Is it enough to infect 100 million Apple users? XcodeGhost author wants to infect all phones

On the second day of intense media attention to XcodeGhost, XcodeGhost-Author, who claimed to be the author of the virus, posted a clarification on Weibo saying that "XcodeGhost originated from my own experiments and did not have any threatening behavior", trying to show that he had not used the collected user data anywhere and that it would cause no harm.

Less than three days after the clarification statement was issued on September 19, Pangu, a domestic mobile Internet security research team, posted on Weibo that "there is evidence that some game engine download addresses have also been infected with viruses, such as Unity and cocos2dx, and the Android versions of these engines have also been infected with viruses. The same means and the same black production team."

How should this sentence be understood? Roughly, the probability that your mobile phone is not infected with a virus is "lower than the Mark Six lottery."

XcodeGhost Incident Season 2: No One Survived

Unity is a multi-platform comprehensive game development tool developed by Unity Technologies that allows players to easily create interactive content such as 3D video games, architectural visualization, real-time 3D animation, etc. It is a fully integrated professional game engine.

The Unity screen that appears before many games may rarely attract your attention, but as a convenient game development tool, Unity is widely used in web, mobile, and stand-alone game development, especially mobile phones - "Temple Run", "Monument Valley", and "Hearthstone" are all developed using Unity.

Yesterday, Baidu Security Lab confirmed a "Unity-4.X infected sample" whose logical behavior is consistent with XcodeGhost, except that the domain name to which user data is uploaded has changed to init.icloud-diagnostics.com. This shows that any app built with an infected copy of Unity carries the same malicious behaviors, such as stealing private data and pushing advertisements.

This virus was named "UnityGhost" by the Alibaba Mobile Security Team that tracked and studied it. Its functions are consistent with those of "XcodeGhost": it can make the infected app pop up arbitrary fraudulent messages (such as a rent payment prompt), push prompts to download and install apps, jump to phishing pages (fake pages that trick users into entering sensitive personal information such as credit card numbers), and automatically open the App Store to display the download page of a target app.

CoderFun, who is considered to be the author of XcodeGhost, quickly edited the Unity download link and other content he had published in July within a few minutes after the "UnityGhost" related information was released. The statement that "it was just an experiment" no longer seems to be self-consistent.

Cocos2d-x is an open source mobile 2D game framework. Projects built with it can easily run on mobile operating systems such as iOS, Android, and Blackberry. It also supports desktop operating systems such as Windows, Mac, and Linux. There are reports that the framework has also been infected, and more similar viruses are being discovered.

There is news that "XcodeGhost's author may have participated in the construction of other PC Trojans." TrojanSpy can steal PC system configuration, currently running processes, certain financial website account passwords, browsing history, keystroke logs and other sensitive information and send them to a remote server. TrojanSpy and XcodeGhost use the same IP address.

The past will never pass away, this is the Internet

Yesterday, Apple claimed that it had removed all apps infected with the XcodeGhost virus. The exposure of UnityGhost has also affected game apps. To be on the safe side, please delete the relevant versions of apps and games immediately. Whether you are an Android or iOS user, it is recommended to delete all related games until you can determine which ones are infected.

Because, "Although the virus author claims that he did not engage in any advertising or fraudulent activities, it does not mean that others will not engage in these malicious activities on his behalf."

"Although the XcodeGhost author's server is shut down, the infected apps are still there." If users continue to use these infected apps, the apps will continue to send requests to the servers (such as init.icloud-analysis.com, init.icloud-diagnostics.com, etc.). As long as hackers use DNS hijacking or DNS pollution to make their own server answer as "init.icloud-analysis.com", they can successfully control these infected apps. Similarly, the data sent by UnityGhost can still be intercepted by others for malicious use.
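
Because infected apps keep looking up these names, resolver logs show which devices still run them, and whether anything is answering for the names again. The following is an added example, not part of the original article: the log format, field order and sample lines are constructed assumptions, and only the two host names come from the text above.

```python
from collections import defaultdict

# The two hosts named in the article; extend from your own threat intel.
GHOST_HOSTS = {"init.icloud-analysis.com", "init.icloud-diagnostics.com"}

# Constructed sample log, assumed format: <time> <client-ip> <qname> <rcode> <answer|->
SAMPLE_LOG = """\
10:00:01 10.0.0.21 init.icloud-analysis.com. NXDOMAIN -
10:00:05 10.0.0.21 www.apple.com NOERROR 203.0.113.10
10:01:12 10.0.0.34 INIT.iCloud-Diagnostics.com NOERROR 198.51.100.7
10:02:40 10.0.0.55 init.icloud-analysis.com.example.net NOERROR 192.0.2.9
malformed line
"""

def normalize(qname):
    """Lower-case and drop the trailing root dot so the match is exact."""
    return qname.rstrip(".").lower()

def scan(log_text):
    """Return {client_ip: [(time, host, status), ...]} for lookups of the listed hosts."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines instead of failing the whole scan
        when, client, qname, rcode, answer = fields
        host = normalize(qname)
        if host not in GHOST_HOSTS:
            continue  # exact match only: look-alike suffixes are not flagged
        # An address in the answer means something is serving the name again.
        answered = rcode == "NOERROR" and answer != "-"
        status = "answered:" + answer if answered else "unanswered"
        hits[client].append((when, host, status))
    return dict(hits)

def answered_clients(hits):
    """Clients whose lookup got an address back: investigate these first."""
    return sorted(c for c, events in hits.items()
                  if any(s.startswith("answered:") for _, _, s in events))

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for client, events in sorted(found.items()):
        for when, host, status in events:
            print(client, when, host, status)
    print("answered:", answered_clients(found))
```

Every client in the result still has an infected app installed; a client in the answered list reached a server that now responds under one of these names, which is the situation the paragraph above describes.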

As an iPhone user, you need to know what is stored in iCloud. For important systems, use a separate password for each site and change it regularly. Keep the credit limit of the credit card bound for payment at an appropriate level, and keep only an appropriate amount of cash on the savings card, to guard against unexpected situations such as losing money. The most important thing is to turn on Apple's "Apple ID two-step verification". Even if the password is really stolen, it is difficult to steal the data.

Partial list of XcodeGhost infections

The infection of Unity will also affect Android users who gloated over the XcodeGhost incident. Almost all mobile phone users will not be spared from this incident.

At this point, whether you are a developer or an ordinary user, I would like to say it three times because it is important.

Please do not trust any unofficial download channels!

Please do not trust any unofficial download channels!

Please do not trust any unofficial download channels!

Here’s how to enable “Apple ID Two-Step Verification”.
