Zit Seng's Blog

A Singaporean's technology and lifestyle blog

Malware Afflicted Apps Hit iPhones and iPads

If you have or use an iPhone or iPad, this is important news. Apple’s iOS App Store has not been hacked per se, but numerous malware-afflicted apps have made their way into the store’s offering. The malware has made their way into apps which were created with a counterfeit version of Xcode, which developers use to create iOS (and OS X) apps.


The counterfeit version of Xcode is said to come from a server in China. Developers in China often turn to alternative sources or colleagues for large downloads, such as Xcode which weigh in at 3GB, because of slow Internet speeds from official download servers. The modified version of Xcode which have been acquired by otherwise legitimate developers implant code in apps which carry out surreptitious activities.

While many of the affected apps cater to the Chinese market, there are others which have some international impact. This includes the popular Angry Birds 2 and WeChat. A Chinese research firm believes that as many as 344 apps are affected.

Some identified apps include:

  • Angry Birds 2
  • CamCard
  • CamScanner
  • Card Safe
  • Didi Kuaidi
  • NetEase
  • OPlayer
  • PDFReader
  • The Kitchen
  • WinZip

Here’s another list published by Palo Alto Networks.

At this time, it is understood that the XcodeGhost malware collects the following system and app information, among others, and sends them to a command and control server:

  • Current time
  • Current infected app’s name
  • App’s bundle identifier
  • Device’s name and type
  • System’s language and country
  • Device UUID
  • Network type

Although the collected data does little to directly facilitate an attack, it is really only the beginning. The malware can also phish user credentials, hijack opening specific URLs which pave the way for other exploitation vectors, and read and write data in the user’s clipboard. The clipboard channel could be used by a password management tool to move passwords.

Apple has said to have removed the apps from the iOS App Store that are known to have been created with this counterfeit software, and they are further working with developers to ensure that they are using the official version of Xcode to rebuild their apps.

If you use an iOS device, you should immediately uninstall any infected iOS app, at least those listed here, or update to a newer version that has the malware removed. You should reset your iCloud password, and any passwords you’ve entered on your iOS device.

This is nastiest iOS breach to date, and it only underscores how malware have advanced and developed from the early days of PC viruses. It’s no more about crashing or slowing down computers, but more about stealing information or attacks with clear goals, ultimately for monetary gains and other more practical benefits.

Leave a Reply

Your email address will not be published. Required fields are marked *

View Comment Policy