XcodeGhost: infecting iOS apps at compile time

The last few days, the security community has been going nuts over a new malware discovered in the iOS App store, named XcodeGhost. This article will give an overview of how XcodeGhost works.

The traditional way of infecting mobile devices is by using a trojan horse mechanism. An attacker will create an app that looks legitimate, but contains some additional functionality that is not so innocent. An example of this is the "Find and Call" app, that infected both Android and iOS devices.

The XcodeGhost malware did not this method, but rather imbedded itself into legitimate apps, already trusted by end users. This was achieved by creating a modified, malicious version of Xcode, the tool used to develop iOS apps.

This modified version of Xcode was distributed via filesharing services (mainly Baidu). Since many developers, especially in China, have trouble downloading the legitimate Xcode from Apple's servers, this infected copy was soon used by many developers to compile their iOS apps.

This is where it gets interesting. The malicious version of Xcode contains a modified version of the iOS CoreServices - an object file containing many fundamental system services. Since any complex iOS app relies on CoreServices for functionality, the attackers had good chance of their modified object file ending up in legitimate apps.

The developers, not realising what had happened would submit their apps to the app store and many of the infected apps made onto the App store (currently it is estimated that around 4 000 apps has been infected). Since these were legitimate apps, they were downloaded and used by many users, even those savvy enough to avoid dodgy-looking apps. Some of the most high-profile apps that were infected is WeChat, WinZip and the NetEase Cloud Music App.

Running a malicious app
Once an infected app was opened on an iOS device, the malware would collect information, encrypt it and then upload it to a server. It also had the ability to receive commands from its Command and Control (C2) server.

The information collected included:

  • System time
  • Name of the app that has been infected
  • Infected app's bundle identifier
  • Device's name and type
  • System language and country
  • Device UUID
  • Network type

Decompiling the source code shows that the data is transmitted via HTTP after being encrypted using the DES algorithm in ECB mode. The encryption key can also be extracted from the source code. This suggests that the developers of the malware is not familiar with cryptography best practices.

After uploading the encrypted data to the C2 servers, the malware receives an encrypted JSON response containing any additional instructions that it has to execute. This suggests that the attackers intended to profile users based on the collected information, similar to the mechanism used in tracking cookies.

Analysis of infected apps suggests that the malware can be given commands to:

  • Create a fake prompt for user credentials. Comments from developers using the infected Xcode suggests that this has been used to phish iCloud credentials.
  • Hijack URLs based on their scheme (iOS allows apps to define custom schemes), giving the malware the ability to exploit vulnerabilities in iOS or other apps
  • Read and write data to the user's clipboard. This could be used to steal passwords, since many users using a password manager will copy their passwords to the clipboard and then paste them in the app


Since the malware has been detected, various companies have taken steps to fight it:

  • Baidu has removed the infected files from its service
  • Apple has issued an advisory, warning developers about using copies of Xcode obtained from third parties
  • Apple has issued instructions on how to verify that a copy of Xcode has not been tampered with
  • Amazon has taken the Command and Control servers running on AWS offline

Apple has also started removing infected apps from the App Store, but it appears that the number of infected apps is larger than originally estimated.