XcodeGhost malware resurfaces in U.S. businesses, targeting iOS 9
Wed 4 Nov 2015
Earlier this year, malware named XcodeGhost was discovered to have infected apps in Apple’s App Store in China, including popular services such as the instant messenger WeChat. Apple reacted quickly, removing the infected software and releasing security updates to prevent further risk. However, according to recent research from security firm FireEye, XcodeGhost has reappeared and has been found operating on iOS 9 devices.
FireEye claims that over the past month the malicious apps have infiltrated at least 210 business networks and have generated over 28,000 attempts at connecting to the malware’s Command and Control (CnC) servers.
FireEye suggests that, through these attacks, criminals could hijack traffic and distribute the infected apps to iOS devices outside of the App Store. Browsers can be forced to open URLs that lead to app download pages or to pop-up phishing windows.
The security company said it has found XcodeGhost on mobile devices running iOS versions 6 to 9. Although many app developers have updated their apps to block XcodeGhost, there are still users who have not installed those updates, which has given the malware a second shot.
“Some enterprises have taken steps to block the XcodeGhost DNS query within their network to cut off the communication between employees’ iPhones and the attackers’ CnC servers to protect them from being hijacked. However, until these employees update their devices and apps, they are still vulnerable to potential hijacking of the XcodeGhost CnC traffic – particularly when outside their corporate networks,” FireEye explained.
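The DNS-level blocking FireEye describes above is something a network team can both enforce and measure from resolver logs. The following script is an added example, not code from the article or from FireEye: it scans a constructed resolver log for lookups of XcodeGhost command-and-control domains, reports how many attempts each network and client made (the kind of count behind the "28,000 attempts" figure), and emits the response-policy-zone (RPZ) records a BIND-style resolver would use to answer those lookups with NXDOMAIN. The domain names in the blocklist are placeholders, because the article names none; the log format is an assumption for the example.

```python
"""Added example, not code from the article or from FireEye.

Given a DNS resolver log, flag queries for XcodeGhost command-and-control
(CnC) domains, count attempts per network and per client, and emit the
response-policy-zone (RPZ) records a resolver would use to block them.
The CnC domain names are PLACEHOLDERS (the article names none); replace
them with indicators from a vendor advisory.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set

# Placeholder indicator list (constructed, not real XcodeGhost infrastructure).
XCODEGHOST_CNC_DOMAINS: Set[str] = {
    "cnc-placeholder-1.example",
    "cnc-placeholder-2.example",
}

# Constructed resolver log; assumed format: "<timestamp> <network> <client-ip> <qname>".
SAMPLE_DNS_LOG = """\
2015-11-02T08:01:13Z site-nyc 10.1.4.22 www.apple.com
2015-11-02T08:01:14Z site-nyc 10.1.4.22 cnc-placeholder-1.example
2015-11-02T08:03:40Z site-nyc 10.1.4.31 CNC-Placeholder-1.example.
2015-11-02T09:12:05Z site-sfo 10.2.7.8 api.cnc-placeholder-2.example
2015-11-02T09:12:06Z site-sfo 10.2.7.8 mail.example.org
this line is malformed and must be skipped
"""


class DnsQuery(NamedTuple):
    timestamp: str
    network: str
    client: str
    qname: str


def normalize_qname(qname: str) -> str:
    """Lower-case the name and drop the trailing root dot so 'A.Example.' == 'a.example'."""
    return qname.rstrip(".").lower()


def parse_line(line: str) -> Optional[DnsQuery]:
    """Parse one log line; return None for lines that do not have exactly four fields."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, network, client, qname = parts
    return DnsQuery(ts, network, client, normalize_qname(qname))


def is_cnc_query(qname: str, blocklist: Set[str] = XCODEGHOST_CNC_DOMAINS) -> bool:
    """True if qname is a listed CnC domain or any subdomain of one."""
    name = normalize_qname(qname)
    return any(name == d or name.endswith("." + d) for d in blocklist)


def summarize_cnc_attempts(log_text: str,
                           blocklist: Set[str] = XCODEGHOST_CNC_DOMAINS) -> Dict[str, Dict[str, object]]:
    """Per network: number of CnC lookups and the set of clients that made them."""
    summary = defaultdict(lambda: {"attempts": 0, "clients": set()})
    for raw in log_text.splitlines():
        q = parse_line(raw)
        if q is None or not is_cnc_query(q.qname, blocklist):
            continue
        entry = summary[q.network]
        entry["attempts"] += 1
        entry["clients"].add(q.client)
    return dict(summary)


def rpz_records(blocklist: Set[str] = XCODEGHOST_CNC_DOMAINS) -> List[str]:
    """RPZ records answering NXDOMAIN ('CNAME .') for each CnC domain and its subdomains."""
    records = []
    for d in sorted(blocklist):
        records.append(f"{d} CNAME .")
        records.append(f"*.{d} CNAME .")
    return records


if __name__ == "__main__":
    for network, entry in sorted(summarize_cnc_attempts(SAMPLE_DNS_LOG).items()):
        print(f"{network}: {entry['attempts']} CnC lookups from {sorted(entry['clients'])}")
    print("\n".join(rpz_records()))
```

The per-client set is the useful output: FireEye's point is that blocking the query at the resolver stops the traffic only while the device is on the corporate network, so the client addresses identify the phones whose apps still need updating.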
Highlighted as a persistent threat to organisations, particularly in the U.S., XcodeGhost has also spawned a variant known as XcodeGhost S, a nasty update which specifically targets iOS 9. The new version is able to bypass iOS 9’s Application Transport Security (ATS) feature, which Apple introduced as extra protection against malicious activity on its mobile devices.