Apple did not report many details when it confirmed that the XcodeGhost malware had infiltrated the iOS App Store. The company did not say what the malicious code was capable of or how iPhone users were affected, but Palo Alto Networks security analyst Claud Xiao reported that XcodeGhost had been used to phish for iCloud passwords. Wired reported that Apple had removed over 300 apps contaminated with XcodeGhost. Recent developments indicate that the malware isn't limited to China, as reported earlier by TechCrunch, though the evidence indicates that it originated there.
Though XcodeGhost was at first considered benign, Xiao says it is more dangerous than it seems, much as the Android Stagefright exploit turned out to be.
Based on the details in Palo Alto Networks' analysis, XcodeGhost can display a prompt asking for the user's credentials or other sensitive information. Because the prompt is drawn by code running inside a legitimate app, a user could be convinced to enter sensitive information as long as the dialog looked consistent with that app.
URLs can be sent to the iOS device and opened. This isn't limited to HTTP and FTP URLs; it includes custom URL schemes, such as itunes:// and twitter://, that iOS uses for inter-app communication. For example, opening a tel: URL could be used to force automatic phone calls to premium phone numbers, which can charge up to $1 per minute in some cases.
As another example, XcodeGhost can read and write the contents of the user's clipboard. Some iOS password manager apps use the system clipboard to paste passwords into a login dialog, so a password copied that way could be snatched.
How did it get to this point? Some bad hygiene on the part of some iOS developers, who were tricked into downloading rogue versions of Apple's Xcode development environment distributed by the malware's creators. When apps were built with this rogue Xcode, the XcodeGhost code was injected into them at compile time. Professional developers demonstrated poor security practice by downloading tools from a source other than Apple and by failing to verify the download's authenticity before installing it. Then, for some reason, Apple's lengthy app approval process did not identify the malware contained in these apps.
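The check those developers skipped is straightforward to script. The following is an added example, not code from the original article or from Apple: `verify_download` compares a downloaded archive's SHA-256 against a digest obtained out-of-band (a digest fetched from the same mirror as the download proves nothing), and `assess_xcode_signature` wraps the Gatekeeper assessment `spctl --assess --verbose /Applications/Xcode.app`, which is the check Apple recommended after XcodeGhost and is skipped automatically on non-macOS systems. The function names, the sample file and its expected digest are all constructed for the demonstration; the digest is for the string "hello\n", not for any Xcode release.

```shell
#!/bin/sh
# Added example: refuse to install a downloaded toolchain whose digest does not
# match a value obtained out-of-band, then ask Gatekeeper whether the installed
# Xcode is actually signed by Apple. Function names and sample data are constructed.

# Print the SHA-256 of a file; sha256sum on Linux, shasum on macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_download FILE EXPECTED_SHA256
# Returns 0 when the digest matches, 1 (and a diagnostic on stderr) otherwise.
verify_download() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the expected SHA-256"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# assess_xcode_signature [APP]
# On macOS, ask Gatekeeper whether the app bundle is signed by Apple; the output
# should read "accepted" with source=Mac App Store, Apple System or Apple.
# Elsewhere spctl does not exist, so the step is reported as skipped.
assess_xcode_signature() {
    app=${1:-/Applications/Xcode.app}
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available; skipping Gatekeeper assessment of $app"
        return 0
    fi
    spctl --assess --verbose "$app"
}

# Demonstration on a constructed sample file. The "good" digest is SHA-256 of
# the bytes "hello\n"; the "bad" one stands in for a tampered download.
demo() {
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    bad=0000000000000000000000000000000000000000000000000000000000000000
    verify_download "$tmp" "$good"
    verify_download "$tmp" "$bad" || echo "refusing to install a download that failed verification"
    rm -f "$tmp"
    assess_xcode_signature
}

demo
```

A digest check only proves the file is the one the publisher described; the Gatekeeper step proves the installed bundle carries Apple's signature, which is the property the XcodeGhost victims lost when they installed a repackaged Xcode from a third-party mirror.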
High-profile apps, including some older versions of Tencent's WeChat messaging app, which Techinasia reports has more than half a billion users, were found to have been infected with XcodeGhost. Tencent posted a reassurance to its blog on Saturday, saying "a preliminary investigation into the flaw has revealed that there has been no theft and leakage of users' information or money, but the WeChat team will continue to closely monitor the situation."
How XcodeGhost evaded Apple's App Store review process may never be known, though it seems that malicious code of this kind, present in hundreds of submitted apps, should have been caught by the code analysis scanners.