iOS malware, XcodeGhost, infects millions of Apple Store customers
Authored by a Symantec employee
iOS apps popular mainly in China have been infected with a piece of malware that can steal your data, and even get you to reveal things like usernames and passwords via phishing. The malware, called XcodeGhost, was discovered by Chinese iOS developers, after it was able to find its way into legitimate Apple Store apps, including WeChat, a popular IM application.
What does XcodeGhost do?
Once the user downloads the infected app, the malicious code uploads device and app information to its command and control (C2) server. The attacker can then send commands through this server, telling the infected app to perform actions such as:
- Creating fake phishing alerts to steal your username and password
- Reading and writing data on your device’s clipboard, which could uncover your password if it is copied from a password management tool
- Hijacking your browser to open specific URLs, which could let the attacker take advantage of existing bugs in the iOS system or in other iOS apps
How to stay protected
Researchers at Palo Alto Networks identified 39 infected apps, including:
- WeChat (IM app)
- Didi Chuxing (a popular ridesharing app in China)
- Railway 12306 (the only official rail ticket purchasing app in China)
- China Unicom Mobile Office (used by the largest mobile carrier in China)
- Tonghuashun (a popular Chinese stock trading app)
If you have any of the apps listed above on your device, make sure that you do the following:
- Update your app as soon as possible, or delete the app and wait for a new version of the app to be made available
- Change your Apple ID password
- Watch out for any suspicious emails or push notifications to your device asking for your Apple credentials, or any personally identifying information