About 100 million Chinese iPhone users were attacked; it had never occurred to them that their iOS devices could fall victim to mass infections the way Android phones do. Last Wednesday Palo Alto Networks published its first analysis report on the issue, followed by Alibaba Mobile Security, which named the malware XcodeGhost.
How XcodeGhost works
The first compiler malware seen on OS X, the malicious code was hidden inside repackaged Xcode installers for versions 6.1 through 6.4 (6.1.1, 6.2, 6.3, 6.3.1 and 6.3.2 included), in a Mach-O object file. After these installers were uploaded to Baidu's cloud file-sharing service, some developers in China downloaded them to build iOS or OS X apps. XcodeGhost infected 76 iOS apps built by those developers, and the apps were published in the official App Store and treated as trustworthy.
iOS apps infected by XcodeGhost automatically collect information about the device and upload it to command and control (C2) servers. The malware exposed a very interesting attack vector: targeting the compiler used to build legitimate apps. The same technique could be used to attack enterprise iOS apps or OS X apps in far more dangerous ways.
This unofficial download source is popular in China because large files download slowly from Apple's servers; the standard Xcode installer is about 3GB, so some Chinese developers choose to fetch the package from Baidu's cloud file-sharing service instead.
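The practical defence against a tampered installer is to verify it before building anything with it. As an added example, not part of the original article, here is a small POSIX shell script a developer could use to check an installer obtained from a mirror: it compares the file's SHA-256 digest against a trusted one (assumed to have been recorded from a copy downloaded directly from Apple) and, on OS X, asks Gatekeeper whether the installed Xcode.app still carries a valid Apple signature. The file name and digest in the usage comment are placeholders, not values from the article.

```shell
#!/bin/sh
# Added example (not from the original article): verify a downloaded Xcode
# installer against a known-good SHA-256 digest before using it to build apps.
# Usage: verify_download Xcode_6.4.dmg <trusted-sha256>   (placeholder values)

# Print the SHA-256 digest of a file; works on both macOS (shasum) and Linux (sha256sum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_download FILE EXPECTED_SHA256
# Returns 0 when the digest matches, 1 when it does not or the file is missing.
verify_download() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    # Compare case-insensitively so a digest pasted in upper case still matches.
    a=$(printf '%s' "$actual" | tr 'A-Z' 'a-z')
    e=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')
    if [ "$a" = "$e" ]; then
        echo "OK: $file matches the expected digest"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# After the digest check, on OS X also let Gatekeeper assess the installed
# Xcode.app (spctl is a standard macOS tool; on other systems the step is skipped).
check_xcode_signature() {
    app="${1:-/Applications/Xcode.app}"
    if command -v spctl >/dev/null 2>&1; then
        spctl --assess --verbose "$app"
    else
        echo "spctl not available here; skipping Gatekeeper assessment" >&2
        return 0
    fi
}
```

A mismatch is a reason to discard the installer, not to retry the download; a correct digest plus a passing Gatekeeper assessment is the minimum a build machine should require before the toolchain is used.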
Although XcodeGhost is the first mass infection of apps in the official App Store, it was not as malicious or dangerous as other iOS malware, which may explain why the code escaped App Store review. On the other hand, the incident exposed the fact that an attack on iOS can be carried out with nothing more than an OS X malware that places a malicious object file in the Xcode directory, which is alarming. After all, XcodeGhost is a compiler malware, and this is the first mass attack on iOS devices, including unmodified devices that have never been jailbroken.
Among the 76 infected apps, WeChat is the one that catches every iOS user's eye. The app is also popular outside China. What makes it more serious is its payment function, used mainly for money transfers and for the social custom of sending "red packets". At present, WeChat version 6.2.5 has been confirmed infected, and the official notice promised a new secure version within a few days to remove XcodeGhost's influence. Users need to replace the old version with the newest one.
What needs attention is what the Trojan is able to do. This is what XcodeGhost can do after infecting 76 apps and affecting more than 344 apps (the latter figure is reported by Qihoo 360): phishing websites will appear on your iOS device to harvest important personal information, such as credit card details and your iCloud account and password.
What remedies are available for the iOS crowd?
At present, most of the remedies and improvements proposed are aimed at developers. For consumers, the following suggestions are offered.
1. For devices that have already been jailbroken, many anti-virus apps and programs have now updated their virus databases to detect and remove the Trojan. Users can use these tools to examine their iOS devices and replace the infected apps with the newest secure versions. For users of non-jailbroken devices, the infected apps should be left unused for security reasons until the new version is installed.
2. For all users, the most important thing is to change the passwords of all the accounts used on your iOS devices. Be cautious whenever any app on your phone asks you to enter a password.
If you uninstall infected apps or delete files by mistake while dealing with the XcodeGhost problem, you may run into difficulty recovering your data. If this happens, iMyfone D-Back (or iMyfone D-Back for Mac; both support all iOS devices) can help you restore the data. Only three steps are needed to recover it.
Step 1 Select the most suitable recovery mode and file types
iMyfone D-Back offers four recovery modes: Smart Recovery, Recover from iOS, Recover from iTunes and Recover from iCloud. Select the most suitable mode and start the recovery process.
Step 2 Scan for the lost iPhone files
The program scans the iPhone and the iTunes/iCloud backups for the lost files according to the file types you selected; the whole process takes a few minutes.
Step 3 Preview and Recover the iPhone Lost Data
All the files you choose can be previewed in the list on the right. After ticking the boxes, click the "Recover" button, select the storage path, and the process is complete.