Malware dubbed XcodeGhost was found to be embedded in hundreds of iPhone and iPad apps, although it is unclear if it has proved to be a serious security threat.
Hackers embedded the code into apps through a modified version of Apple’s Xcode development tool. The tainted version was distributed from a server in China, which promised faster downloads than Apple’s US servers.
Apple marketing chief Phil Schiller told Chinese news site Sina that the company will offer domestic downloads of Xcode within China in hopes of preventing further attacks.
The number of apps affected is uncertain, with some reports putting the number in the thousands. But it was also suggested that the malware behaved more like adware than a genuine security threat.
Chinese security firm Qihoo360 Technology found that affected apps included versions of car-hailing app Didi Kuaidi and Tencent’s popular messaging app WeChat.
A statement by Tencent said that there was “no theft and leakage of users’ information or money, but the WeChat team will continue to closely monitor the situation”.
Bitdefender spokesperson Andrei Taflan told Mobile World Live the infection “is the first large-scale incident to ever make it through the Apple walled garden.”
Human error, in the form of developers running tools downloaded from third parties, paired with a lack of proactive countermeasures – in-depth review upon approval and advanced anti-malware on users’ terminals – was at the core.
He also said that for years, Apple users dismissed the idea of third-party security solutions, “claiming that the iOS ecosystem is so well designed that they are practically immune to threats”.
However, he warned that iOS is the second largest mobile operating system in the world and hackers are constantly improving their tactics.
Commenting on why it has a security solution for Android but not for iOS, Taflan said “Apple is too restrictive as the owner of its ecosystem in order to properly develop a security solution that will do something for real”.
“Since a third party developer is not able to perform static and dynamic analysis of the apps available in the store, we cannot speak about effective protection.”
Radu Dumitru, director of product management at Bitdefender, explained that while Apple “does a better job than Google” when it comes to curating apps, it is entirely possible for hackers to infect an app once it has cleared Apple’s checks, because Apple does not have access to the source code.
And adware is not without its problems. Bitdefender’s Taflan explained that there are two issues.
Firstly, it collects a lot of user details and sends them to a third-party server which may not be properly secured and encrypted.
Secondly, adware kits are developed, used and managed by different entities and it is very easy “to use an adware platform to launch a phishing campaign or other attack”.
Dumitru added that, in order to keep apps free, users are tempted to agree to let adware collect personal details, which complicates the situation because it leaves security firms’ hands tied.