Malware

Apple lists top 25 apps infected by XcodeGhost

Christian Zibreg ∙ Updated May 18, 2017

Apple today refreshed its official XcodeGhost FAQ webpage, listing the top 25 iPhone and iPad apps on the App Store that contain the widely reported though mostly harmless XcodeGhost malware.

In addition to WeChat, one of the top messaging apps in the world, Rovio's Angry Birds 2 and China Unicom’s Customer Service app, most of the listed apps are distributed on the Chinese App Store only.

“If users have one of these apps, they should update the affected app which will fix the issue on the user’s device,” writes the company. “If the app is available on App Store, it has been updated, if it isn’t available it should be updated very soon.”

Apple has pulled many of the infected apps and said it's working closely with developers to get impacted apps back on the App Store.

Apple to offer local Xcode downloads in China, posts official XcodeGhost malware FAQ

Christian Zibreg ∙ September 23, 2015

The XcodeGhost malware couldn't have arrived at worst time for Apple as the company prepares to launch its iPhone 6s and iPhone 6s Plus tomorrow. The company has already removed the App Store apps infected by the malware, which has been found to inject its payload into apps compiled with compromised copies of Xcode that were distributed on non-Apple servers in China.

Wednesday, the Cupertino firm has confirmed plans to mitigate the threat by hosting local Xcode downloads within China. In addition, Apple has posted an XcodeGhost FAQ webpage on its Chinese website detailing the XcodeGhost malware and how customers might be affected by it.

Apple educates developers on validating Xcode downloads following XcodeGhost malware attack

Christian Zibreg ∙ September 22, 2015

A new type of attack called XcodeGhost is wreaking something of a mini-havoc in the App Store, injecting its malware payload into popular iPhone and iPad apps and prompting Apple to pull the infected apps.

The malware itself is pretty harmful—it collects and sends information about your device—but the method of spreading is cunning. Rather than target the App Store itself, attackers have distributed hacked versions of Xcode, Apple's tool required for iOS and OS X development.

As Xcode is a multi-gigabyte download, developers in countries like China where Internet speeds are slow have downloaded these modified Xcode builds from non-Apple sources without realizing a hacked Xcode injects malware when compiling apps.

This morning, Apple issued an email to developers providing an update on the XcodeGhost situation while laying out easy-to-follow instructions for checking if their Xcode copy has been tampered with.

XcodeGhost: a new malware infecting many popular iOS apps

Christian Zibreg ∙ September 19, 2015

A few dozen iPhone and iPad applications, most of them developed for China, have been infected with XcodeGhost, a malware that collects information on the devices and uploads that data to remote servers.

Among them is WeChat, one of the most popular instant messaging applications in the world.

Rather than exploit an iOS vulnerability, the malware in question sneaks its way into apps indirectly, by targeting Apple's official compilers used to create legitimate apps. The malware was found to inject its malicious code into a Mach-O object file that was repackaged into some versions of Xcode, Apple’s official tool for developing iOS and OS X apps.

These Trojanized Xcode installers were then uploaded to Baidu’s cloud file sharing service used by Chinese app developers, explains Palo Alto Networks. The malicious code then inserts itself into any iOS app compiled with the infected Xcode without the developers’ knowledge.

It's not Apple's fault, really: this would have never happened had these developers downloaded Xcode files directly from Apple. Baidu has since removed all of the infected files from its servers and some of the infected apps have since removed the malware code in their latest builds.

Apple reportedly doing away with antivirus apps in the App Store

Cody Lee ∙ March 19, 2015

Apple has decided to eliminate the category of anti-virus and anti-malware products from the App Store, according to security firm Intego. The company announced this week that Apple informed them of their decision after pulling their app 'VirusBarrier for iOS.'

"To be clear, this wasn’t an action directed specifically at Intego, we were one of several companies affected by Apple's decision," writes Intego's Jeff Erwin. Erwin adds that users will continue to get virus definition updates, but there will be no more updates to the app.

Chinese authorities shut down WireLurker site, suspects arrested

Cody Lee ∙ Updated April 18, 2018

Chinese authorities arrested three individuals last Friday that are believed to have developed the "WireLurker" malware, according to a police post on Sina Weibo. The authorities were tipped off by Chinese security company Qihoo 360 technology. Additionally, the post says that authorities have also identified and shut down the website that was hosting and distributing the malware.

US government warns iOS users about new ‘Masque Attack’ threat

Cody Lee ∙ November 13, 2014

The United States government issued a warning for iPhone and iPad users today regarding the recently-discovered 'Masque Attack' vulnerability, reports Reuters. The security flaw, which began circulating the web earlier this week, allows malicious third-party apps to be installed to a device using enterprise provision profiles.

Today's bulletin was issued by the National Cybersecurity and Communications Integration Center, and it warns users of how Masque Attack can spread and what it's capable of doing. The malware installs itself through a phishing link disguised as a new app or game, and then it can masquerade as a well-known app like Gmail.

Apple now blocking apps infected with WireLurker malware

Cody Lee ∙ Updated April 18, 2018

Apple released a statement today saying that it is aware of the newly discovered WireLurker malware that targets Macs and iOS devices, and it has taken action. "We’ve blocked the identified apps to prevent them from launching," a spokesman for the company told the Wall Street Journal.

Yesterday security researchers at Palo Alto Networks published a report saying they had discovered a new malware targeting Macs and iOS that is the “biggest in scale” it has ever seen. They named the malware "WireLurker" for its ability to jump from infected Macs to iOS devices over USB.

New malware ‘WireLurker’ found infecting Macs and iOS devices in China

Cody Lee ∙ November 5, 2014

Security researchers at Palo Alto Networks say they've uncovered a new malware campaign targeting Macs and iOS that is the "biggest in scale" it has ever seen. Dubbed WireLurker, the malware has infected more than 400 apps in the Maiyadi App Store, a third-party Mac app store in China.

In the last six months, researchers say 467 infected applications have been downloaded 356,104 times, and “may have impacted hundreds of thousands of users.” The scary part is, the malware can be transmitted to a connected iOS device via USB, regardless of whether or not it's jailbroken.

‘AppBuyer’ malware steals Apple IDs and passwords from jailbroken devices

Cody Lee ∙ Updated April 18, 2018

Security research firm Palo Alto Networks reported this weekend about a new iOS malware that's affecting jailbroken devices. It's called 'AppBuyer,' and it's programmed to steal a user's Apple ID and password for the purpose of purchasing apps from the App Store.

It's not clear exactly how AppBuyer is being installed, but the group says it could be done a number of ways including through a malicious Cydia Substrate tweak or PC jailbreaking utility. Those infected complain of random apps periodically popping up on their devices.

AdThief malware found infecting 75,000 jailbroken devices

Sébastien Page ∙ August 15, 2014

Security researcher Axelle Apvrille recently published a paper about AdThief, a malware aimed at hijacking ad revenue from a reportedly 75,000 infected devices. First discovered in March 2014, and also known as "spad," the malware, which comes disguised as a Cydia Substrate extension, was found to replace the publisher ID of publishers with the one of the malware creator, effectively attributing all ad revenue to him.

Watchout for Unflod, a malware targeting jailbroken devices

Sébastien Page ∙ April 18, 2014

We often praise iOS as a very secure platform, and this is mostly true, as many studies have confirmed over the years. But sometimes, it's not so much the platform that is responsible for the lack of security, it is the user himself.

The perfect illustration of this is when you jailbreak your device. By gaining root access to your iPhone or iPad, you start walking outside of Apple's walled garden and actually put yourself at risk of having untrusted files installed on your device without your knowledge.

As a jailbreaker myself, I am very well aware of the risks, but I do not mind them because the benefits usually far outweigh the drawbacks, and I assume most jailbreak users feel the same.

This being said, a new malware called Unflod has been targeting jailbroken devices for a few weeks. While there is still a lot we don't know about Unflod, the little information we have about it is enough to raise concerns...