New Version Of XcodeGhost Malware Designed To Attack iOS 9 And Remain Undetected

Aaron Mamiit, Tech Times 04 November 2015, 09:11 am

In September, Apple's App Store suffered a large-scale security breach for the first time, as some of the most popular Chinese-developed apps were found to have malicious software embedded in them.

Named the Xcodeghost, the malware was able to infiltrate the affected apps as Chinese developers were fooled into utilizing compromised versions of Xcode, Apple's developer tool kit. The affected apps were able to transmit data about the device of the users, showed fake alerts that could steal passwords on Apple's iCloud service and gain access to the user's clipboard. The Xcodeghost could also access websites that could allow more viruses to infect the device.

Apple said that it has removed the infected apps from the App Store and reached out to the Chinese-based developers to ensure that they were using proper versions of Xcode. However, it seems that the XcodeGhost is still alive, according to cybersecurity firm FireEye.

A new version of the XcodeGhost, which was named by FireEye as the XcodeGhost S, was discovered as an updated version to support Xcode 7 and iOS 9. XcodeGhost S also includes a new mechanism which allows it to avoid being detected.

More specifically, the upgraded XcodeGhost S can now avoid limitations for HTTPS communications, which became required in iOS 9 and prevented the command and control server transmissions of XcodeGhost from working properly.

To avoid being detected by security tools, XcodeGhost S masks its C&C server through a novel method. Instead of having the location of the server hardcoded, the malware is now assembling the URL of the server per character.

FireEye, through the continuous monitoring of the networks of its customers, has also found that the malware has infiltrated U.S. companies as a persistent security threat, with the cybersecurity firm observing 210 companies with applications that are infected by the XcodeGhost.

The malware generated over 28,000 attempts to connect to its C&C servers over a period of four weeks, with the top two countries that XcodeGhost attempting to call back being Germany and the United States.

FireEye also revealed that while infections of the XcodeGhost cover a wide range of industries, the top industry affected by the malware is the education sector.