How a mobile app company found the XcodeGhost in the machine

Apple will face increasingly clever attempts to sneak malware into the App Store

Nick Arnott recently couldn't figure out why Apple kept rejecting an update to a mobile app his company developed.

It turned out the problem was a ghost in the machine.

His company, Possible Mobile, is well versed in the App Store submission rules and has built apps for JetBlue, Better Homes & Gardens and Major League Soccer.

The rejection came after it was discovered in mid-September that thousands of apps in the App Store had been built with a counterfeit version of an Apple development tool, Xcode.

The fake version, dubbed XcodeGhost and probably developed in China, had been downloaded by many developers from third-party sources, apparently because downloading the 4GB package from Apple took too long.


Apple's Xcode tool is used for building applications for the company's devices.

Security researchers found that apps with XcodeGhost posed a privacy risk, as the apps could easily be configured to record data from people's devices and send it to a remote server.

The entry of more than 4,000 XcodeGhost-infected apps into the App Store marked one of the most successful breaches of Apple's stringent security checks, threatening to undermine the company's years-long efforts to keep the store free of malware.

After its app was rejected, Possible Mobile set out to find out why and detailed its efforts in a blog post.

Apple had indicated it had something to do with XcodeGhost. But Arnott and his team were stumped: The version of Xcode they were using was the legitimate one. They reinstalled fresh versions of Xcode on several machines, but Apple still rejected the app.

Making a mobile app is a bit like making sausage: A lot of code frameworks and libraries developed by other companies are used for functions like ad serving and video delivery.

Those frameworks often come as binaries, and developers have no visibility into what is actually in the source code, said Jay Graves, Possible Mobile's CTO, in a phone interview.

"Any of the top apps from top brands on the App Store are going to have something from a third party," Graves said.

Trying to figure out what is in a binary is what security researchers do, not app developers, Graves said. After scratching their heads, they guessed that the problem was probably in a third-party framework.

The framework had been compiled with a tainted Xcode version, and that code was subsequently incorporated into the app by Possible Mobile. After being alerted, the company that developed the framework fixed the problem and delivered a clean version, Graves said.

Apple can now detect apps infected with XcodeGhost. But there's already an improved version of XcodeGhost that tries to make it harder to analyze and detect.

"Every once in a while, you hear about something getting into the App Store that isn't supposed to be there," Arnott said. "But there's kind of an endless list of tricks that malicious developers can use to try to get this stuff past Apple's review process."

To figure out if the third-party framework was the culprit, Possible Mobile had used a command-line tool, grep, to find the URLs that XcodeGhost was programmed to contact, Arnott said.

"The problem with that sort of approach is once those strings change," Arnott said. "We don't necessarily have a solution for that."
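An added example, not Possible Mobile's own script: a Python check that does what the grep step above did over third-party framework binaries, using a placeholder indicator string (the article names no XcodeGhost URLs; real ones would come from a vendor advisory) and, to partly cover the "strings change" caveat, also listing every embedded URL whose host the vendor has not declared as expected.

```python
import re
from pathlib import Path

# Constructed placeholder indicator (the article names no XcodeGhost URLs);
# substitute the real strings from a vendor advisory when using this.
KNOWN_INDICATORS = [b"http://xcodeghost-c2.example/placeholder"]

# Matches http(s) URLs embedded as printable ASCII inside an arbitrary binary.
URL_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)(?::\d+)?(?:/[\x21-\x7e]*)?")

def scan_binary(data: bytes, expected_hosts):
    """Check raw binary bytes (e.g. a framework's Mach-O) for known C2 strings
    and for any embedded URL whose host is not on the vendor's expected list.
    The second check is a heuristic for the case where indicator strings have
    changed: it does not name the malware, but it surfaces hosts to explain."""
    known_hits = [ind.decode() for ind in KNOWN_INDICATORS if ind in data]
    unexpected = set()
    for m in URL_RE.finditer(data):
        host = m.group(1).decode("ascii", errors="replace")
        if host not in expected_hosts:
            unexpected.add(m.group(0).decode("ascii", errors="replace"))
    return {"known_hits": known_hits, "unexpected_urls": sorted(unexpected)}

def scan_frameworks(root, expected_hosts):
    """Walk a directory of third-party frameworks; report files needing review."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            result = scan_binary(path.read_bytes(), expected_hosts)
            if result["known_hits"] or result["unexpected_urls"]:
                findings[str(path.relative_to(root))] = result
    return findings

# Constructed samples: a fake binary carrying only the vendor's endpoint, and a
# tainted copy that also carries the placeholder C2 URL and an undeclared host.
SAMPLE_CLEAN = (b"\xcf\xfa\xed\xfe" + b"\x00" * 16
                + b"https://api.advendor.example/v2/serve\x00" + b"\x00" * 8)
SAMPLE_TAINTED = (SAMPLE_CLEAN
                  + b"http://xcodeghost-c2.example/placeholder\x00"
                  + b"https://update.unknown-host.example/cfg\x00")
EXPECTED_HOSTS = {"api.advendor.example"}

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN), ("tainted", SAMPLE_TAINTED)):
        print(name, scan_binary(blob, EXPECTED_HOSTS))
```

Point `scan_frameworks` at the app's bundled frameworks directory before submission; anything in `unexpected_urls` is a question for the framework vendor, not proof of infection.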

The cat-and-mouse game will pose challenges for Apple and developers, Graves said. Apple's guidance can be vague when apps are rejected, probably to prevent attackers from getting tipped off about Apple's security processes.

"This story is definitely not over," Graves said. "It's taken a while, but with the proliferation of mobile and iOS being a high-value target, they're seeing a lot more attention from the black-hat society."

Stories by Jeremy Kirk