Recently, the iPhone versions of many well-known social, map and travel apps were found to contain "malicious code". One of the main reasons the "XcodeGhost" incident has drawn so much attention is the sheer number of users affected. After the incident was exposed, several mobile security companies published their own lists of affected apps; the list from the 360 Nirvana team was the longest. The Nirvana team said that after scanning 145,000 apps it found 344 infected with the malicious program, including popular apps such as WeChat, 12306, AutoNavi Maps (Amap) and Didi Taxi. According to a report released by the Tencent Security Emergency Response Center, a conservative estimate puts the number of affected users above 100 million. This may be the security incident involving the largest number of users since the launch of Apple's App Store.

So far, several well-known apps, including WeChat, Amap, Didi Taxi and NetEase Cloud Music, have acknowledged being affected by "XcodeGhost". Their statements also say that the incident poses no threat to the security of user information, and they have released new versions with the malicious code removed, which users can obtain by upgrading. The WeChat team, for example, said in a public statement: "This problem exists only in WeChat for iOS version 6.2.5. The latest version of WeChat has resolved it, and users can fix it by upgrading. The problem will not directly affect users. So far no user has been found to have suffered a direct loss of information or property because of it, but the WeChat team will continue to pay attention and monitor." Of the many apps involved, however, only a few have disclosed anything.

Lin Wei, head of the 360 Security Lab, said that the development teams behind some smaller apps may not have upgraded in time, and that it cannot be ruled out that some developers do not even know their apps were compromised. "We are also doing our best to discover and notify users and developers," Lin Wei said.

Source: Trojan code embedded in the development tool

On the Android platform users are accustomed to outbreaks of security problems of every kind, while Apple's iOS has always been considered quite safe because Apple reviews its apps strictly. This time, however, even Apple users who had never worried about the security of their phones were taken aback: "How can apps downloaded from Apple be infected too?" The sense that their phones were suddenly unprotected left many iPhone users anxious.

"This is destined to become a landmark event in the history of mobile security," one mobile security expert commented, calling it the largest security incident in the mobile phone industry to date; more than 100 million affected users is indeed a chilling figure. Moreover, this kind of attack, in which hackers embed Trojan code directly at the source, in the iOS development tools, is a first for China. Once this door is opened the risks are self-evident, and similar attacks will draw more of the black-market industry chain to follow suit.

According to Han Zhengguang, founder of the Pangu jailbreak team, the idea of poisoning the source was proposed long ago. Ken Thompson, the father of UNIX, described a similar hypothetical in a lecture, and the materials leaked by Snowden also mention the case of a contaminated Xcode. What is new is that this is the first time such an attack has spread on a large scale, which sets it apart from those special-purpose methods.

Lin Wei said that Apple does not allow users to run third-party security software. People may previously have thought this did not matter, but this incident shows that the protection offered by security companies is more professional than what the phone makers build themselves. He believes the ideal outcome would be for Apple to open iOS to third-party security software, so that iPhone users who do not jailbreak can also receive more professional and reliable protection.

Apple has sent removal notices to the developers of the affected apps, requiring them to download Xcode from official channels, rebuild their applications and resubmit them.

Progress: the identity of the virus author has been identified

Shortly after the incident broke, the Sina Weibo user @XcodeGhost-Author, who claimed to be the originator of "XcodeGhost", posted an apology letter online. He said XcodeGhost began as an experiment he conducted himself, and that all the data obtained was basic app information: application name, application version number, system version number, language, country name, developer identifier, app installation time, device name and device type, with no other data collected. He also admitted that, out of self-interest, he had added an advertising function to the code, hoping to promote his own applications later, but that from the beginning until the server was finally shut down he never used it. Ten days earlier, he said, he had shut down the server on his own initiative and deleted all the data, so it would have no effect on anyone. "XcodeGhost will not affect the use of any app, nor will it obtain private data. It is just dead code," said the person who has caused so much trouble for so many people. This understatement, however, has been questioned by many in the security industry.

Lin Wei said that the 360 team had tracked the group's behaviour and found that, half a year ago, someone began posting Xcode download links on a large number of iOS development forums, and even compromised a forum moderator's account to alter a download link. All of these links pointed to the same file on a file-hosting service. A campaign on that scale cannot be explained away as an experiment. Network engineers on Weibo also did the arithmetic: collecting user information at this volume costs four or five hundred thousand dollars a month for overseas servers alone. "Is this really the personal experiment of a poor developer?" Han Zhengguang likewise believes this kind of attack demands a very high level of technical skill from its author, well beyond what an ordinary person could manage. Judging from the sequence of actions, it is unlikely to be the work of one person; it should be a team operating it, and there is probably a link to the black-market industry chain behind it.

360 told the reporter that it has essentially identified the virus author by technical means, has reported the case to the police and is cooperating with the investigation. 360 staff said, however, that no further details about the author's identity can be released before the police close the case. According to information the reporter obtained from several sources, the author is not a single person; one of the main members was a graduate student admitted by recommendation to a well-known domestic university, but has since dropped out.

Recommendation: users should change their passwords regularly

However the hackers succeeded, what matters most to ordinary users is whether their phones are safe. "WeChat, Didi Taxi, 12306: I have all of these installed and I have made payments through them. Is there any risk? Could my linked credit card be stolen?" Many users are eager to know.

Judging from the response of the self-described "virus developer", the data collected by "XcodeGhost" does not involve sensitive or critical information. There is no evidence that "XcodeGhost" profited illegally from the user information it collected, and no reports of user losses have been received. From that perspective, iPhone users with an affected app installed need not be overly nervous.

Han Zhengguang, however, believes that although the malware has not yet caused damage, it could pose more serious threats. It is like a skilled thief who pries open a well-guarded door and enters a house: this time he only left a few "small advertisements" and went away, but in future he could come in and take all the valuables. "It is also possible that the house has already been robbed and the owner has not yet noticed." Han Zhengguang suggested that users with affected apps installed should, for apps they use frequently, stop using them until the developer releases a new version, and for apps they rarely use, simply uninstall them. He also suggested that, although there have been no cases of loss, there is a real risk that key personal information has leaked, so users should change the important passwords on their phones. Security incident or not, changing passwords regularly is a good habit.

Developers should ensure that the development environment is secure

The big difference between "XcodeGhost" and earlier security incidents is that users had no way to prevent it at the outset; Apple's own app developers became the key link in the chain of transmission. The virus author contaminated the Xcode tool, but had developers downloaded Xcode only from official channels, the current situation would not have arisen.

Some iOS developers said that downloading Xcode from channels other than Apple's official one is actually common practice in the industry. Because the official download is so slow, many programmers use domestic download tools to save time, and that is what gave the "XcodeGhost" virus its opening.

Cheetah Mobile said the incident is a wake-up call for programmers: to be safe, first make sure the development tools themselves are secure. Programmers have been targeted by hackers many times before, so it is recommended to write software only with genuine development tools that have not been tampered with, so that users do not become victims. Second, the security of the build and release environment deserves attention: build servers and automated release servers should be kept clean, and suspicious software from unknown sources should not be installed on them.

Security industry insiders said the incident also sounds an alarm for Apple about its security mechanisms, making Apple aware of the gaps in them. They expect Apple to address the fallout from this incident and become more stringent in its security reviews.
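The advice above to build only with genuine, untampered tools raises the practical question of how a developer tells a genuine Xcode from a tampered one. The script below is an added example, not code from the article or from any company it quotes. It wraps spctl(8), the tool Apple pointed developers to for validating Xcode after this incident, and codesign(1), and applies the rule a practitioner actually needs: the assessment must say "accepted" AND the signing source must be one Apple controls, because a bundle re-signed with an ordinary Developer ID certificate is also "accepted". The decision rule lives in its own function so it can be exercised on captured text without a Mac; the default Xcode path, the function names and the hand-written sample verdicts are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the article or from any vendor it quotes.
# Checks that an installed Xcode is the genuine Apple-signed build before it
# is trusted for a release build. It wraps spctl(8), the tool Apple pointed
# developers to after XcodeGhost, and codesign(1). The decision rule is kept
# in a function that works on captured text so it can be exercised anywhere.

# Return 0 only when the assessment text says "accepted" AND the signing
# source is one Apple itself controls. "accepted" alone is not enough: a
# bundle re-signed with a Developer ID certificate is also "accepted".
spctl_result_ok() {
    # $1: text captured from `spctl --assess --verbose <path>`
    printf '%s\n' "$1" | grep -q ': accepted$' || return 1
    source_line=$(printf '%s\n' "$1" | grep '^source=' | head -n 1)
    case "$source_line" in
        'source=Mac App Store'|'source=Apple'|'source=Apple System') return 0 ;;
        *) return 1 ;;
    esac
}

# Full check against a real Xcode bundle (macOS only). The default path is an
# assumption; pass another path as the first argument if Xcode lives elsewhere.
check_xcode() {
    app="${1:-/Applications/Xcode.app}"
    # 2>&1 because spctl writes its verdict to stderr on some releases.
    out=$(spctl --assess --verbose "$app" 2>&1)
    if ! spctl_result_ok "$out"; then
        printf 'FAIL: %s is not an Apple-signed Xcode:\n%s\n' "$app" "$out" >&2
        return 1
    fi
    # --deep also verifies nested code (SDK frameworks, plug-ins, toolchain
    # binaries); --strict rejects resources added or altered after signing.
    if ! codesign --verify --deep --strict "$app" 2>&1; then
        printf 'FAIL: %s fails deep signature verification\n' "$app" >&2
        return 1
    fi
    printf 'OK: %s is signed by Apple and intact\n' "$app"
}

# Exercise the decision rule on constructed spctl outputs (no macOS needed).
# Each case is the verdict text an spctl run would print, written by hand.
selftest() {
    ok1='/Applications/Xcode.app: accepted
source=Mac App Store'
    ok2='/Applications/Xcode.app: accepted
source=Apple System'
    bad1='/Applications/Xcode.app: accepted
source=Developer ID'
    bad2='/Applications/Xcode.app: rejected
source=no usable signature'
    spctl_result_ok "$ok1"  || return 1
    spctl_result_ok "$ok2"  || return 1
    spctl_result_ok "$bad1" && return 1
    spctl_result_ok "$bad2" && return 1
    echo "selftest: decision rule classifies all 4 constructed verdicts correctly"
}

if [ "$(uname -s 2>/dev/null)" = Darwin ]; then
    check_xcode "$@"
else
    selftest
fi
```

On a Mac, run it as `sh check_xcode.sh /Applications/Xcode.app`; on any other system it only runs the self-test of the decision rule. Two caveats: `codesign --verify --deep --strict` over a full Xcode install takes several minutes, and a passing result proves only that the bundle on disk is Apple-signed and unmodified now. It says nothing about apps already built with a bad copy, which still have to be rebuilt and resubmitted as Apple required.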