How To Detect If Your iOS Or OS X Device Has Apps With XcodeGhost Malware

Last week it emerged that malware dubbed XcodeGhost had infected a number of apps on Apple's App Store in China. Because Apple's stringent app vetting process had kept the App Store relatively clean in the past, this outbreak was particularly alarming. Popular apps including WeChat were infected, potentially affecting hundreds of millions of users, not just in China but globally. Here's how to tell whether your iOS or OS X device has infected apps.

XcodeGhost is a particularly scary piece of malware because it got into the App Store through Apple's own developer tool kit, Xcode: specifically, through a tampered copy of Xcode downloaded from an unofficial source. Apps built with that copy had the malicious code compiled in without the developer's knowledge, so they reached the App Store as apparently legitimate releases from legitimate developers. While the infected apps originated in China, some of them are available from App Stores in other countries; WeChat, one of the affected apps, has a large user base outside China.

If you are worried you might be affected, Palo Alto Networks has the following suggestions:

  • Install Pangu Team's app to detect XcodeGhost-infected apps on your iOS device. You can download it from the Pangu Team website. If it finds an infected app, delete that app; you can reinstall it once the developer releases an updated version built with a clean copy of Xcode.

  • Add two-step verification to your Apple ID. An infected app can display dialogs that look like system prompts for your Apple ID password; two-step verification limits the damage if you are tricked into entering it.

  • Avoid untrusted WiFi networks. Infected apps report to their command-and-control server over plain HTTP, so anyone on the same network can tamper with that traffic and with what the app is told to do.

As for iOS and OS X developers:

  • Only download development tools from official sources. This mess happened because the Great Firewall of China made downloading Xcode from Apple unbearably slow, so developers sourced it from file-sharing sites and other unofficial channels instead. Just don't do it. It's not worth it.

  • Set Gatekeeper to its default protection level on any Mac used for app development. Go to System Preferences > Security & Privacy and allow only apps downloaded from the "Mac App Store and identified developers". A tampered Xcode obtained outside the Mac App Store is not signed by Apple, so Gatekeeper at its default setting refuses to open it; the infections needed that protection to be switched off or bypassed.

  • Check the integrity of development tools and libraries before releasing apps and updates. On a Mac you can do this with the codesign utility (and Gatekeeper's own spctl assessment), or by comparing file hashes against values published by the vendor.
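As an added example (not part of the original article or of the Palo Alto Networks post it summarises), here is a shell script that turns the two developer checks above into something you can run on a development Mac: it confirms Gatekeeper is enabled, asks Gatekeeper to assess Xcode and accepts only an Apple source (the verdict strings are those Apple published in its Xcode validation steps), verifies the bundle's code signature with codesign, and includes a SHA-256 comparison for checking a downloaded tool or library against a digest its vendor published. The /Applications/Xcode.app path and the reference digest are assumptions.

```shell
#!/bin/sh
# Added example, not from the article or from Palo Alto Networks: a small
# pre-release check of a Mac toolchain. The expected spctl verdict strings are
# the ones Apple published in its Xcode validation steps; the reference digest
# used by the hash check is assumed to come from the vendor out of band.

# Classify one line of `spctl --assess --verbose <bundle>` output.
# Succeeds only when Gatekeeper accepted the bundle AND the source is Apple
# (Mac App Store download, Apple-signed, or part of the system). Anything else,
# including "accepted source=Developer ID" from some third party, fails.
gatekeeper_verdict_ok() {
    case "$1" in
        *": accepted source=Mac App Store") return 0 ;;
        *": accepted source=Apple System")  return 0 ;;
        *": accepted source=Apple")         return 0 ;;
        *) return 1 ;;
    esac
}

# Compare a file's SHA-256 with a digest obtained from a trusted channel,
# e.g. sha256_matches ~/Downloads/some-library.zip <digest from vendor site>.
# Works with either GNU sha256sum (Linux) or BSD shasum (macOS).
sha256_matches() {
    file=$1
    expected=$2
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
    fi
    [ "$actual" = "$expected" ]
}

# Full check on a development Mac. Each step prints what it found and the
# function fails at the first problem:
#   1. Gatekeeper assessments must be enabled (the default).
#   2. Xcode must be accepted by Gatekeeper with an Apple source.
#   3. The bundle's code signature must be intact, checked strictly and
#      recursively so a swapped-in framework inside Xcode is caught too.
check_xcode() {
    app=${1:-/Applications/Xcode.app}

    if ! spctl --status 2>&1 | grep -q '^assessments enabled'; then
        echo "Gatekeeper is disabled; re-enable it with: sudo spctl --master-enable"
        return 1
    fi

    # This can take several minutes on a full Xcode install.
    verdict=$(spctl --assess --verbose "$app" 2>&1)
    echo "$verdict"
    if ! gatekeeper_verdict_ok "$verdict"; then
        echo "Gatekeeper did not accept $app as an Apple-signed bundle; reinstall it from the Mac App Store"
        return 1
    fi

    if ! codesign --verify --deep --strict "$app"; then
        echo "Code signature of $app is damaged or altered"
        return 1
    fi

    echo "$app passed Gatekeeper and codesign checks"
}

# Only run the live check where the Apple tools exist (i.e. on a Mac).
if command -v spctl >/dev/null 2>&1 && command -v codesign >/dev/null 2>&1; then
    check_xcode "$@"
fi
```

Run it as `sh check_xcode.sh` (optionally with a different path to Xcode) and treat a non-zero exit as a reason not to ship a build from that machine. The hash comparison only helps when the reference digest comes from somewhere other than the site that served the download; otherwise both can be tampered with together.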

Apple has acknowledged XcodeGhost as malware that affected the App Store and has been working to clean it up. It has also emailed the developers of the infected apps, guiding them to recompile their products with an official copy of Xcode and resubmit them.

[Via Palo Alto Networks Research Center]


Comments

    Ummmm "Install Pangu Team’s app to defect XcodeGhost infected apps on your iOS device"

    Takes you to a page in Chinese. With no English explanation as to what the process is. I'm not sure I really want to install anything given the nature of this malware.

    Is there an official Apple method to detect the malware as yet?

      As far as I know, Apple hasn't released any tool to do so just yet. The Pangu app is the one recommended by Palo Alto Networks, a vendor which has been looking into the issue.

      Will keep you posted if there are any updates!

        Thanks for the reply and thanks for keeping us updated.

        Last edited 22/09/15 3:31 pm

        Pangu Team is apparently responsible for an iPhone Jailbreak method, and there are some sites that mention they may be a security concern. http://www.tomsguide.com/us/pangu-jailbreak-iphone-risks,news-19068.html

        I'm not sure if the concerns are warranted, but this may be a case of out of the frying pan and into the fire, so I would be very careful with recommending this method of detection.

        You do realise Palo Alto Networks have been around for many many many years. I think they know what they're on about.

    To add insult to injury, the link leads to "http : //www.lifehacker.com.au/2015/09/how-to-detect-if-your-ios-or-os-x-device-has-malware-infected-apps/Apple%20also%20sent%20an%20email%20to%20affected%20developers,%20guiding%20them%20to%20recompile%20their%20products%20by%20official%20Xcode,%20and%20to%20re-submit%20again.%20Apple%20has%20acknowledged%20XcodeGhost%20as%20malware%20and%20that%20it%20has%20affected%20the%20App%20Store."

    Thanks Spandas,

    But ... this article is click-bait. The title said how to detect apps but it wasn't covered in the article.

    Here are some recommended links,
    - What is XCodeGhost?
    http://www.macrumors.com/2015/09/20/xcodeghost-chinese-malware-faq/

    - For Developers (mainly for Chinese developers)
    http://www.macrumors.com/2015/09/22/apple-xcode-validation-steps/

    - Apple's response on XCodeGhost
    http://www.macrumors.com/2015/09/22/apple-xcode-validation-steps/

    One of the more popular apps that was impacted is Mercury Browser. It's been very popular because it included (until recently) adblocking. ADBlocking has now become a subscription option. If you are using Mercury Browser, you may want to stop using it and temporarily change to Dolphin (which is free and includes ADBlocking), or follow the advice from LifeHacker
    http://www.lifehacker.com.au/tags/mobile-browsers/

    As someone who uses Mercury, this article was not particularly helpful. It was disappointing to see that Mercury was left off the list in the linked article from LifeHacker.

      Hi Dan,

      Thank you for your comment!

      As mentioned in the article, the recommendations are based on those given by Palo Alto Networks. Understand there are other resources that you can refer to when dealing with Xcode. It's just the article was based on the Palo Alto blog post (linked at the bottom).

      Sorry you feel that way about the article. I'll definitely keep your feedback in mind when it comes to future articles ^_^.

      Cheers,

      Spandas

        The link "[Via Palo Alto Networks Research Center]" doesn't go to that.

        This would all make a lot more sense if the Palo Alto article was linked fully and early on in your post. If the content is not your own, it needs to be referenced, not just 'recommended by Palo Alto Networks'.

          Hi there,

          Actually, I screwed up the HTML on the link, which was why the link didn't go anywhere. I've fixed it now. Sorry about all this!

          Cheers,

          Spandas
