In September, malware called XcodeGhost was found to have infected a number of apps on Apple's App Store in China, including popular ones used internationally such as WeChat. Apple reacted quickly to mitigate the issue, but XcodeGhost has resurfaced and has even been found running on iOS 9 devices in enterprise environments.
Security vendor FireEye has released research showing that in the last four weeks, XcodeGhost-infected applications have been observed on 210 enterprise networks, including networks in the US. Collectively, these apps have generated more than 28,000 attempts to connect to the malware's command and control (CnC) servers.
Even if the original attackers no longer control the CnC servers, the infected apps still send their beacon traffic, and anyone who can intercept or redirect that traffic could hijack it: to distribute apps to iOS devices outside the App Store, force browsers to open URLs, aggressively promote any app in the App Store by automatically directing iOS users to its download page, and launch pop-up phishing windows. FireEye researchers have demonstrated each of these scenarios.
FireEye notes that it has found XcodeGhost active on phones running iOS versions 6 through 9. While a number of affected app makers did release newer, XcodeGhost-free versions of their apps, many users have yet to update to them. This has given XcodeGhost a second wind.
According to FireEye:
Some enterprises have taken steps to block the XcodeGhost DNS query within their network to cut off the communication between employees' iPhones and the attackers’ CnC servers to protect them from being hijacked. However, until these employees update their devices and apps, they are still vulnerable to potential hijacking of the XcodeGhost CnC traffic - particularly when outside their corporate networks.
With so many devices found to carry XcodeGhost in such a short period of time, especially in US enterprises, FireEye believes the malware is an ongoing threat to organisations. A new variant, dubbed XcodeGhost S, adds code that specifically targets iOS 9 and is able to bypass the new OS's App Transport Security (ATS) policy, which requires apps to use HTTPS for their network connections.
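The DNS blocking FireEye describes above has two halves for a network defender: answer the CnC names with NXDOMAIN so the beacons fail on the corporate network, and use the resolver logs to find which client devices are still running an infected app, since those are the devices that remain exposed off-network until their apps are updated. The script below is an added example and is not FireEye's or Apple's code. The indicator domains in it are placeholders on the reserved `.test` TLD and must be replaced with the CnC domains published in FireEye's report; the log lines and their `<timestamp> <client_ip> <query_name> <qtype>` format are constructed for the example, so `parse_line()` will need adapting to a real resolver's log format.

```python
"""Find clients that still beacon to XcodeGhost CnC names and emit RPZ records to sinkhole them.

Added example, not code from FireEye or Apple. Indicator domains are placeholders
(assumption); the DNS log format and sample lines are constructed for this example.
"""
import re

# Placeholder indicators (assumption): substitute the CnC domains from the vendor report.
XCODEGHOST_CNC_DOMAINS = {
    "init.example-cnc-analytics.test",
    "init.example-crash-report.test",
}

# Constructed log format: "<timestamp> <client_ip> <query_name> <qtype>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def parse_line(line):
    """Parse one log line into (ts, client, qname, qtype); None if it does not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # Normalise the name: drop a trailing root dot and lower-case it so matching is exact.
    qname = m.group("qname").rstrip(".").lower()
    return m.group("ts"), m.group("client"), qname, m.group("qtype")


def matches_indicator(qname):
    """True for an indicator domain or any subdomain of it, but not for a mere suffix match."""
    return any(qname == d or qname.endswith("." + d) for d in XCODEGHOST_CNC_DOMAINS)


def find_beaconing_clients(log_lines):
    """Return {client_ip: {"count", "domains", "first_seen", "last_seen"}} for clients that hit a CnC name."""
    hits = {}
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not parse rather than abort the whole run
        ts, client, qname, _qtype = parsed
        if not matches_indicator(qname):
            continue
        entry = hits.setdefault(client, {"count": 0, "domains": set(), "first_seen": ts, "last_seen": ts})
        entry["count"] += 1
        entry["domains"].add(qname)
        entry["last_seen"] = ts  # log is assumed to be in time order
    return hits


def rpz_sinkhole_records(domains=XCODEGHOST_CNC_DOMAINS):
    """Response Policy Zone records that answer each CnC name and its subdomains with NXDOMAIN."""
    lines = []
    for d in sorted(domains):
        lines.append(f"{d} CNAME .")      # "CNAME ." is the RPZ action for NXDOMAIN
        lines.append(f"*.{d} CNAME .")
    return lines


# Constructed sample resolver log (not real data).
SAMPLE_LOG = """\
2015-11-03T08:12:01Z 10.20.4.17 init.example-cnc-analytics.test A
2015-11-03T08:12:01Z 10.20.4.17 www.apple.com A
2015-11-03T08:15:44Z 10.20.4.17 init.example-cnc-analytics.test A
2015-11-03T08:16:02Z 10.20.7.90 INIT.Example-Crash-Report.test. A
2015-11-03T08:16:05Z 10.20.7.90 mail.corp.example A
garbage line that does not parse
2015-11-03T08:20:19Z 10.20.9.3 notinit.example-cnc-analytics.test A
"""

if __name__ == "__main__":
    for client, info in sorted(find_beaconing_clients(SAMPLE_LOG.splitlines()).items()):
        print(f"{client}: {info['count']} queries to {sorted(info['domains'])} "
              f"between {info['first_seen']} and {info['last_seen']}")
    print("\n".join(rpz_sinkhole_records()))
```

The suffix check in `matches_indicator()` deliberately requires a dot before the indicator so that an unrelated name ending in the same string (the last sample line) is not flagged, while genuine subdomains of a CnC name are. The per-client summary is the list to hand to whoever manages the devices: blocking the name only protects those phones while they are on the corporate resolver.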
You can find out more details on the specific research done by FireEye over on the vendor's blog.
[Via FireEye Blog]