Tens, if not hundreds, of thousands of non-jailbroken devices are believed infected after a Trojanized compiler struck in China

Apple, Inc.'s (AAPL) faithful tend to be under the false impression that their mobile platform of choice is immune to security risks as long as they play by Apple's rules.  Perhaps the most successful attack on that assumption to date was spotted in the wild by Palo Alto Networks Inc. (PANW) this week.  The breach affects users of non-jailbroken iPhones.  And most unusually, it involved tricking developers, and Apple itself, into unwittingly infecting the masses.

I. History vs. Present Reality

Before I begin, I want to say simply to a special few -- I told you so.  Take "Nortel", who last month was busy blasting my piece on Apple KeyRaider malware.  He wrote:

If you use your iPhone as intended you are at no risk. If you jailbreak your phone, defeating Apple's security intentionally, you open yourself up to security issues. How is this in any way comparative to Android, where right out of the box it is insecure?

Clearly, to all but the most delusional, the new attack illustrates that such notions are outdated and no longer hold true.  But to be fair, I'll be the first to note that there is a bit of historic truth in such arguments.  In many ways I can understand such comments, as for a time mobile malware was largely hypothetical and to some degree overstated by us media folks.


And even when it had become apparent that mobile malware was indeed quite real, most of it was observed to be affecting Android, not iOS.  While Android's U.S. user base was largely secure, in certain markets like China Android has seen a growing volume of malware in recent years.  It was Android that first saw mass infections of hundreds of thousands of users.

You could say Android's security struggles have been quite analogous to those of Windows over the years.  It's hard being a (relatively) open platform, and it's hard being the provider of the world's most used operating system.  You're definitely a mark, favorable as such a position may otherwise be.

For years the truth was that iOS was relatively safe, thanks largely to its policy of tight control.  Yes, part of it was Apple's low market share.  But even as Apple has gained significant share in many markets, it has managed to largely avoid mobile malware.  Its walled garden and aggressive policing of the App Store -- oft villainized as overreaching -- were admittedly key factors in Apple's ability to stay secure.

Apple's walled garden kept its users safe, even if the restrictions frustrated some. [Image Source: Scoopertino]

And while malware targeting Apple's mobile devices began to crop up around 2011, it is also true that it was largely only a threat to users who jailbreak (and a pretty weak threat at times, at that).  Remember that while I regularly noted the existence of threats in iOS, at the time I also was unafraid to note that at an ecosystem level Apple was doing a more effective job of protecting its users (see my piece: "Apple is Giving Android a Beatdown in Malware Prevention", for instance).  I'm a realist, after all, not a favoritist.

In the past we've seen that most of the relatively rare instances of iOS and Mac OS X malware that weren't aimed at jailbroken devices employed Trojan tactics, masquerading as popular apps.  Such a distinction was reassuring, assuredly.  Even when more than half a million Macs were compromised, one could always assert that the attacks involved a degree of naivete on the victim's part.

The reality is that in many regards Apple users' faith in their platform's security was no mere fantasy.  It was the real deal.  But the thing about reality is that sometimes it can be cruel.  It can shift.  That may be understandably hard for us humans to accept.  But failing to accept reality will not change it.

iOS users should be aware that there is strong evidence that their platform's once impenetrable walls are cracking and crumbling.  Case in point: mobile malware is now creeping into Apple's official App Store.  And it's not just one app.  It is dozens.

A timeline depicts the history of iOS malware prior to the recent discovery. [Image Source: Trend Micro]

The shift has come largely due to the increasing savvy of profit-driven mobile hackers.  Recent leaks have revealed it is equally driven by nation states like China and the U.S. that wish to spy on their own citizens and foreigners alike.  For the nation-state attacker, as more and more communication has shifted from landline phones and the PC to mobile devices, mobile has become the target of choice.  And with practically blank-check black budgets, they have recruited many of the best and brightest, helping them arrive early to the mobile malware game.

Apple's walled garden approach and tight regulation of developers has long presented a daunting obstacle to amateur efforts, while Android has been the lower-hanging fruit.  But as Google Inc. (GOOG) has stepped up its own efforts to purge malware, scareware, adware, and other undesirable apps from the Play Store, interest in subverting Apple's platform and targeting iPhone users has grown.

II. Safe No More

The new hack is the fruit of such labors.  

It involves a maliciously modified version of the Xcode integrated development environment (IDE) -- a nasty trick that places it in the family of malware known as "compiler malware".  While not a wholly new strategy, this is the first time we've seen proof of it being used to target the iOS crowd.  It's also remarkable in that it threatens not only users of non-jailbroken devices but users of every version of iOS as well, because the malicious code ships inside ordinary App Store apps rather than exploiting a flaw in the operating system.


And by the looks of it, it has been very successful indeed, as it in effect transforms Apple's walled garden and single source of apps -- an approach that for so long helped to secure Apple's user base -- into a weapon against those very users.  After all, developers trust Xcode -- they have to, because they have no other choice.  But if they get their copy of Apple's software from a third party (as many do, even in the U.S.) they may find their apps secretly Trojanized.

And to make matters worse, in this case Apple is the Trojan dealer, not some sketchy piracy site.  iOS users trust the App Store -- because they have to.  Apple sanctions no other general source of apps for the iPhone.  But in this breach Apple was very cleverly -- and some would say alarmingly easily -- tricked into distributing malware to an estimated 25,000+ iPhone owners.


These infections -- and the malicious IDE that gave rise to them -- appear to be mostly geographically confined to China.

The geographic origin is unsurprising for a number of reasons:
  1. China has been the world's largest smartphone market since 2013.
  2. Most large-scale Android malware outbreaks, those topping 100,000 infections, have been heavily concentrated in China.
  3. The iPhone is incredibly popular in China, Apple's largest market outside the U.S.
  4. China has a strong tradition of sophisticated hacking and piracy efforts.
That said, the surprising efficacy of the hack raises concerns internationally, as it exposes a weak point in Apple's security chain.

The attack begins with modifications to Xcode 6 and 7 (Xcode 7 being the latest version of the IDE).  Palo Alto Networks discovered a number of suspicious files included alongside the usual files in the Xcode installation packages, which it dubs "XcodeGhost".


All share the common base directory "", which I'll refer to below as "$BASEDIR".  From there the malicious packages include:
  • In $BASEDIR/iPhoneOS.platform/Developer/SDKs/Library/
    • Frameworks/CoreServices.framework/CoreService
    • PrivateFrameworks/IDEBundleInjection.framework/
  • In $BASEDIR/iPhoneSimulator.platform/Developer/SDKs/Library/
    • Frameworks/CoreServices.framework/CoreService
    • PrivateFrameworks/IDEBundleInjection.framework/
  • In $BASEDIR/MacOSX.platform/Developer/SDKs/Library/
    • Frameworks/CoreServices.framework/CoreService
    • PrivateFrameworks/IDEBundleInjection.framework/
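A developer who wants to check their own install for the artefacts listed above can do so with a short script.  The following is an added example, not Palo Alto Networks' or Apple's code: it takes the directory the article calls $BASEDIR as its only argument (the article elides that path, so no default is assumed here), tests for each relative path in the listing, and wraps Apple's codesign verification of the Xcode bundle.  Apple's spctl check for validating Xcode is noted in a comment for those on a Mac.

```python
"""Scan an Xcode install tree for the XcodeGhost artefact paths.

Added example; not Palo Alto Networks' or Apple's code. The only inputs it
relies on are the relative paths reported in the article's listing.
"""
import subprocess
from pathlib import Path

# Artefact paths relative to $BASEDIR, as reproduced in the listing above:
# the malicious CoreService object and the dropped IDEBundleInjection framework,
# one pair per platform directory.
XCODEGHOST_PATHS = tuple(
    f"{platform}.platform/Developer/SDKs/Library/{tail}"
    for platform in ("iPhoneOS", "iPhoneSimulator", "MacOSX")
    for tail in (
        "Frameworks/CoreServices.framework/CoreService",
        "PrivateFrameworks/IDEBundleInjection.framework",
    )
)


def find_xcodeghost_artifacts(basedir):
    """Return the artefact paths (relative to basedir) that exist on disk.

    These are the files Palo Alto Networks reported as added by XcodeGhost,
    so any hit warrants a signature check of the whole Xcode bundle.
    """
    base = Path(basedir)
    return sorted(rel for rel in XCODEGHOST_PATHS if (base / rel).exists())


def xcode_signature_is_valid(xcode_app):
    """Verify the Xcode bundle's code signature with Apple's codesign tool.

    Returns True/False on macOS, or None where codesign is unavailable (for
    example on a Linux build host), so a caller can tell "tampered" apart from
    "could not check". Apple's own validation advice is the equivalent
    `spctl --assess --verbose /Applications/Xcode.app`.
    """
    try:
        result = subprocess.run(
            ["codesign", "--verify", "--deep", "--strict", xcode_app],
            capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:
        return None
    return result.returncode == 0


def assess(basedir, xcode_app=None):
    """Combine both checks into one verdict dictionary."""
    hits = find_xcodeghost_artifacts(basedir)
    return {
        "artifacts": hits,
        "signature_valid": xcode_signature_is_valid(xcode_app) if xcode_app else None,
        "suspicious": bool(hits),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        sys.exit("usage: check_xcode.py BASEDIR [path/to/Xcode.app]")
    print(assess(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None))
```

A clean result from find_xcodeghost_artifacts() is necessary but not sufficient, since a future variant could drop its object file under a different name; the signature check is what actually tells you the bundle still matches what Apple shipped.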

For those who have done a bit of iOS tinkering, this listing may seem a bit odd, particularly its use of a private framework.

Private frameworks are not intended for third-party developer use, according to The iPhone Wiki.  They carry undocumented function calls and features that Apple uses to grant special functionality and deeper system access to its own apps.  Apple's own apps have long leaned on interfaces and entitlements denied to third parties; the best-known example is mobile Safari's long-standing JavaScript speed advantage over third-party browsers, which were not allowed to use its Nitro just-in-time compiler until iOS 8.

Traditionally, apps that try to sneakily use private frameworks get caught and tossed in the app submission process.  So what's going on here?


XcodeGhost cleverly avoids detection -- including detection of its illicit use of a private framework -- by maliciously modifying a core public framework file.  Specifically, it manipulates the Xcode framework file CoreServices, a file that developers are allowed to link against.  The CoreServices version shipped in XcodeGhost works almost identically to the real deal, but with one subtle difference.  When it is used to build an app, it links in an additional, malicious framework not-so-subtly titled "IDEBundleInjection.framework".

The strategy not only helps to avoid detection by Apple's App Store screeners but also tricks well-intentioned developers into unwitting participation in the attack.  Downloads from Apple's servers are slow in China, so many legitimate developers fetch Xcode and other developer tools from third-party websites instead.  Indeed, Palo Alto Networks found XcodeGhost on many popular developer-tool download sites in China, presenting itself as a legitimate copy of Xcode.


When a developer downloads XcodeGhost and compiles an app with it, the app builds and runs just as it would in the unmodified IDE -- but with a sneaky twist.

Cleverly, the malicious CoreServices module attaches its automatically triggered extra code to two classes that nearly every iPhone app uses -- UIWindow (which "manages and coordinates the views an app displays on a device screen") and UIDevice.  Through these modified objects, the code can be co-opted into carrying out a number of devious duties in the background.  While maliciously modified Mach-O libraries and executables have been found in the past, this is reportedly the first discovered case of malicious modifications to Mach-O object files.


Palo Alto Networks found that the malicious object's code collects the following:
  • Current time
  • Current infected app’s name
  • The app’s bundle identifier
  • Current device’s name and type
  • Current system’s language and country
  • Current device’s UUID (aka UDID)
  • Network type
The data is then encrypted and uploaded to a set of legitimate-sounding server domains:
  • http://init.crash-analytics[.]com
  • http://init.icloud-diagnostics[.]com
  • http://init.icloud-analysis[.]com
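Because the beacon's server names travel in the clear inside every infected app and resolve over ordinary DNS, they are the most practical indicators for a developer or a SOC to hunt for.  The block below is an added example, not Palo Alto Networks' code: it uses only the three hostnames listed above (written defanged with [.] as in the text), matches them as literal strings in a built app binary, and flags DNS queries to them or to any host under the same registrable domains.  The DNS log line format it parses is a constructed sample, not a format from the original report.

```python
"""Indicator matching for the XcodeGhost beacon.

Added example; not Palo Alto Networks' code. The only indicators used are the
three command-and-control hostnames given in the article. The DNS log format
handled by flag_dns_log() is a constructed sample.
"""
import re

# Defanged exactly as printed in the article; refang() restores the real names.
XCODEGHOST_C2_DEFANGED = (
    "init.crash-analytics[.]com",
    "init.icloud-diagnostics[.]com",
    "init.icloud-analysis[.]com",
)


def refang(indicator):
    """Turn a defanged host (a[.]b) back into a resolvable name."""
    return indicator.replace("[.]", ".")


C2_HOSTS = tuple(refang(h) for h in XCODEGHOST_C2_DEFANGED)
# Registrable domains behind the "init." hosts, so that a sibling host under
# the same attacker-controlled domain is flagged too.
C2_DOMAINS = tuple(h.split(".", 1)[1] for h in C2_HOSTS)


def matches_c2(name):
    """True if a DNS name is a C2 host or sits under one of the C2 domains."""
    name = name.lower().rstrip(".")
    return name in C2_HOSTS or any(
        name == d or name.endswith("." + d) for d in C2_DOMAINS
    )


def scan_binary_for_c2(data):
    """Return the C2 hostnames present as plain strings in an app binary.

    XcodeGhost carried its server names in the clear, so a string scan of the
    built app catches it without disassembling the injected object file.
    """
    return sorted(h for h in C2_HOSTS if h.encode("ascii") in data)


# Constructed log format: "<timestamp> <client> query <qtype> <qname>"
DNS_LINE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)\s+(\S+)\s*$")


def flag_dns_log(lines):
    """Return (client, qname) for every query to a C2 host or C2 domain."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if m and matches_c2(m.group(4)):
            hits.append((m.group(2), m.group(4).rstrip(".")))
    return hits


if __name__ == "__main__":
    # Constructed sample inputs, not captured data.
    sample_binary = b"\xcf\xfa\xed\xfe\x00UIDevice\x00http://init.icloud-analysis.com\x00"
    sample_log = [
        "2015-09-18T09:00:00Z 10.0.0.12 query A init.icloud-analysis.com",
        "2015-09-18T09:00:01Z 10.0.0.13 query A www.apple.com",
        "2015-09-18T09:00:02Z 10.0.0.14 query AAAA update.crash-analytics.com.",
    ]
    print(scan_binary_for_c2(sample_binary))
    print(flag_dns_log(sample_log))
```

Matching on the registrable domain rather than the literal "init." host is deliberate: an attacker who controls crash-analytics.com can stand up any number of sibling hostnames, while the label-boundary check keeps an unrelated name such as crash-analytics.example.com from triggering a false positive.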

That's pretty much it for how the attack works.  What's impressive, though, is how successfully it managed to sneak its malicious Mach-O object into a number of approved apps in Apple's official App Store.  So far 39 apps have been found in the App Store matching the signature of the malicious Mach-O object injected by XcodeGhost.

NetEase was one of the most prominent apps to fall victim to XCodeGhost.

Two of these were widely used apps, according to Palo Alto Networks and other local researchers.  It named one of them -- the NetEase Cloud Music app.  The app has 493 ratings on the official Chinese App Store.  Seasoned developers report that, with occasional prompting, roughly 1 in 50 to 1 in 100 users will rate an app; some report rates as low as 1 in 500 for popular apps without rating reminders.  So at a minimum, an estimated 25,000 users have been infected by this app alone.  At worst, the figure for that one app could be well over 100,000.

And remember, that's just one of 39 (!!) apps discovered so far -- and many more may still be lurking undetected.


The malware authors' objectives may be as innocent as data mining.  And while the information the malicious Mach-O object collects is certainly unauthorized and concerning, it's not doing anything as overtly dangerous as the malware afflicting some Android and jailbroken-iPhone users.  Compared to something like KeyRaider -- which recently affected 225,000+ users of jailbroken iPhones in China -- this malware's threat is subtle and perhaps not as immediate.

III. Risk Assessment

That said, the harvested UDID can be used in secondary attacks.


Tech news followers will recall that notorious forum troll-cum-security researcher Andrew Auernheimer and his associates in 2010 hammered an AT&T Inc. (T) web service with auto-generated ICC-IDs (integrated circuit card identifiers), an identifier analogous to the UDID.  When a valid ICC-ID was hit, the service returned the e-mail address of the iPad owner it was registered to.  Ultimately the group used the approach to harvest 114,000+ iPad 3G buyers' e-mail addresses, many of which were identifiable by name and domain as belonging to celebrities, politicians, military leaders, and other prominent people.

The U.S. Federal Bureau of Investigation (FBI) took the matter seriously, raiding Auernheimer's home and finding a stash of drugs in the process.  While that stash was eventually found to belong to one of Auernheimer's roommates, prompting from Apple and AT&T convinced the FBI to charge him on other grounds.  He would soon become a convicted felon after being found guilty of violating the ambiguously worded Computer Fraud and Abuse Act (CFAA) of 1986 (18 USC § 1030) -- the same law federal prosecutors wielded against Reddit cofounder Aaron Swartz, who would later tragically take his own life.

Auernheimer was convicted in November 2012 and sentenced in March 2013 to 41 months in prison (nearly three and a half years) as a first-time offender.  He would serve a little over a year before an appeals court ruled in his lawyers' favor in 2014, vacating the conviction on the grounds that federal prosecutors had chosen an improper venue.  Many critics of the CFAA feted his release, yet in typical troll fashion Auernheimer squandered much of that goodwill when he came out as a straight-up racist late last year.  Then again, for a man who prides himself on being a perpetual troll both in real life and online, this could all be one big ruse, of course.  But he's certainly played the part; at last check he was trolling Twitter Inc. (TWTR) users with promoted white supremacist tweets.

Returning to the matter at hand: UDIDs -- an Apple-specific identifier -- were also used by some early iOS ad networks, a practice Apple eventually beat back amid growing privacy concerns.  Considering their role in convicting Auernheimer, it is rather ironic that the FBI was in 2012 accused by the Anonymous-affiliated group AntiSec of holding millions of UDIDs, which AntiSec claimed to have found on an FBI agent's laptop it admitted to breaking into.  For good measure it published a million of the device IDs, bragging that it had around 12 million in total.

The UDID uniquely identifies your device. [Image Source: Brandon Hill/DailyTech]

The FBI, of course, denied being the source, and within days the Florida app publisher BlueToad said the IDs had in fact been stolen from its own servers.  Whatever the source, the incident provoked a healthy discussion about exactly what threats stolen UDIDs pose.

The answer, ultimately, is "not much" -- but it is not "none".


As Ars Technica explained back in 2012, previously collected databases can be correlated with a UDID for identity theft, spamming, phishing, and other malicious purposes.  And while Apple's promotion of two-factor authentication and other security measures has alleviated the issue somewhat, a UDID combined with such data could still theoretically help an attacker take over someone's iMessage and iCloud accounts in order to steal their pictures or spy on their activity.

The claims by AntiSec also suggest another troubling angle -- state-funded spying, both domestic and international.  Indeed, the fact that XcodeGhost is so sophisticated yet so subtle in its payload suggests that it could potentially be the work of a nation-state entity such as the U.S. National Security Agency (NSA) or the U.S. Central Intelligence Agency (CIA) -- or perhaps China's own elite military hacker units.


For a sense of how this might work, read about DROPOUTJEEP, the NSA's iPhone malware system described in leaked documents.  (Apple denies helping the NSA build this backdoor, as some have claimed it did.)

IV. The Wall Came Down

Okay, so XcodeGhost can steal your UDID.  Big deal, right?

I realize that at this point many iPhone users who read this will ask "so what?" or "why should I care?", given that the attack occurred in China and wasn't overtly dangerous.  But Palo Alto Networks' Claud Xiao -- a professional who clearly knows a thing or two more about security than most armchair observers -- rebuts such skepticism well, writing:

Compiler malware is not a new idea. Starting with the first proof-of-concept written by Ken Thompson 31 years ago, real compiler malware has been discovered in many platforms. Compared with other iOS malware, XcodeGhost’s behaviors are not especially significant or harmful. This is why the code can pass App Store code review.

However, XcodeGhost disclosed a very easy way to Trojanize apps built with Xcode. In fact, attackers do not need to trick developers into downloading untrusted Xcode packages, but can write an OS X malware that directly drops a malicious object file in the Xcode directory without any special permission.

Additionally, although Apple’s code review for App Store submissions is very strict, some applications are never reviewed by Apple. If the iOS app is used by an enterprise internally, for example, it will be distributed in-house and won’t go through the App Store. In the same example, an OS X app can also be infected, and lots of OS X apps are directly distributed via the Internet other than App Stores.

In these situations, Xcode compiler malware can be much more aggressive and risky.

To paraphrase: while XcodeGhost's malicious payload was subtle, its ability to subvert dozens of apps -- and likely infect tens of thousands, if not hundreds of thousands, of users in a way that was virtually undetectable to Apple -- will surely not go unnoticed.  For those who wish to engage in more overt attacks such as financial fraud, ransomware, or direct identity theft, XcodeGhost may be just the kind of crack in Apple's great wall(ed garden) they were looking for.


To "Nortel" and others who fall for the mythology that the App Store is malware-free and that non-jailbroken devices are at no risk: sorry, your information is outdated.  While it's fair to say that iOS remains somewhat safer than Android, the fact that Apple unwittingly approved dozens of malicious apps and allowed the infection of an estimated 25,000+ users should be a wake-up call.

XcodeGhost is a wake-up call. [Image Source: Palo Alto Networks]

Even for the security-aware crowd, threats in the mobile sphere are growing and pervasive.  After all, even the most savvy users are forced to put their trust in the companies that provide their software and services.  When those companies are compromised, the chain breaks and even tech-savvy folks can find themselves victimized.

Let us not forget that leaked NSA slides -- slides produced by the U.S. government, the nation much of our readership calls home -- boasted of how easily the agency could break into and spy on iPhones en masse.


In fact, the NSA had a running joke thread, since leaked, about how it was perverting Apple's own functionality into spying on users -- a thread that at least showed a sense of humor, albeit a diabolical one.

And such threats are not going away.  The CIA and FBI are believed to be engaged in similar efforts, and you can imagine that the Chinese, Russians, and other prominent players in the nation-state hacking scene are as well.

Previously, these parties largely targeted iOS via man-in-the-middle attacks on traffic that was not yet encrypted end to end (likely via literal cable taps).  With encryption now on board, and with Apple holding firm about not handing master keys to government spy agencies, you can bet that the NSA et al. are salivating at the promise of XcodeGhost -- if they were not themselves behind the overly clever effort.


As we saw with Windows in the 1990s, mobile threats will grow from the stuff of farce and fiction (see McAfee's fearmongering) into cold, hard reality as attacks shift toward immediate evils like fraud.  Mobile malware is fast emerging from the hypothetical into the observable.

The only solution is constant vigilance.  To assume your platform is impenetrable is foolish folly.  Sorry, iPhone users, I wish you were safe.  But I don't make reality.  I just write about it.  And the reality is, iOS is no longer secure.

Source: Palo Alto Networks [blog]


Copyright 2017 DailyTech LLC.