Picking up where Palo Alto Networks left off, security firm Fox-IT has rounded up more iOS apps believed to be carrying the XcodeGhost malware.
At first it appeared that the outbreak of XcodeGhost was limited to China, but now it seems the malware has a much wider reach.
Fox-IT ran Palo Alto Networks' list of suspected command and control domain names through its own systems and added the following apps to the list, which already named CamCard, CamScanner, Lifesmart 1.0.44, OPlayer 2.1.05 and SegmentFault 2.8:
AmHexinForPad • air2 • baba • BiaoQingBao • CSMBP-AppStore • CamCard • CamScanner Lite • CamScanner Pro • ChinaUnicom3.x • CuteCUT • DataMonitor • FlappyCircle • Guitar Master • golfsense • golfsensehd • guaji_gangtai en • iOBD2 • iVMS-4500 • immtdchs • installer • IHexin • InstaFollower • jin • MSL070 • MSL108 • Mercury • MobileTicket • MoreLikers2 • Musical.ly • nice dev • OPlayer • OPlayer Lite • PDFReader • PDFReader Free • Perfect365 • PocketScanner • QYER • Quick Save • SaveSnap • snapgrab copy • SuperJewelsQuest2 • TinyDeal.com • Ting • Wallpapers10000 • WeChat • WeLoop • WhiteTile • WinZip • WinZip Sector • WinZip Standard
Palo Alto Networks reported last week that it had confirmed what many iPhone and iPad users still believe to be rare: malware running inside legitimate apps on ordinary, non-jailbroken iOS devices. The infection vector is not a flaw in iOS itself but the build toolchain. XcodeGhost is a tampered copy of Xcode, Apple's development environment and compiler, that circulated through unofficial download sites; every app compiled with it has malicious code inserted at build time, without the app's own developer writing a line of it. Because the same toolchain also builds OS X applications, the technique is not limited to iOS.
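Because the compromise happens in the developer's toolchain rather than on the phone, the practical check belongs on the build host. The shell script below is an added example, not code from the article or from Fox-IT or Palo Alto Networks: it wraps the Gatekeeper assessment Apple recommended to developers after XcodeGhost, `spctl --assess --verbose /Applications/Xcode.app`, and treats the installed copy as trustworthy only when Gatekeeper reports it as accepted with a source of Mac App Store, Apple or Apple System. The function names and the sample outputs in the comments are assumptions made for this example; the command and its expected output are Apple's.

```sh
#!/bin/sh
# Added example; not part of the original article.
# Apple's post-XcodeGhost advice to developers was to let Gatekeeper assess
# the Xcode bundle:  spctl --assess --verbose /Applications/Xcode.app
# A genuine copy prints two lines, for example (constructed sample):
#   /Applications/Xcode.app: accepted
#   source=Mac App Store
# Copies from Apple's developer downloads report "source=Apple" or
# "source=Apple System". A modified bundle is either rejected outright or
# carries some other source, and must not be used to build shipping apps.

# Decide from spctl's output (read on stdin) whether the bundle is trustworthy.
# Returns 0 for a genuine Apple-distributed Xcode, 1 for anything else.
xcode_assessment_ok() {
    out=$(cat)
    # The first line is "<path>: accepted" or "<path>: rejected".
    printf '%s\n' "$out" | head -n 1 | grep -q ': accepted$' || return 1
    # Even an accepted bundle must come from one of Apple's own channels;
    # a re-signed Xcode would be accepted with a Developer ID source.
    printf '%s\n' "$out" | grep -Eq '^source=(Mac App Store|Apple|Apple System)$' || return 1
    return 0
}

# Run the real assessment on a macOS build host (spctl exists nowhere else).
# Usage: check_xcode [/path/to/Xcode.app]
check_xcode() {
    app=${1:-/Applications/Xcode.app}
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not found; run this on the macOS build host" >&2
        return 2
    fi
    # spctl may write the verdict to either stream; merge them before parsing.
    if spctl --assess --verbose "$app" 2>&1 | xcode_assessment_ok; then
        echo "$app: genuine Apple-distributed Xcode"
    else
        echo "$app: FAILED Gatekeeper assessment; do not build with this copy" >&2
        return 1
    fi
}
```

Run `check_xcode` on every machine that produces App Store builds, including CI agents, and repeat it after any Xcode update; a build server that pulled Xcode from a mirror is exactly the case XcodeGhost exploited.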
Once an app built with XcodeGhost is running on an iOS device, the injected code contacts its command and control server for instructions. The server returns encrypted directions to the malware, according to Ryan Olson, director of intelligence for Palo Alto Networks' Unit 42 research group.
Those directions can carry several commands; one of them makes the app display an alert dialog to the owner of the infected device.
"We have evidence that this was used to 'phish' iCloud credentials from users of infected apps," Olson said. "The response can also contain a URL, which the app will then open. We don't know how this is being used, but it could be used to send other apps on the phone to potentially malicious resources."