Hackers pulled off an unprecedented feat, lulling unwitting developers into loading thousands of iOS apps with adware, security experts said Friday.
"This is the first instance that I can recall," said Raymond Wei, senior director of mobile development at FireEye, a Milpitas, Calif. network security firm, when asked whether a top-tier app system had ever been infected through first-party development tools.
Wei was referring to the hacking campaign, dubbed "XcodeGhost" by a Chinese researcher, that took a very unusual approach to getting malicious code into iOS apps distributed via Apple's App Store. Rather than inject attack code into a single app, then try to get that past Apple's automated and human reviewers, the XcodeGhost hackers instead infected Xcode, Apple's integrated suite of software development tools for crafting apps and applications for iOS and OS X.
Xcode is available free of charge from the Cupertino, Calif. company's Mac App Store.
But the XcodeGhost gang did not infect that version of the development suite.
Instead, it modified a legitimate copy, seeded the counterfeit on a popular Chinese file-sharing service and promoted its fake Xcode as not only the real deal, but also available much faster from within China because of the service's speed advantage over trans-Pacific links to the official Apple site.
Chinese iOS developers took the bait -- hook, line and sinker. But by using the infected Xcode they unknowingly infected the apps they created with the bootleg.
When asked the same question about XcodeGhost's uniqueness, Domingo Guerra, co-founder and president of Appthority, a San Francisco-based mobile risk management vendor, agreed with Wei. However, Guerra pointed to something akin to XcodeGhost. "A year and a half ago, we saw a vulnerability in an ad network's SDK [software development kit]," he said without naming names. The vulnerability was exploited to craft ads that answered to hackers' command-and-control network.
Apple was not able to detect that the apps were, in fact, infected by XcodeGhost. "The malformed code was injected by the compiler," said Wei. "There was no baseline [hash] for Apple to compare, so it couldn't know that they were infected."
The number of apps afflicted with XcodeGhost has been in dispute. Wei said that FireEye had identified more than 4,000 before Apple began pulling them earlier this week. Guerra, on the other hand, cited a very specific 477 that Appthority found on the App Store. Other security researchers and vendors tossed out numbers of all kinds.
Apple has not disclosed the number of affected apps, but has listed the top 25 most popular apps that were infected, and claimed that beyond that list, "The number of impacted users drops significantly."