to put in my password for the App Store.

  • Reply 35 of 72
    dysamoria wrote: »
    1. Because the US government is known to do this same kind of stuff and to be currently waging political war against tech companies for not granting them a back door so they can cheat when doing surveillance (and not have to do their own work to get access). Who's to say they're not taking the situation into their own hands with this very exploit? The NSA is immune to law, so the DMCA and Patriot Act computer terrorism language doesn't apply to them (as in, the government sides with itself when such things come to light, and instead they attack the whistleblowers, make the people attack the whistleblowers, instead of reining in its unlawful behavior... well, what would be unlawful for anyone ELSE to do...).

    2. Because the USA is a known bully in international affairs, which has been ruining its reputation in the global sense for decades now.

    3. Because there are American citizens that resent being spied on by their OWN government more than they resent being attacked by foreign computer geek groups (regardless of how government sponsored those hack/crack geeks are or not).

    Need we keep listing reasons???

    EDIT: such as how a large percentage of impacted users are Chinese...
    Believe me... You are not so important that the US government will feel the need to spy on you. And, if you were because of your suspicious activity, then too bad. Hackers, not the US government steal from everyday people and corporations to the tune of billions of dollars. Worry about them. As for the US spying on Chinese citizens— even if they did, it would be a drop in the bucket to the spying done by the Chinese on its own citizens.

    You really need to re-evaluate your concerns. The US is not nearly the nefarious culprit you think. Even its infamous NSA eavesdropping efforts collect more information than they can ever peruse. Their computers look for known phone numbers and key words and phrases. The likelihood of a specific person being singled out is very small. The vast majority of people just don't fit their profile.

    Now, chew on this: the Russians and Chinese tap into undersea cables. They also have spy satellites. And they perform massive hacking attempts. Worry about them. Too.
  • Reply 36 of 72
    frantisek wrote: »
    All hackers are dangerous for society and every person. They can steal your money, credentials, freedom and life. Everybody has to make their own order of what is most valuable to them. And none of the hacker groups is completely under the control of any government. And governments are usually puppets.
    None? The Chinese and North Koreans both run well-known hacking organizations as a part of their military. The Russians may as well. And, if they don't, they are widely suspected of contracting with the same. In case you are not aware of it, hacking is a part of the asymmetrical war being waged by governments every day.
  • Reply 37 of 72
    docno42 wrote: »

    Sigh - the solution to this "problem" is simple - download Xcode only from Apple!

    The most basic tenet of computer security - know the chain and trust the source of the code you are running. People are downloading locally because Apple's servers tend to be slower - seriously?!? Slower than a 28.8 modem?

    Choosing convenience over security - and amazingly that causes problems. I love how people are jumping all over these weird philosophical discussions when the root issue is so incredibly stupid as well as EASY to solve. Don't be an idiot! Looks like the best thing Apple can do is put a caching server behind the great firewall if China will let them.

    This is a problem created entirely by the government of China and their warped internet policies. Whether it was an intended outcome or a happy byproduct, I would be shocked if they weren't pleased knowing it was at least possible.
    This assumes the app developer didn't know fully what they were doing.
  • Reply 38 of 72
    mstone Posts: 11,510 member
    Perhaps Apple should do the compiling with an online version of Xcode. Developers upload their raw source code so Apple can review it. With compiled executables it is not so easy to catch hidden functionality. I know developers don't want to release their source code, but it would only be shared with Apple, which I think can be trusted.

  • Reply 39 of 72
    Good grief! I can't believe it's finally happened! Get ready for all the iOS doom articles.

    Of course it's important to remember that this is iOS's first real report of malware, and Android is at, like, a billion. Not only that, but technically iOS is older than Android, and this is their first malware emergency! That makes them a billion times more secure than Android. Times 10.
  • Reply 40 of 72
    icoco3 wrote: »
    I assume they will just wipe it clean...
    What, with a cloth?

    [looks at Clinton]