The App Store is not as safe as we thought.
While Apple’s notoriously restrictive approach to apps has typically been thought to make malicious software on the platform next to impossible, security researchers recently identified dozens of apps containing malware in the App Store.
The malware, called XcodeGhost, was first publicized by security researchers at Palo Alto Networks, who discovered the infected apps. The exploit puts quite a bit of personal and device information at risk, including your Apple ID and iCloud password, the contents of your device’s clipboard and your device’s name, type and UUID (universally unique identifier).
The malware stems from a modified version of Xcode — that’s the set of software tools Apple provides to developers to create iOS apps — that contained malware. Though this was not the official version of Xcode provided by Apple (more on that later), the infected apps managed to make their way through Apple’s review process and into the App Store.
How bad is it?
While Palo Alto Networks’ Ryan Olson told Reuters they hadn’t found evidence the malware had been used to steal user information, the exploit is far-reaching.
It’s hard to say exactly how many apps have been infected. Initially, Palo Alto Networks identified two infected apps but later increased that number to 39. The list included some of the most popular apps in China like WeChat, Angry Birds 2 (Rovio has said only the Chinese version was affected), Didi Chuxing (a Chinese ride-hailing app), Railway 12306 (the country’s official app for buying train tickets) and China Unicom Mobile Office (made by one of the most popular carriers), according to the firm.
But though nearly all of the infected apps come from Chinese developers, they are not limited to the Chinese App Store. Some apps like WeChat, SaveSnap and Camcard are also available — and widely used — in the U.S. App Store.
The reality is the actual number of infected apps could be much higher. Tencent, the company behind WeChat, said in a report Sunday that it has identified 76 infected apps, while China’s state-run broadcaster said the number could be as high as 350, according to a report in The Wall Street Journal.
How did this even happen?
The short answer is bad luck and developer laziness. It appears developers inadvertently infected their own apps when they downloaded a modified version of Xcode that included the malware. Xcode is a large program that often takes a long time to download, Palo Alto Networks explained in a statement, which sometimes leads developers to turn to sources other than Apple.
In China (and in other places around the world), sometimes network speeds are very slow when downloading large files from Apple’s servers. As the standard Xcode installer is nearly 3GB, some Chinese developers choose to download the package from other sources or get copies from colleagues.
The security firm goes on to explain that searching for “Xcode download” on Google returns results for several forums frequented by developers. Many of these download links point back to files posted on the file sharing site Baidu Yunpan, which contained the infected versions of Xcode that app makers unwittingly downloaded.
What should I do now?
Given the popularity of some of the apps involved, hundreds of millions of users are thought to be affected by the exploit. And it’s still possible there are infected apps that have not yet been discovered. Apple says it has removed the infected apps, though some of those identified by Palo Alto Networks remain in the App Store and have yet to be updated. Apple did not immediately respond to Mashable’s request for comment on this.
If you have one of the infected apps (you can find a list here) you should delete it immediately (note that Tencent has already updated WeChat with a fix, so make sure you have the latest update, version 6.2.6).
It’s also a good idea to change your iCloud password now, especially if you downloaded one of the apps in question. While you’re at it, you should consider turning on two-factor authentication as well. That way, even if your Apple ID and password are compromised, an attacker will not be able to get into your account from another device.
It should go without saying, but, if you’re a developer, do not download Xcode from sources other than Apple. And if you have in the past, now would be the time to get the official version from Apple.
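For developers who want to confirm that the Xcode already on their Mac is a genuine Apple build rather than a repackaged copy like the one behind XcodeGhost, here is an added example (not from the article, Apple or Palo Alto Networks) that runs Apple’s Gatekeeper assessment tool, `spctl`, against Xcode.app and accepts it only if it is both “accepted” and signed from an Apple source. It assumes macOS for the `spctl` call; the output-checking function is plain POSIX shell and works anywhere.

```shell
#!/bin/sh
# Added example: verify that an installed Xcode.app passes Gatekeeper
# assessment and was signed by Apple. A copy downloaded from a forum or
# file-sharing site and modified (as with XcodeGhost) would either be
# rejected or report a non-Apple source.

# Decide whether the text produced by `spctl --assess --verbose` describes
# a genuine Apple-signed Xcode. $1 is the full spctl output (one or more
# lines). Returns 0 for genuine, 1 otherwise.
xcode_source_ok() {
    out=$1
    # Gatekeeper must have accepted the bundle at all.
    case "$out" in
        *": accepted"*) ;;
        *) return 1 ;;
    esac
    # Extract the value after "source=" (first occurrence only).
    src=$(printf '%s\n' "$out" | sed -n 's/.*source=//p' | head -n 1)
    # Only these sources correspond to Xcode obtained from Apple:
    # the Mac App Store, the developer.apple.com download, or an
    # Apple-shipped system build. A "Developer ID" or unsigned source
    # means someone else re-signed or tampered with the bundle.
    case "$src" in
        "Mac App Store"|"Apple"|"Apple System") return 0 ;;
        *) return 1 ;;
    esac
}

# Run the assessment on a real installation (macOS only).
# $1: path to Xcode.app, default /Applications/Xcode.app.
check_installed_xcode() {
    app=${1:-/Applications/Xcode.app}
    command -v spctl >/dev/null 2>&1 || {
        echo "spctl not available; this check needs macOS" >&2
        return 2
    }
    # spctl reports the assessment on stderr, so merge it into stdout.
    out=$(spctl --assess --verbose "$app" 2>&1)
    if xcode_source_ok "$out"; then
        echo "OK: $app is accepted and signed by Apple"
    else
        echo "WARNING: $app did not pass as a genuine Apple build:" >&2
        printf '%s\n' "$out" >&2
        return 1
    fi
}

# Usage on a Mac: check_installed_xcode /Applications/Xcode.app
```

A failing result does not say what was changed, only that the bundle is not the one Apple signed; the fix is the same either way: delete it and reinstall from the Mac App Store or developer.apple.com.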