Security firm FireEye said in a blog post that XcodeGhost – a fake version of Xcode that injected malware into genuine apps – remains a threat. FireEye has identified a more advanced version of the compromised app development tool, XcodeGhost S, which has been designed to infect iOS 9 apps and allow compromised apps to escape detection by Apple.
XcodeGhost is planted in different versions of Xcode, including Xcode 7 (released for iOS 9 development). In the latest version, which we call XcodeGhost S, features have been added to infect iOS 9 and bypass static detection.
We have worked with Apple to have all XcodeGhost and XcodeGhost samples we have detected removed from the App Store.
The company said that by monitoring its customers’ networks, it identified 210 enterprises with infected apps running inside their networks – a third of them in the USA – generating 28,000 attempts to connect to the XcodeGhost Command and Control (CnC) servers …
It notes that the servers are not currently under control by those behind XcodeGhost, but they are potentially vulnerable to hijacking attempts. Some enterprises have modified their domain name servers to block traffic to the CnC servers, but this does not necessarily protect devices when used outside the corporate networks.
The blog entry describes how XcodeGhost was able to circumvent the protection Apple introduced in iOS 9.
Apple introduced the “NSAppTransportSecurity” approach for iOS 9 to improve client-server connection security. By default, only secure connections (https with specific ciphers) are allowed on iOS 9. Due to this limitation, previous versions of XcodeGhost would fail to connect with the CnC server by using http. However, Apple also allows developers to add exceptions (“NSAllowsArbitraryLoads”) in the app’s Info.plist to allow http connection. The XcodeGhost S sample reads the setting of “NSAllowsArbitraryLoads” under the “NSAppTransportSecurity” entry in the app’s Info.plist and picks different CnC servers (http/https) based on this setting.
Earlier this year, a separate vulnerability was discovered that left some apps at risk when attempting to establish secure connections to servers.