There is something fishy in the XCode compiler – 51CTO analyzes the “Apple APP poisoning incident”

A virus hidden in the Xcode compiler turns up just as the newly released iOS 9 celebrates its debut.

This is not the first time Apple has been hit, but if you search Baidu for "Can Apple be infected with viruses?", the vast majority of answers are: not unless you jailbreak. Indeed, last year's much-discussed WireLurker infected only 300,000 users, a negligible number against the tens of millions of Apple users in China. This time, the situation is far more serious.

On the morning of September 17, Weibo user @JoeyBlue_ revealed that applications compiled by developers with an Xcode downloaded from an unofficial channel had third-party code injected into them and would upload data to a website.

A 51CTO reporter learned from Wuyun Knowledge Base author Zhengmi at *** time that the injected virus sample, "XcodeGhost", had been analyzed and that the analysis confirmed the above statement. The virus collects basic application and system information, including time, bundle id (package name), application name, system version, language and country, and uploads it to init.icloud-analysis.com (a domain the virus author registered to collect the data).

Subsequently, on the morning of the 18th, the Silicon Valley security company Palo Alto, tracking the incident, discovered that the well-known domestic application NetEase Cloud Music was infected. The latest version currently on the App Store, NetEase Cloud Music v2.8.3, carries the virus and uploads the phone's private information to the virus author's server (Palo Alto also found further domains used for collecting data).

The problem is that there are many steps in the chain from developing an app to its landing on a user's phone. So how did a virus hidden in the Xcode compiler pass every one of those checks?

Unhindered virus

As mentioned above, the virus was hidden in an Xcode compiler downloaded from a third party, which led to the disaster. Wang Biao, a Wuyun white hat, told reporters: "Because of a poor user experience, such as insufficient network optimization, many developers find that downloading the official tools from the Mac App Store is much slower than from network disks or Xunlei, so they choose to download from third parties."

However, once an app is developed, a security check should in theory follow. For this virus, a simple check of the app's outbound data traffic, confirming that the data it sends goes back only to your own servers, would have been enough to reveal it.

Wang Biao said: "Especially when it comes to sensitive user data and payment services, it is a very serious matter if losses are caused to users due to negligence."

In addition, unlike websites, apps are costly to update, and most apps keep supporting old versions. If security testing is not done properly before launch, the damage to users is inevitably large and long-lasting.

Then again, the App Store's review is extremely strict, which is why its apps are considered much safer and better regulated than those in third-party Android app stores. So why did this virus fool the App Store as well?

Wang Biao analyzed: "Because this virus collects information such as time, bundle id (package name), application name, system version, language and country, no sensitive user information has been seen so far, and some domestic apps collect the same information, Apple may have been negligent and allowed the virus to take advantage of the situation."

The long-hanging sword of Damocles

At this point, the situation is roughly clear: every step from development to launch happened to be exploited by the virus. Of course, information security is not a problem that appeared in a day or two; it hangs like a sword of Damocles over the heads of users and apps alike. Fortunately, Wang Biao told reporters that the virus hidden in the Xcode compiler has not yet been seen collecting sensitive user information, so everyone can rest assured. Even so, Apple users are advised to turn on iCloud two-step verification and to strengthen their own safe usage habits.

Safety issues are always on the lips but never on the agenda.

Attached is the inspection method (from Wuyun)

A malicious Xcode contains the following file: "/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/Library/Frameworks/CoreServices.framework/CoreService". The SDK directory of a normal Xcode has no Library directory at all (from @JoeyBlue_).

Secondly, you should also check the project's settings under Target -> Build Settings -> Search Paths -> Framework Search Paths to see whether any suspicious frameworks have been mixed in (from Zhengmi).
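The two inspection steps above, scripted as an added example that is not part of the article or of Wuyun's advice. The script takes the Xcode.app path and a project.pbxproj path as arguments; the allow-list of $(inherited), $(SRCROOT), $(PROJECT_DIR) and $(SDKROOT) as the only expected prefixes of a framework search path is my assumption about what a normal project needs.

```shell
#!/bin/sh
# Added example, not from the 51CTO article or Wuyun: automates the two
# inspection steps for a given Xcode.app path and project.pbxproj.

# Path of the rogue framework binary inside Xcode.app, as given in the article.
GHOST_REL_PATH="Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/Library/Frameworks/CoreServices.framework/CoreService"

# Step 1: returns 0 when neither the rogue CoreService binary nor the
# SDKs/Library directory (absent from a genuine Xcode) exists.
check_xcode_install() {
    xcode_app="$1"
    sdk_dir="$xcode_app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs"
    status=0
    if [ -e "$xcode_app/$GHOST_REL_PATH" ]; then
        echo "INFECTED: $xcode_app/$GHOST_REL_PATH"
        status=1
    fi
    if [ -d "$sdk_dir/Library" ]; then
        echo "SUSPICIOUS: unexpected directory $sdk_dir/Library"
        status=1
    fi
    return "$status"
}

# Step 2: lists FRAMEWORK_SEARCH_PATHS entries in project.pbxproj that do not
# start with a standard build variable (assumed allow-list), i.e. frameworks
# pulled in from outside the project tree. Handles the single-value and the
# list form of the setting. Returns 0 when every entry is accounted for.
check_framework_search_paths() {
    awk '
        function check(raw,   e) {
            e = raw
            gsub(/^[ \t"]+|[";, \t]+$/, "", e)   # strip indentation, quotes, delimiters
            if (e == "") return
            if (e !~ /^\$\((inherited|SRCROOT|PROJECT_DIR|SDKROOT)\)/) {
                print "SUSPICIOUS framework search path: " e
                bad = 1
            }
        }
        /FRAMEWORK_SEARCH_PATHS *= *\(/ { inlist = 1; next }   # start of list form
        /FRAMEWORK_SEARCH_PATHS *=/     { sub(/.*= */, ""); check($0); next }
        inlist && /^[ \t]*\);/          { inlist = 0; next }   # end of list form
        inlist                          { check($0) }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Usage: sh check_xcodeghost.sh /Applications/Xcode.app [path/to/project.pbxproj]
if [ "$#" -ge 1 ]; then
    check_xcode_install "$1"
    if [ "$#" -ge 2 ]; then check_framework_search_paths "$2"; fi
fi
```

A non-zero exit from either function means the Xcode copy or the project deserves a closer look before it is used to ship a build.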
