Xcode Malware Spreads Through the Apple App Store
XcodeGhost is the first widely reported malware to reach Apple's App Store by compromising the developer toolchain rather than the apps' own source code. The malicious code is a Mach-O object file that was packaged with some unofficial copies of the Xcode installer; every app built with one of those copies is linked against it.
What is Xcode?
Xcode is the integrated development environment (IDE) and toolchain that Apple provides, at no charge, to its own engineers and to third-party developers for building OS X and iOS applications. The official copy comes from Apple (the Mac App Store or Apple's developer site). Because the download is large and slow from outside the US, some developers in China fetched it instead from file-sharing services such as Baidu Yunpan, where the hosted installer contained a few extra pieces of code that the same version from Apple does not.
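The check a developer should run before trusting a copy of Xcode that came from anywhere other than Apple is Apple's own Gatekeeper assessment, `spctl --assess --verbose /Applications/Xcode.app`. The script below is an added example and is not code from the original post or from Apple: it wraps that command and interprets its output, accepting only a signature whose source is Apple itself or the Mac App Store. The sample outputs in the test are constructed; the bundle path is assumed to be the default install location.

```python
"""Verify that an Xcode.app bundle carries Apple's signature.

Added example (not from the original post or from Apple). It runs Apple's
recommended Gatekeeper assessment and parses the result. The point of the
parser is that "accepted" alone is not enough: a third party's bundle signed
with a Developer ID certificate is also "accepted", but with a different
source line. Only Apple's own sources count as genuine.
"""
import shutil
import subprocess

# Sources that spctl reports for a genuine Xcode (from Apple's guidance).
# Anything else, or a "rejected" verdict, means the bundle is not Apple's.
TRUSTED_SOURCES = {"Apple", "Apple System", "Mac App Store"}


def parse_assessment(output: str) -> dict:
    """Parse `spctl --assess --verbose` output into its verdict and source.

    Expected shape (constructed example of the real format):
        /Applications/Xcode.app: accepted
        source=Mac App Store
    """
    verdict, source = None, None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("source="):
            source = line[len("source="):].strip()
        elif ": " in line:
            # "<path>: accepted" or "<path>: rejected (reason...)"
            verdict = line.rsplit(": ", 1)[1].strip()
    return {"verdict": verdict, "source": source}


def is_genuine(output: str) -> bool:
    """True only for an accepted bundle whose signature source is Apple's."""
    parsed = parse_assessment(output)
    return parsed["verdict"] == "accepted" and parsed["source"] in TRUSTED_SOURCES


def assess_xcode(path: str = "/Applications/Xcode.app") -> bool:
    """Run spctl (macOS only) against the bundle and decide.

    Raises RuntimeError off macOS so the caller never mistakes "could not
    check" for "checked and clean".
    """
    if shutil.which("spctl") is None:
        raise RuntimeError("spctl not found; run this on macOS")
    proc = subprocess.run(["spctl", "--assess", "--verbose", path],
                          capture_output=True, text=True)
    # spctl writes the assessment to stderr; read both streams to be safe.
    return is_genuine(proc.stderr + proc.stdout)


if __name__ == "__main__":
    print("genuine" if assess_xcode() else "NOT genuine: do not build with this Xcode")
```

A bundle that has been modified after signing fails with `rejected`, and a bundle re-signed by someone else passes Gatekeeper but shows `source=Developer ID`; both are treated as untrusted here, which is the behaviour you want for a toolchain that will sign your apps.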
So, how did this happen?
It's quite clever of the attackers to infect the development toolkit that builds applications for the App Store instead of attacking the apps themselves. The malicious Mach-O object is linked into every app compiled with the tampered Xcode, so the developer's own source code is untouched, the payload ships inside the app's main binary, and it is signed with the developer's certificate like the rest of the app. (A Mach-O "fat" binary can hold one slice per CPU architecture, which only means the payload runs on every iOS device; it does not let an app launch extra programs in the background.) This gives an attacker a free ride for whatever malicious code they choose to bundle alongside your intended application on an iOS device. Although this attack seemed focused on Asia, the same vector applies to any app store: dozens of applications from trusted developers can end up carrying malicious code in every package they build on the compromised Xcode tool base.
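Because the payload is linked into the app's own binary, triaging an app for a compromised toolchain means looking inside that binary rather than at the developer's source. The script below is an added example, not code from the original post or from Palo Alto Networks: it parses a fat Mach-O (one slice per CPU architecture), lists the dylibs each slice links, and greps each slice for indicator strings. The page does not reproduce XcodeGhost's real indicators, so the sample binary and the indicator string `init.lookalike-analytics.invalid` are constructed for this example.

```python
"""Triage an iOS app binary for a linked-in payload.

Added example (not from the original post). A fat Mach-O has a big-endian
fat header listing one slice per cputype; the loader picks exactly one
slice, and each slice is a complete Mach-O with its own load commands.
Sample binary and indicator strings below are constructed.
"""
import struct

FAT_MAGIC = 0xCAFEBABE          # fat header magic, big-endian
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit Mach-O magic, little-endian slice
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x18 | 0x80000000   # LC_REQ_DYLD bit set
CPU_NAMES = {0x0100000C: "arm64", 0x01000007: "x86_64"}


def parse_slice(blob: bytes) -> dict:
    """Parse one Mach-O slice: mach_header_64 plus its dylib load commands."""
    magic, cputype, _sub, filetype, ncmds, _sizeofcmds, _flags, _res = \
        struct.unpack_from("<8I", blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError(f"unsupported magic {magic:#x}")
    dylibs, off = [], 32            # load commands start right after the header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", blob, off)
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            # struct dylib_command: cmd, cmdsize, name offset, ts, cur, compat
            name_off = struct.unpack_from("<I", blob, off + 8)[0]
            raw = blob[off + name_off:off + cmdsize]
            dylibs.append(raw.split(b"\0", 1)[0].decode())
        off += cmdsize
    return {"cpu": CPU_NAMES.get(cputype, hex(cputype)),
            "filetype": filetype, "dylibs": dylibs}


def parse_fat(blob: bytes) -> list:
    """Split a fat binary into its slices; a thin binary is returned as one."""
    magic, = struct.unpack_from(">I", blob, 0)
    if magic != FAT_MAGIC:
        return [blob]
    nfat, = struct.unpack_from(">I", blob, 4)
    slices = []
    for i in range(nfat):
        # struct fat_arch: cputype, cpusubtype, offset, size, align (big-endian)
        _cpu, _sub, offset, size, _align = struct.unpack_from(">5I", blob, 8 + 20 * i)
        slices.append(blob[offset:offset + size])
    return slices


def triage(blob: bytes, indicators) -> list:
    """Per slice: architecture, linked dylibs, and which indicators occur in it."""
    report = []
    for s in parse_fat(blob):
        info = parse_slice(s)
        info["hits"] = [ioc for ioc in indicators if ioc.encode() in s]
        report.append(info)
    return report


# --- constructed sample: a two-slice fat binary ---------------------------
def _dylib_cmd(name: str, cmd: int = LC_LOAD_DYLIB) -> bytes:
    body = name.encode() + b"\0"
    body += b"\0" * (-len(body) % 8)          # pad the command to 8 bytes
    return struct.pack("<6I", cmd, 24 + len(body), 24, 0, 0x10000, 0x10000) + body


def _slice(cputype: int, extra: bytes) -> bytes:
    cmds = _dylib_cmd("/usr/lib/libSystem.B.dylib") + \
           _dylib_cmd("/System/Library/Frameworks/UIKit.framework/UIKit")
    header = struct.pack("<8I", MH_MAGIC_64, cputype, 0, 2, 2, len(cmds), 0, 0)
    return header + cmds + extra


def sample_fat() -> bytes:
    """Constructed fat binary; only the arm64 slice carries the indicator."""
    a = _slice(0x0100000C, b"\0init.lookalike-analytics.invalid\0")
    b = _slice(0x01000007, b"\0clean\0")
    off_a = 8 + 20 * 2
    off_b = off_a + len(a)
    hdr = struct.pack(">2I", FAT_MAGIC, 2)
    hdr += struct.pack(">5I", 0x0100000C, 0, off_a, len(a), 0)
    hdr += struct.pack(">5I", 0x01000007, 0, off_b, len(b), 0)
    return hdr + a + b


INDICATORS = ["init.lookalike-analytics.invalid"]    # constructed IOC, not real


if __name__ == "__main__":
    for entry in triage(sample_fat(), INDICATORS):
        print(entry)
```

On a real app, feed it the main executable from the `.ipa` payload and a list of the published indicator strings; a hit in the app's own binary, with no corresponding code in the developer's repository, is the signature of a toolchain compromise rather than a malicious developer.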
It is also interesting that the domains used for command and control (C&C) were chosen to resemble Apple's own iCloud service names.
At first glance that suggests the attackers, besides getting their code onto devices, had to hijack DNS or rewrite local IP tables so that Apple-looking names resolved to their servers. They did not: the names only imitate Apple's hostnames and were registered by the attackers themselves, so they resolve normally and the look-alike naming exists to make C&C traffic blend into ordinary device traffic. According to the researchers at Palo Alto Networks who wrote the initial report, about 39 applications available in the Chinese App Store were deemed malicious. So far, I have not heard of any detected malicious apps in the US or EU instances of the App Store.
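Since the C&C names resolve normally, the place to catch them is the DNS log, by separating names that are genuinely under Apple's zones from names that merely contain an Apple-ish label. The script below is an added example and is not code from the original post or from Palo Alto Networks; the Apple zone list is an assumption to be extended from your own allowlist, and the log lines and look-alike names are constructed, not XcodeGhost's real indicators.

```python
"""Flag Apple-lookalike domains in DNS query logs.

Added example (not from the original post). A name is "apple" only if it
is the apex or a proper subdomain of a zone Apple controls; a name that
merely contains "icloud" or "apple" somewhere is a lookalike. Log lines
and the zone/label lists are constructed assumptions for this example.
"""
import re

# Zones Apple actually controls (assumed; extend from your own allowlist).
APPLE_ZONES = ("apple.com", "icloud.com", "mzstatic.com", "apple-dns.net")
# Brand words that make a hostname look Apple-related.
BAIT_LABELS = ("apple", "icloud", "itunes", "appstore")

# Constructed dnsmasq-style lines: "... query[A] <name> from <client>"
SAMPLE_LOG = """\
Sep 18 10:01:02 dnsmasq[112]: query[A] www.icloud.com from 10.0.0.5
Sep 18 10:01:03 dnsmasq[112]: query[A] www.apple.com from 10.0.0.5
Sep 18 10:01:09 dnsmasq[112]: query[A] init.icloud-analytics.invalid from 10.0.0.7
Sep 18 10:01:11 dnsmasq[112]: query[A] apple.com.evil-cdn.invalid from 10.0.0.7
Sep 18 10:01:15 dnsmasq[112]: query[A] www.example.org from 10.0.0.9
"""
QUERY_RE = re.compile(r"query\[\w+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")


def under_apple_zone(name: str) -> bool:
    """True only for the zone apex or a proper subdomain (dot-boundary check)."""
    name = name.lower().rstrip(".")
    return any(name == z or name.endswith("." + z) for z in APPLE_ZONES)


def looks_apple(name: str) -> bool:
    """True if any label contains an Apple brand word (e.g. 'icloud-analytics')."""
    labels = name.lower().rstrip(".").split(".")
    return any(bait in label for label in labels for bait in BAIT_LABELS)


def classify(name: str) -> str:
    """'apple' (genuine zone), 'lookalike' (brand word outside Apple's zones), or 'other'."""
    if under_apple_zone(name):
        return "apple"
    if looks_apple(name):
        return "lookalike"
    return "other"


def find_lookalikes(log: str) -> list:
    """Return (client, name) for every query to an Apple-lookalike domain."""
    hits = []
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if m and classify(m["name"]) == "lookalike":
            hits.append((m["client"], m["name"]))
    return hits


if __name__ == "__main__":
    for client, name in find_lookalikes(SAMPLE_LOG):
        print(f"{client} queried lookalike {name}")
```

The dot-boundary check in `under_apple_zone` is the part worth copying: a plain substring or suffix match would wave through `apple.com.evil-cdn.invalid` and `notapple.com`, which are exactly the shapes an attacker registers.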