Apple iPad Forum 🍎


Apple's App Store Suffers Major Hack Attack

dgstorm

Editor in Chief
Joined
Jul 27, 2011
Messages
619
Reaction score
144

Over the weekend, Apple engineers were busy cleaning up iOS after the first major, large-scale hacking attack hammered the iOS Apple App store. A number of malicious iPhone and iPad programs made their way directly onto the App Store.

Apple had to jump to work over the weekend after a number of cyber security firms reported a malicious program called XcodeGhost was found embedded in hundreds of legitimate apps. This marks the first time malicious software code made its way past Apple's strict app review process. According to Palo Alto Networks Inc, before this, only five malicious apps were ever found in the App Store. Here's a quote with more of the scary details,

"The hackers embedded the malicious code in these apps by convincing developers of legitimate software to use a tainted, counterfeit version of Apple's software for creating iOS and Mac apps, which is known as Xcode, Apple said.

"We've removed the apps from the App Store that we know have been created with this counterfeit software," Apple spokeswoman Christine Monaghan said in an email. "We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps."

She did not say what steps iPhone and iPad users could take to determine whether their devices were infected.

Palo Alto Networks Director of Threat Intelligence Ryan Olson said the malware had limited functionality and his firm had uncovered no examples of data theft or other harm as a result of the attack.

Still, he said it was "a pretty big deal" because it showed that the App Store could be compromised if hackers infected machines of software developers writing legitimate apps. Other attackers may copy that approach, which is hard to defend against, he said.

"Developers are now a huge target," he said." ~ Yahoo


Researchers identified several infected apps including: Tencent Holdings Ltd's <0700.HK> popular mobile chat app WeChat, car-hailing app Didi Kuaidi and a music app from Internet portal NetEase Inc. At least one mobile security firm (Qihoo360 Technology Co) claims that up to 344 apps were tainted with XcodeGhost. Apple has not yet declared how many apps it has uncovered with the malicious code.

When you are the biggest dog on the block, it basically paints a target on your back for the hackers of the world. Let's cross our fingers this will not be a trend of the future for iOS.

Source: Yahoo
 

Kayayem

iPF Noob
Joined
Sep 20, 2015
Messages
10
Reaction score
1
It's a bit surprising that Apple hasn't taken steps to contact users who have downloaded the infected apps... so as it stands, if you have a tainted app, Apple knows you have downloaded it... and are going to just let you potentially compromise yourself further.

I do understand they may be wanting to shield the developers' reputations... I mean, if you had downloaded a tainted game, you're gonna think twice before downloading another from that same developer. That's an understandable reaction they probably want to avoid... but every minute one of those apps is running on our devices marks another minute we might log into our bank and lose everything (assuming that's the sort of info the malware can collect...)
 

twerppoet

iPad Fan
Joined
Jan 8, 2011
Messages
24,197
Reaction score
15,549
Location
Milton-Freewater, OR
Some 'possible' explanations:

One of the more extensive articles on the exploit said the current (installed) version of the malware didn't seem to be compromising any important data. That might be the reason. Even a tainted app would have a hard time getting access to another app's data. That means any data collected is most likely limited to data entered in the tainted app, and the infection method doesn't let the bad guys choose what data the app gathers. With only 36(8) known apps infected, there may be no critical, secure, private data at risk.

How much data can you steal from a solitaire game?

It's also possible that few if any of the infected apps are being used. WeChat is the only one that's been called out by name, and only an older version of it is tainted. There are a ton of apps in the App Store that have few if any users. I suspect that the reason WeChat is mentioned is that it's the only semi-popular app affected.

Apple also has the ability to pull apps directly off your phone. Or they did early on, and used it exactly once. Maybe they are doing that, though I've heard nothing of the sort. But if few of the affected apps are being used, it's possible no one has noticed.

As for shielding the developers, Apple has never shown concern for a developer's reputation in the past. If they are keeping quiet it's because they are worried about the reputation of the App Store.

At this point we don't know enough to know if Apple is doing enough. It's possible that we never will.
 

Kayayem

iPF Noob
Joined
Sep 20, 2015
Messages
10
Reaction score
1
Some 'possible' explanations:
...

Thanks..those are very good points I hadn't considered. I guess I was expecting the apps would have the ability to monitor activity or catch passwords on banking sites etc.

I am certain that if any of these apps offer in-app purchases, the app would definitely be able to catch your Apple credentials.


Here's what I found over at PaloAlto:

PaloAlto said:
We checked these apps and list them below in this report. As of this writing, we see 39 iOS apps being infected, some of which are extremely popular in China and in other countries around the world, comprising hundreds of millions of users.
The infected iOS apps include IMs, banking apps, mobile carrier’s app, maps, stock trading apps, SNS apps, and games.

Fox-IT (fox-it.com), a Netherlands based security company, checked all C2 domain names from our reports in their network sensors and has found thousands of malicious traffic outside China. According to their data, these iOS apps were also infected:
Mercury
WinZip
Musical.ly
PDFReader
guaji_gangtai en
Perfect365
PDFReader Free
WhiteTile
IHexin
WinZip Standard
MoreLikers2
CamScanner Lite
MobileTicket
iVMS-4500
OPlayer Lite
QYER
golfsense
ting
installer
golfsensehd
Wallpapers10000
CSMBP-AppStore
MSL108
ChinaUnicom3.x
TinyDeal.com
snapgrab copy
iOBD2
PocketScanner
CuteCUT
AmHexinForPad
SuperJewelsQuest2
air2
InstaFollower
CamScanner Pro
baba
WeLoop
DataMonitor
MSL070
nice dev
immtdchs
OPlayer
FlappyCircle
SaveSnap
WeChat
Guitar Master
jin
WinZip Sector
Quick Save
CamCard
 

twerppoet

iPad Fan
Joined
Jan 8, 2011
Messages
24,197
Reaction score
15,549
Location
Milton-Freewater, OR
Thanks for the information.

That's a more disturbing list than I thought it might be.

If Mercury is the Mercury Web Browser (there's more than one app named Mercury), that's a pretty big risk. A lot of web logins could be compromised.

I have OPlayer, though I haven't used it in ages, and didn't use it much when I did.

I'm not familiar with any of the others.

It's especially disturbing that they say some of these are banking apps. I find it appalling that a developer of a banking app would even consider getting Xcode from a file sharing site.

Anyway, I'm sure we're going to hear a lot more details about this over the next couple of days, whether Apple makes any more official announcements or not.
 

Kayayem

iPF Noob
Joined
Sep 20, 2015
Messages
10
Reaction score
1
Thanks for the information.

That's a more disturbing list than I thought it might be.

If Mercury is the Mercury Web Browser (there's more than one app named Mercury), that's a pretty big risk. A lot of web logins could be compromised.

I have OPlayer, though I haven't used it in ages, and didn't use it much when I did.

I'm not familiar with any of the others.

It's especially disturbing that they say some of these are banking apps. I find it appalling that a developer of a banking app would even consider getting Xcode from a file sharing site.

Anyway, I'm sure we're going to hear a lot more details about this over the next couple of days, whether Apple makes any more official announcements or not.

Did you see the list dgstorm posted HERE? It's up to 85 apps...
 
