
9/21/2015
06:55 PM

XcodeGhost: Another Crack In Apple's Circle of Trust

On the heels of KeyRaider's attack on jailbroken iPhones, attackers show they can hit non-broken devices too, sneaking 39 weaponized apps onto the official App Store and around Apple's best efforts to lock down its developer environment.

Although Apple's closed development environment has largely succeeded in keeping the App Store relatively free of malicious Mac and iOS apps, Apple's borders have begun to show some weak spots. XcodeGhost, detailed by Palo Alto Networks, is the most recent example, and the most critical.

XcodeGhost is a Trojanized version of Apple's application development software, Xcode. Attackers uploaded it to Chinese cloud storage service Baidu Yunpan -- a regional, third-party alternative to the Apple Store where download times are shorter for iOS and Mac developers in China. Innocent app developers then used XcodeGhost to write apps and upload them to the App Store, never knowing that those apps were malicious.

In this way, 39 iOS apps were weaponized, including WeChat, one of the most popular instant messaging applications in the world, thus impacting hundreds of millions of users worldwide, according to Palo Alto. It also infected banking, stock trading, gaming, and other apps.


The malware payload itself uploads device and app information to the command-and-control (C2) server. It can receive commands from the C2 server that issue fake alert messages to social engineer users into entering credentials, "hijack opening specific URLs based on their scheme, which could allow for exploitation of vulnerabilities in the iOS system or other iOS apps," and "read and write data in the user's clipboard, which could be used to read the user's password if that password is copied from a password management tool." It has also been seen phishing for users' iCloud passwords.

Yet it's not XcodeGhost's payload that security experts find interesting; it's what it means for the security of the Apple development environment.

"One very interesting aspect of this incident is that the developers of the apps had no knowledge that their own code was being used to carry malware," says Chris Wysopal, CTO and CISO of Veracode. "It was the modified development environment, Xcode, that introduced the payload."

Last month at the Black Hat conference, Synack researcher Patrick Wardle unveiled exploits that circumvent Gatekeeper, Apple's mechanism for preventing unsigned code from running on iOS and Mac. Yet, that was a proof-of-concept exploit by a researcher, not an attack in the wild.

Just three weeks ago, a new family of iOS malware, KeyRaider, stole 225,000 legitimate Apple accounts. Yet, Apple's official verification process remained relatively unscathed, because KeyRaider only affected devices that have been jailbroken.

Conversely, XcodeGhost is in the wild and it affects supported iOS devices, not just jailbroken ones.

The XcodeGhost attackers found weaknesses in the Apple verification system. First, they took advantage of the fact that some app developers do not use the official App Store to download Xcode.

"Due to internet restrictions and longer download times, people in China are used to using local services" like Baidu Yunpan, says Lancope vice president of threat intelligence Gavin Reid. "This should be a wakeup call for software developers to really pay attention to their source materials. Mostly US and European developers download Xcode directly from Apple, making a repeat of the same problem unlikely."

Using a regional service to download Xcode is just one of several risky behaviors app developers regularly engage in, according to Tod Beardsley, security research manager at Rapid7. "The success of XcodeGhost illustrates that skipping certificate checks and acquiring untrusted software," by disabling or bypassing Apple's Gatekeeper code-signing validation tool, "is a fairly normal practice, even for established software companies with millions of users," he says.

"The important thing to stress is that these behaviors don't usually lead to major compromises of developer security," says Beardsley. "Most of the time, this risky behavior doesn't end up causing any harm at all. Skipping certificate checks is a lot like jaywalking; most of the time, everything turns out fine. It's not that developers are dumb and don't know the risks; they simply consider the risk extremely unlikely, and if it's slightly more convenient to ignore one or two security best practices, they will proceed accordingly."

Wysopal says this case shows that developers need to start paying more attention to security. "Analyzing the compiled code for vulnerabilities and malware using technologies such as binary static assessment and behavioral analysis to detect if malware has been injected between development and distribution should be mandatory before apps are ever published," he says.

Paco Hope, Software Security Consultant at Cigital, says the process needs to begin earlier. "Analyzing binaries after they are built or penetration testing web and cloud apps after they are deployed provides limited assurance against vulnerabilities that are egregious and obvious," he says. "Secure software begins earlier, like when it is designed and developed. And there are no silver bullets—no tools that simply take care of the problem so that the people don't need to do it themselves. It is important to incorporate security throughout the development process, right down to the provenance and selection of the development toolchain itself."

Of course, attackers didn't actually need to involve third-party app developers at all. As Palo Alto reported:

XcodeGhost disclosed a very easy way to Trojanize apps built with Xcode. In fact, attackers do not need to trick developers into downloading untrusted Xcode packages, but can write an OS X malware that directly drops a malicious object file in the Xcode directory without any special permission.
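As an added illustration (not from the article, Palo Alto's report, or any Apple tooling), the change-detection check below records a hash manifest of a toolchain directory at install time and later reports files that were added, removed, or altered, which is how a dropped object file of the kind described above would surface. The Xcode.app paths, the file contents, and the tampering are a constructed fixture in a temporary directory.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_path: sha256} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def compare(baseline, current):
    """Report files added, removed, or changed relative to the trusted baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed fixture: a stand-in toolchain tree, then post-install tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp) / "Xcode.app" / "Contents"       # hypothetical layout
        (tree / "Frameworks").mkdir(parents=True)
        (tree / "Frameworks" / "Core.framework").write_bytes(b"legit framework")
        (tree / "Info.plist").write_bytes(b"<plist/>")
        # Baseline taken right after installing from a verified download
        baseline = hash_tree(tree)
        # Simulated tampering: one object file appears, one framework is altered
        (tree / "Frameworks" / "dropped.o").write_bytes(b"unexpected object")
        (tree / "Frameworks" / "Core.framework").write_bytes(b"modified framework")
        return compare(baseline, hash_tree(tree))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On macOS this complements, rather than replaces, Apple's own signature check (spctl --assess --verbose on the Xcode bundle), since a signature check validates the publisher while the manifest catches later changes. Keep the baseline manifest off the build host so it cannot be altered together with the toolchain.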

Nevertheless, Beardsley has an optimistic viewpoint. "Given that little damage was done, this event was effectively a drill that provided a valuable object lesson in risky decision making. Ultimately, XcodeGhost may help influence more secure behavior and provides an incentive for Apple to make sure that regional distributions of core programming tools are at least as easy to use as their ad-hoc counterparts."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
