Last week, it was found that a malware called XcodeGhost had infected a number of apps on Apple's App Store in China. Considering Apple's stringent app vetting process has kept the App Store relatively safe in the past, this outbreak was particularly alarming. Popular apps including WeChat were infected, potentially affecting hundreds of millions of users not just in China, but globally. Here's how to detect if your iOS or OS X device is infected.
XcodeGhost is a particularly scary piece of malware because it got into the App Store through Apple's own developer toolkit, Xcode. A tampered copy of Xcode, downloaded from an unofficial source, silently added malicious code to every app a developer built with it, and the developers then submitted those infected builds through the normal review process without knowing. While the infected apps originated in China, some of them are available from App Stores in other countries; WeChat, one of the affected apps, has a large user base outside China as well.
If you are worried you might be affected, Palo Alto Networks has the following suggestions:
- Install Pangu Team's app to detect XcodeGhost-infected apps on your iOS device. You can download the app from the Pangu Team website. If you do find an infected app, delete it. You can reinstall it once the developer releases an updated version that is free of XcodeGhost.
- Add two-step verification to your Apple ID to help mitigate potential attacks or exploitation: infected apps can pop up dialogs under the attacker's control, which could be used to phish your Apple ID password.
- Avoid using untrusted WiFi networks, for the same reason: the infected apps talk to their command-and-control server over plain HTTP, so anyone on the same network can tamper with that traffic.
As for iOS and OS X developers:
- Don't be stupid: only download development tools from official websites. The reason this mess happened is that the Great Firewall of China made downloading Xcode from Apple unbearably slow, so developers sourced it elsewhere through unofficial means. Just don't do it. It's not worth it.
- Set the Gatekeeper protection level back to its default value on Mac computers used for app development. You can do this by going to System Preferences, Security & Privacy, and allowing only apps downloaded from "Mac App Store and identified developers".
- Check the integrity of development tools and libraries before releasing apps and updates. You can do this with the 'codesign' utility or by comparing hash values against those published by the official source.
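Here is a script that puts the last two developer steps (the Gatekeeper setting and the integrity check of Xcode itself) into a repeatable form. It is an added example and not part of the original article or of Palo Alto Networks' guidance. It assumes Xcode lives at /Applications/Xcode.app, that the expected hash is one you recorded from the official download, that `spctl --assess --verbose` prints a "<path>: accepted" line followed by "source=<origin>", and that the three Apple-owned source values listed in the script are the only acceptable ones; the hash and Gatekeeper parsing functions run anywhere, while the live `spctl`/`codesign` calls are only attempted on a Mac.

```shell
#!/bin/sh
# Added example (not from the article): integrity checks for a developer Mac's
# copy of Xcode. Assumptions: the allowed "source=" values below, an expected
# hash supplied by the caller, and the spctl/codesign output formats as printed
# by OS X 10.10/10.11.

# SHA-256 of a file; portable between macOS (shasum) and Linux (sha256sum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare a downloaded installer (e.g. Xcode_7.dmg) against the hash recorded
# from the official source. Returns 0 on match, 1 on mismatch.
verify_hash() {
    file="$1"
    expected="$2"
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Parse the verdict text of `spctl --assess --verbose <app>`. Gatekeeper prints
# "<path>: accepted" and then "source=<origin>"; an Xcode that really came from
# Apple reports source=Mac App Store, Apple or Apple System. A "rejected"
# verdict or any other source means the bundle is not Apple's build.
spctl_verdict_ok() {
    verdict="$1"
    printf '%s\n' "$verdict" | grep -q ': accepted$' || return 1
    src=$(printf '%s\n' "$verdict" | sed -n 's/^source=//p')
    case "$src" in
        "Mac App Store"|"Apple"|"Apple System") return 0 ;;
        *) return 1 ;;
    esac
}

# Live checks on a Mac: Gatekeeper must be enabled, Xcode must be accepted from
# an Apple source, and every nested bundle/binary must carry a valid signature.
# Skipped on other systems so the script stays portable.
check_xcode() {
    app="${1:-/Applications/Xcode.app}"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available (not a Mac); skipping live checks"
        return 0
    fi
    spctl --status                          # expect "assessments enabled"
    out=$(spctl --assess --verbose "$app" 2>&1)
    spctl_verdict_ok "$out" || { echo "Gatekeeper verdict NOT OK: $out"; return 1; }
    # Deep, strict signature verification of the whole Xcode bundle.
    codesign --verify --deep --strict --verbose=2 "$app" || return 1
    echo "$app passed Gatekeeper and codesign checks"
}

# Usage: sh check_xcode.sh [/path/to/Xcode.app]
if [ "$#" -gt 0 ]; then
    check_xcode "$1"
fi
```

For the installer hash, record the SHA-256 of the .dmg or .xip at the moment you download it from Apple and compare it again with `verify_hash` before every build machine is provisioned; a copy that came from a mirror, a cloud drive or a colleague's USB stick will fail that check long before Gatekeeper gets a chance to complain.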
Apple has acknowledged XcodeGhost as malware and confirmed that it affected the App Store. It has worked to fix the problem and has emailed the developers who released XcodeGhost-infected apps, guiding them through cleaning up: rebuild the app with an official copy of Xcode and resubmit it to the App Store.