Apple cleans up iOS App Store after first big malware attack

Apple is cleaning up its official iOS App Store after the first large-scale attack on its walled-garden mobile software site. The Xcode development tools used by iOS app makers were copied, modified, and distributed online by hackers to inject malicious code into apps available on the App Store, as previously reported. Palo …

  1. This post has been deleted by its author

    1. Anonymous Coward

      Re: gov't interference with the internet contributed to this problem

      I would not be so sure about snooping.

      China ISP peering policy and specifically China big SP attempt to make any peering become a form of reciprocal paid transit (very popular with some Eu incumbents by the way), narrow transpacific bandwidth are more likely culprits. Apple (same as most USA cloud companies) is not budging to the extortion, so speeds to it from China remain hideously slow.

      So it is more a case of the results of "severe telecommitis", as seen in the ITU working group on peering, than government interference.

    2. Anonymous Coward

      Re: gov't interference with the internet contributed to this problem

      Sorry, being lazy and/or impatient is not a good excuse. I would never download anything critical but from officially sanctioned sources, even if it's slow. I'll wait. Download managers are built for that.

      I guess people in China are used to "alternative" sources for software not because of speed, but because of other, more illegal, needs...

    3. RealFred

      Re: gov't interference with the internet contributed to this problem

      The Guardian, that bastion of free thinking and non-political comment. Good grief, who would believe anything they say

      1. Hans 1

        Re: gov't interference with the internet contributed to this problem

        You can say that about any other paper in the UK and you are probably right, however, I think the Guardian has quite a good track record, not perfect, but there you go. What do you read, the Daily Mail, Telegraph or Sun, maybe?

    4. anonymous boring coward Silver badge

      Re: gov't interference with the internet contributed to this problem

      Not really. Apple could have, and should have, made available official checksums of their downloadable applications. But it's probably too low tech for them.

  2. Anonymous Coward

    I read, "We can't monitor wechat so we'll make it insecure in the eyes of the gullible"

    My tin foil hat is quite cosy right now.

    Edit: Sorry I need to explain, wechat is a massive chat program (massive in the sense of users) now do I believe that there was only one dev who happened to download this dodgy version of Xcode and that the dev was really that dumb to download from a non-official source? Sorry I'm just struggling to believe this.

  3. Joerg

    Clearly competitors are behind this criminal act

    Fake XCode installers with illegal authorization keys that someone inside Apple must have authorized to make them work.

    And the ability for these illegal keys to bypass all Apple security measures both automatic binary code checking, API calls and then even any manual review of the apps inside Apple...

    It clearly is beyond just fishy. Someone paid people inside Apple to do these criminal acts.

    And competitors are the only ones getting something out of it trying to damage Apple.

    1. Quando

      Re: Clearly competitors are behind this criminal act

      There's no auth key needed to install XCode. Developers would have used legit publishing keys *inside their project file* that they got from Apple as normal. It is just the size of the XCode download at over 4GB that was causing the developers to look for alternative sources.

      As long as the malware didn't use any private API calls it would get past App Store review - and accessing the clipboard, throwing alerts etc is all OK.

  4. Anonymous Coward

    What it means is: either Apple do not vet applications at all; or they vet applications by looking at the source code submitted by the developer, but then trust that the binary submitted by the developer does actually match the source. Really??

    If so, this means it's trivial to circumvent the app store policies - just submit an innocent app together with a malicious binary which (on the surface) does the same thing.

    Of course, if you are an unknown developer submitting your first app then you may be subject to more intense scrutiny. So it was very clever to do this by infecting the Xcode of a well-established developer, so they can act as your proxy.

    1. Quando

      No source code is submitted - just the binary package of app + resources, and a symbol/map file. All the system frameworks are called dynamically so they can scan the app to see what it calls to, and the biggest problem is false-positives if you use a method name in your own code that matches a private API: it flags you up.

      But beyond an automated scan they don't do much - certainly not launch it on each device it is supposed to run on as there have been enough apps released that crash immediately on certain device types due to a lack of testing.

  5. asdf

    I hope Apple lifetime-banned all accounts that posted any apps with this malware regardless of whose fault it is. All signing keys (if used) should be black-flagged as well. Of course being a western corporation and a total whore to the China market means probably no such thing happened.

  6. Anonymous Coward

    Those cheeky PLA chappies!

    Slam-dunk for PLA Unit 61398, have a Tsingtao brewski

    1. Anonymous Coward

      Re: Those cheeky PLA chappies!

      CIA actually:

  7. anonymous boring coward Silver badge

    Technically a sophisticated attack - modifying Xcode itself.

    However, the developers picking up Xcode from unknown sources - not so impressive!

    That's not far from tricking auntie to click on that exe attachment.

  8. Anonymous Coward

    Looks like Apple will have to build in some way of authenticating Xcode.

    I wonder if this Malware could be Chinese intelligence agency spyware?

    I've just discovered one infected app WinZio which I've now deleted.

    What's worrying is my 2-factor security is based on an app on my iPhone (Google Authenticator) and Apple push notifications for iCloud.

    If someone can sniff those push notifications they've access to iCloud and possibly iCloud Keychain...
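The two comments above about checksums (comment 4) and about authenticating Xcode (comment 8) come down to the same defensive habit: compare what you downloaded against a digest the vendor publishes, before you open it. The script below is an added example, not code from The Register thread or from Apple; it assumes the publisher lists SHA-256 digests, and the stand-in "installer" (five bytes of text) and its digest are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or from Apple): check a downloaded
# installer against a SHA-256 digest obtained from the vendor, not from
# the mirror that served the file.

# Print the SHA-256 hex digest of a file using whichever tool the host has
# (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_download FILE EXPECTED_DIGEST
# Returns 0 when the file's digest matches (case-insensitively), 1 on a
# mismatch or when the file cannot be read. Never open the file on failure.
verify_download() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published digest"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Demonstration on a constructed stand-in for an installer.
GOOD_DIGEST=2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  # SHA-256 of "hello"
BAD_DIGEST=$(printf '%064d' 0)  # a digest that cannot match anything real
demo_file=$(mktemp)
printf 'hello' > "$demo_file"
verify_download "$demo_file" "$GOOD_DIGEST"
verify_download "$demo_file" "$BAD_DIGEST" || echo "rejected: digest does not match, do not run this file"
rm -f "$demo_file"
```

The digest only helps if it comes from somewhere the attacker does not control: a checksum printed on the same mirror page that hosts a tampered file proves nothing. On macOS, checking Apple's code signature on the downloaded application (`codesign --verify`) is a complementary check that does not depend on a separately published digest.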
  9. ingie

    This just in...

    ...i just got this in my dev mail box from apple:

    "We recently removed apps from the App Store that were built with a counterfeit version of Xcode which had the potential to cause harm to customers."

    ... there's a certain degree of semantic ambiguity there that amuses me.

  10. AndyDent

    Outright lies about behaviour?

    The readme on the github repo says that the app doesn't do anything malicious or collect private behaviour.

    If all it did was act as an unwitting analytics package, then this is both true and a reason why it would have been incredibly difficult for Apple to detect its actions - analytics packages send data to servers all the time in legit apps.

    However, I'm wondering if the developer has published a "sanitised" version of the XcodeGhost source to try to avoid problems - without the reported fake iCloud password dialog?
