Hundreds of Apple's IOS apps compromised



Bob
21st September 2015, 18:45
Its being called XCodeGhost - a modified X-Code compiler for writing IOS (iPhone and iPad) apps. Developers were "lured" into downloading the 3 gigabyte compiler from Chinese websites who claimed to have a faster download method than getting the development product directly from Apple.

Apple says it has pulled 300 infected Apps from its Store as of today.. Below is a list of apps which were published as having had the infection. Apple recommends removal and downloading a FRESH version which would state that it guarantees that is is "free from the XCodeGhost malware"..

From: http://researchcenter.paloaltonetworks.com/2015/09/malware-xcodeghost-infects-39-ios-apps-including-wechat-affecting-hundreds-of-millions-of-users/

Yesterday an analysis report was posted on a novel malware, XcodeGhost, that modifies the Xcode IDE to infect Apple iOS apps. In the report, it was mentioned that at least two popular iOS apps were infected. It is now believed many more popular iOS apps have been infected, including WeChat, one of the most popular IM applications in the world.

After the report was posted, some security companies like Qihoo 360 scanned popular apps in the App Store by code analysis, and some iOS developers analyzed more apps using crowd-sourcing techniques. Several Internet companies such as Tencent, NetEase, and Jianshu have made statements on their respective affected products.

These apps are checked below in this report. As of the 18th, 39 iOS apps were observed as being infected, some of which are extremely popular in China and in other countries around the world, comprising hundreds of millions of users.

The infected iOS apps include IMs, banking apps, a mobile carrier's app, maps, stock trading apps, SNS apps, and games. Among the more well-known apps are WeChat (developed by Tencent); Didi Chuxing (developed by Didi Kuaidi), the most popular Uber-like app in China; Railway 12306, the only official app used for purchasing train tickets in China; China Unicom Mobile Office, which is in use by the biggest mobile carrier in China; and Tonghuashun, one of the most popular stock trading apps.

[Figure 1. WeChat 6.2.5 is also infected]

Some apps are also available from the App Store in other countries.

For example, CamCard, developed by a Chinese company, is the most popular business card reader and scanner in many countries (including the US) around the world. WeChat is the most popular IM app not only in China but also in many countries or regions in Asia Pacific. Version 6.2.5 of WeChat is what we have verified to be infected. Tencent has updated to 6.2.6, which removed the malicious code.


Palo Alto Networks is cooperating with Apple on the issue and we also suggest all iOS developers be aware and take necessary actions.

Infected iOS apps


网易云音乐 2.8.3
微信 6.2.5
讯飞输入法 5.1.1463
滴滴出行 4.0.0.6-4.0.0.0
滴滴打车 3.9.7.1 – 3.9.7
铁路12306 4.5
下厨房 4.3.2
51卡保险箱 5.0.1
中信银行动卡空间 3.3.12
中国联通手机营业厅 3.2
高德地图 7.3.8
简书 2.9.1
开眼 1.8.0
Lifesmart 1.0.44
网易公开课 4.2.8
马拉马拉 1.1.0
药给力 1.12.1
喜马拉雅 4.3.8
口袋记账 1.6.0
同花顺 9.60.01
快速问医生 7.73
懒人周末
微博相机
豆瓣阅读
CamScanner
CamCard
SegmentFault 2.8
炒股公开课
股市热点
新三板
滴滴司机
OPlayer 2.1.05
电话归属地助手 3.6.5
愤怒的小鸟2 2.1.1
夫妻床头话 1.2
穷游 6.6.6
我叫MT 5.0.1
我叫MT 2 1.10.5
自由之战 1.1.0
Fox-IT (fox-it.com), a Netherlands-based security company, checked all C2 domain names from our reports in their network sensors and has found thousands of malicious connections outside China. According to their data, these iOS apps were also infected:
Mercury
WinZip
Musical.ly
PDFReader
guaji_gangtai en
Perfect365
网易云音乐
PDFReader Free
WhiteTile
IHexin
WinZip Standard
MoreLikers2
CamScanner Lite
MobileTicket
iVMS-4500
OPlayer Lite
QYER
golfsense
同花顺
ting
installer
下厨房
golfsensehd
Wallpapers10000
CSMBP-AppStore
礼包助手
MSL108
ChinaUnicom3.x
TinyDeal.com
snapgrab copy
iOBD2
PocketScanner
CuteCUT
AmHexinForPad
SuperJewelsQuest2
air2
InstaFollower
CamScanner Pro
baba
WeLoop
DataMonitor
爱推
MSL070
nice dev
immtdchs
OPlayer
FlappyCircle
高德地图
BiaoQingBao
SaveSnap
WeChat
Guitar Master
jin
WinZip Sector
Quick Save
CamCard



Did the Chinese app developers create these corrupted apps deliberately?
It doesn't look that way. The developers were probably as much in the dark as anyone else.

Why did Apple let the corrupted apps into the App Store?

The apps looked fine to Apple's vetting team. Apple approved the apps and gave them Apple's own digital certificate of approval, which meant they could be installed on any iPhone, iPad or iPod Touch.
Does this affect the security of my iPhone?

Yes, although you're at less risk if you don't use any apps created in China. Most of the potentially malicious apps were created in China, but among them is WeChat, which has an estimated 500 million users worldwide.

So what exactly happened?
In March, someone fiddled with Apple's free software development kit (SDK), XCode, and put a corrupted version of Xcode's installer on a Web server operated by Chinese Web giant Baidu. Then the word spread that the corrupted Xcode installer was faster to download than the official installer housed on Apple's own servers. Because the Xcode installer can take a long time to download (it's nearly 3GB in size), a lot of Chinese developers downloaded the corrupted version.

How would a corrupted SDK affect apps made with it?
A corrupted SDK essentially poisons the well. Any app created with it could contain hidden code that undermines the security of the app.

When did this come to light?
According to Santa Clara, California-based Palo Alto Networks, Chinese iOS developers last week noticed that apps using the corrupted version of XCode were sending data to a mysterious Web address. On Thursday (Sept. 17), Palo Alto Networks put up a blog posting detailing its own investigation into the corrupted SDK, which Chinese researchers had already dubbed "XCodeGhost."
Is the corrupted version of Xcode still available?

Baidu has removed it from its servers. But there are doubtless many copies floating around the Chinese part of the Internet.

Who would deliberately poison Xcode?
Criminals or spies. Criminals could use the corrupted apps to harvest personal information from Apple users, including Apple account usernames and passwords, which they could then use to buy free stuff. Spies would use that same information for intelligence purposes.

Could spies be behind it?
Yes. In March 2015, the online magazine The Intercept posted very interesting documents provided by NSA/CIA turncoat Edward Snowden. The documents indicated that Sandia National Labs, a U.S. government research lab run by defense contractor Lockheed Martin, had been working on an Xcode compromise that would have produced results very similar to what Palo Alto Networks saw.

How similar?
At a CIA-sponsored computer-espionage conference in 2012, Sandia presented a talk entitled "Strawhorse: Attacking the MacOS and iOS Software Development Kit."

The synopsis of the presentation said that the "whacked" version of Xcode could "create a remote backdoor" in "MacOS" (sic) applications, "embed the developer's private key in all iOS applications" [i.e., a backdoor] and "force all iOS applications to send embedded data to a listening post." The synopsis also said Sandia had found a way to install keylogging software in OS X.

Was that Strawhorse program successful?
We don't know.

From: http://www.tomsguide.com/us/malware-iphone-app-store-faq,news-21613.html


http://si.wsj.net/public/resources/images/BN-KJ785_chack0_J_20150920072448.jpg

http://2.bp.blogspot.com/-NiS2mmJP8Js/U84g3aPzM-I/AAAAAAAAciA/nEiKHGxMY5Y/s728/ios-iphone-hacking-password-bypass.jpg

Bob
21st September 2015, 19:14
What is Xcode?

Xcode is an integrated development environment (IDE) containing a suite of software development tools developed by Apple for developing software for OS X and iOS.

First released in 2003, the latest stable release is version 7.0 and is available via the Mac App Store free of charge for OS X Yosemite users.

Registered developers can download preview releases and previous versions of the suite through the Apple Developer website.

However, Apple recently made a beta version of version 7.x of the software available to those of the public with Apple Developer accounts.

The Xcode suite also includes most of Apple's developer documentation, and built-in Interface Builder, an application used to construct graphical user interfaces.

6.x series
On June 2, 2014 at the World Wide Developers Conference, Apple announced version 6 of Xcode. Features include "Playgrounds", live debugging tools, as well as an entirely new programming language called Swift. Xcode 6 was released on September 17, 2014, at the same time as the release of iOS, and can now be downloaded on the Mac App Store.

From: http://www.exclusive-networks.com/threat-centre/threat-centre/

In summary, the malicious code that XcodeGhost embedded into infected iOS apps is capable of receiving commands from the attacker through the C2 server to perform the following actions:

Prompt a fake alert dialog to phish user credentials;
Hijack opening specific URLs based on their scheme, which could allow for exploitation of vulnerabilities in the iOS system or other iOS apps;
Read and write data in the user’s clipboard, which could be used to read the user’s password if that password is copied from a password management tool.
Additionally, according to one developer’s report, XcodeGhost has already launched phishing attacks to prompt a dialog asking victims to input their iCloud passwords.

Based on this new information, we believe XcodeGhost is a very harmful and dangerous malware that has bypassed Apple’s code review and made unprecedented attacks on the iOS ecosystem. The techniques used in this attack could be adopted by criminal and espionage focused groups to gain access to iOS devices.

Technical Details
XcodeGhost added code to some system APIs that are used by the infected apps. After the malware sends device and app information to its C2 servers, XcodeGhost will decrypt the content returned by the server and parse it as a piece of JSON formatted data.

Figure 1. XcodeGhost decrypts response JSON data

In the JSON data, XcodeGhost will look for these keys:

alertHeader
alertBody
appID
cancelTitle
confirmTitle

The malware uses the specified title and body texts to create a fake alert dialog box. Using this technique, XcodeGhost can be used to "phish" information from the user, or trick them into inputting sensitive data. For example, it can create a dialog that asks the victim to input their password. Since the dialog is a prompt from the running application, the victim may trust it and input a password without suspecting foul play.


XcodeGhost is the first compiler malware in OS X. Its malicious code is located in a Mach-O object file that was repackaged into some versions of Xcode installers. These malicious installers were then uploaded to Baidu's cloud file sharing service for use by Chinese iOS/OS X developers. Xcode is Apple's official tool for developing iOS or OS X apps and it is clear that some Chinese developers have downloaded these Trojanized packages.

XcodeGhost exploits Xcode’s default search paths for system frameworks, and has successfully infected multiple iOS apps created by infected developers. At least two iOS apps were submitted to App Store, successfully passed Apple’s code review, and were published for public download.

This is the sixth malware that has made it through to the official App Store after LBTM, InstaStock, FindAndCall, Jekyll and FakeTor.

XcodeGhost’s primary behavior in infected iOS apps is to collect information on the devices and upload that data to command and control (C2) servers. The malware has exposed a very interesting attack vector, targeting the compilers used to create legitimate Apps. This technique could also be adopted to attack enterprise iOS apps or OS X apps in much more dangerous ways.

Distributing the Malicious Xcode Build
In China (and in other places around the world), sometimes network speeds are very slow when downloading large files from Apple’s servers. As the standard Xcode installer is nearly 3GB, some Chinese developers choose to download the package from other sources or get copies from colleagues.

By searching for “Xcode 下载” (Xcode downloading) in Google, in the first page of the search results (Figure 1), we found that six months ago someone posted Xcode download links to multiple forums or websites (including Douban, SwiftMi, CocoaChina, OSChina, etc.) that Chinese iOS developers frequently visit.

Figure 1. Google search results for “Xcode downloading” in Chinese

These posts provided links to download all versions of Xcode from 6.0 to 7.0 (including beta versions). All of the links direct to Baidu Yunpan, a cloud based file storage and sharing service.
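The Technical Details above say the infected apps decrypt the C2 response and look for five JSON keys (alertHeader, alertBody, appID, cancelTitle, confirmTitle) to build the fake alert. As an added example, not code from the thread or from Palo Alto Networks, the script below shows how a defender could use that detail: it looks for those key names as C strings inside an app binary, and it parses a decrypted C2 response to see whether it would drive the phishing dialog. The key names are from the report; the assumption that they survive as NUL-terminated strings in the compiled Mach-O, the 4-of-5 hit threshold, and all the sample binaries and the sample C2 response are constructed for this example.

```python
"""
Added example (not from the thread or from Palo Alto Networks): a defender-side
scan for the XcodeGhost indicators described in the report.

Two checks are shown:
  1. Look for the five C2 JSON key names as C strings inside an app binary.
     The key names come from the report; the idea that they survive as
     NUL-terminated strings in the compiled Mach-O, and the 4-of-5 threshold,
     are assumptions made for this example.
  2. Parse a (constructed) decrypted C2 response and report whether it would
     drive the fake alert dialog the report describes.
"""
import json

# JSON keys XcodeGhost looks for in the decrypted C2 response (from the report).
XCODEGHOST_KEYS = ("alertHeader", "alertBody", "appID", "cancelTitle", "confirmTitle")

# Constructed stand-ins for app binaries; the leading bytes mimic a Mach-O magic
# number only so the samples look like binaries, nothing parses the header.
CLEAN_BINARY = b"\xcf\xfa\xed\xfe" + b"\x00" * 16 + b"UIAlertView\x00NSUserDefaults\x00appID\x00"
INFECTED_BINARY = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 16
    + b"UIAlertView\x00alertHeader\x00alertBody\x00appID\x00cancelTitle\x00confirmTitle\x00"
)

# Constructed example of what a decrypted C2 response driving the phishing
# dialog could look like; the values are illustrative only.
SAMPLE_C2_RESPONSE = json.dumps({
    "alertHeader": "iCloud",
    "alertBody": "Your session has expired. Enter your iCloud password to continue.",
    "appID": "com.example.victimapp",
    "cancelTitle": "Cancel",
    "confirmTitle": "OK",
}).encode()


def find_xcodeghost_keys(blob: bytes) -> list:
    """Return the XcodeGhost key names present in blob as NUL-terminated C strings."""
    return [key for key in XCODEGHOST_KEYS if key.encode() + b"\x00" in blob]


def is_suspicious(blob: bytes, min_hits: int = 4) -> bool:
    """Flag a binary when at least min_hits of the five keys appear together.

    'appID' alone is a common name in clean apps, so a single hit is not enough;
    the 4-of-5 threshold is an assumption of this example, not from the report.
    """
    return len(find_xcodeghost_keys(blob)) >= min_hits


def describe_c2_response(decrypted: bytes) -> dict:
    """Parse a decrypted C2 response and say whether it carries a fake-alert payload."""
    data = json.loads(decrypted)
    present = {key: data[key] for key in XCODEGHOST_KEYS if key in data}
    return {
        "keys": sorted(present),
        # The report says the malware builds the alert from the header and body texts.
        "would_show_dialog": "alertHeader" in present and "alertBody" in present,
        "dialog": present,
    }


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_BINARY), ("infected", INFECTED_BINARY)):
        verdict = "suspicious" if is_suspicious(blob) else "ok"
        print(name, find_xcodeghost_keys(blob), verdict)
    print(describe_c2_response(SAMPLE_C2_RESPONSE))
```

On a real device backup or extracted IPA you would feed the app's Mach-O executable to `find_xcodeghost_keys` instead of the constructed bytes; a hit on most of the five names together is a reason to pull the app and re-download a clean build, which is what Apple's advice in the thread amounts to. The string check is a cheap triage step, not proof, since a clean app could legitimately use some of these names.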

avid
21st September 2015, 20:46
I had an Apple message saying I had been on FaceTime after I had gone to bed! There is me and my daft Atom cat, who is certainly not going to do any 'pawsing' in the night, so what happened? Better change passwords again - 3rd time this week. The iPad just switched software, and keypad to lower case, with better features. Hopefully the illiterate will benefit to read upper and lower case simultaneously, something primary schooling should have conquered!

Bob
21st September 2015, 21:53
Another list of infected APPS - http://www.cultofmac.com/389693/xcodeghost-hack-delete-these-infected-ios-apps-immediately/


WeChat
Didi Chuxing
Angry Birds 2
NetEase
Micro Channel
IFlyTek input
Railway 12306
The Kitchen
Card Safe
CITIC Bank move card space
China Unicom Mobile Office
High German map
Jane book
Eyes Wide
Lifesmart
Mara Mara
Medicine to force
Himalayan
Pocket billing
Flush
Quick asked the doctor
Lazy weekend
Microblogging camera
Watercress reading
CamScanner
CamCard
SegmentFault
Stocks open class
Hot stock market
Three new board
The driver drops
OPlayer
Mercury
WinZip
Musical.ly
PDFReader
Perfect365
PDFReader Free
WhiteTile
IHexin
WinZip Standard
MoreLikers2
CamScanner Lite
MobileTicket
iVMS-4500
OPlayer Lite
QYER
golfsense
Ting
Golfsensehd
Wallpapers10000
CSMBP-AppStore
MSL108
TinyDeal.com
snapgrab copy
iOBD2
PocketScanner
CuteCUT
AmHexinForPad
SuperJewelsQuest2
air2
InstaFollower
CamScanner Pro
baba
WeLoop
DataMonitor
MSL070
nice dev
immtdchs
OPlayer
FlappyCircle
BiaoQingBao
SaveSnap
Guitar Master
jin
WinZip Sector
Quick Save


Source: Palo Alto Networks (http://researchcenter.paloaltonetworks.com/unit42/) - "Unit 42"


Amazon has also taken action, including shutting down all C2 servers on Amazon Web Services that XcodeGhost was seen to have used to upload private information and dispatch control commands.

Baidu has removed all malicious Xcode installers from its cloud file sharing service, making it much harder for a developer to download an infected Xcode unintentionally.

As of this writing, on Monday, September 21, we noticed that there are still some previously known infected iOS apps available in the App Store, among them China Unicom Mobile Office version 3.2 (Figure 2).

http://researchcenter.paloaltonetworks.com/wp-content/uploads/2015/09/xcode-2-500x344.png

More Infected Apps Disclosed

In the last few days, other security companies claimed many more iOS apps being infected by XcodeGhost.

For example, Qihoo 360 listed 344 infected apps in their blog. Pangu Team claimed detection of 3,418 different iOS apps being infected. Pangu Team also released an iOS app to detect the trojanized iOS apps they’ve found.

Links:
http://bobao.360.cn/news/detail/2088.html - Qihoo 360

Bob
22nd September 2015, 00:17
Angry Birds 2 infected?

From Rovio's (developer's) website (http://www.rovio.com/en/news/blog/704/is-angry-birds-2-infected-with-malware) -

Yes indeedee.. the Chinese builds..


21.09.2015

It has come to Rovio’s attention that many iOS apps on Chinese-language App Stores have been made vulnerable to a malware attack.

The Chinese build of Angry Birds 2, which is available only on the App Store in Mainland China, Taiwan, Hong Kong and Macau, is one of the apps made vulnerable.

All other builds of Angry Birds 2 available in other countries are completely safe and secure.

An update of Angry Birds 2 that fixes the issue for users of the Chinese edition is coming very shortly.


https://scontent-lax3-1.xx.fbcdn.net/hphotos-xft1/v/t1.0-9/12039631_10153820513529928_689548661334698630_n.jpg?oh=4b1dde5e196d308ae8646c44e989ffbf&oe=569F5637