Apple apps have a problem.


Posted by 政府都对党
Palo Alto Networks points out that hackers modified Xcode, the development environment Apple designed for Mac OS X and iOS, and produced a version implanted with malware for Chinese developers to download and use, so that many unsuspecting developers built poisoned apps with it. Infected programs known so far include WeChat, NetEase, Tencent and others; the number of affected users is estimated in the hundreds of millions.

Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store
POSTED BY: Claud Xiao on September 17, 2015 4:00 PM

FILED IN: Malware, Threat Prevention, Unit 42
TAGGED: Apple, Baidu, iOS, KeyRaider, OS X, Weibo, Xcode, XcodeGhost

UPDATE: Since this report’s original posting on September 17, two additional XCodeGhost updates have been published, available here and here.

On Wednesday, Chinese iOS developers disclosed new OS X and iOS malware on Sina Weibo. Alibaba researchers then posted an analysis report on the malware, giving it the name XcodeGhost. We have investigated the malware to identify how it spreads, the techniques it uses and its impact.

XcodeGhost is the first compiler malware in OS X. Its malicious code is located in a Mach-O object file that was repackaged into some versions of Xcode installers. These malicious installers were then uploaded to Baidu’s cloud file sharing service for use by Chinese iOS/OS X developers. Xcode is Apple’s official tool for developing iOS or OS X apps, and it is clear that some Chinese developers have downloaded these Trojanized packages.

(UPDATE: Following notification by Palo Alto Networks of malicious files hosted on their file sharing services, Baidu has removed all of the files.)


XcodeGhost exploits Xcode’s default search paths for system frameworks, and has successfully infected multiple iOS apps created by infected developers. At least two iOS apps were submitted to the App Store, successfully passed Apple’s code review, and were published for public download.

This is the sixth malware that has made it through to the official App Store after LBTM, InstaStock, FindAndCall, Jekyll and FakeTor.

XcodeGhost’s primary behavior in infected iOS apps is to collect information on the devices and upload that data to command and control (C2) servers. The malware has exposed a very interesting attack vector, targeting the compilers used to create legitimate Apps. This technique could also be adopted to attack enterprise iOS apps or OS X apps in much more dangerous ways.

Distributing the Malicious Xcode Build
In China (and in other places around the world), sometimes network speeds are very slow when downloading large files from Apple’s servers. As the standard Xcode installer is nearly 3GB, some Chinese developers choose to download the package from other sources or get copies from colleagues.

By searching for “Xcode 下载” (Xcode download) in Google, on the first page of the search results (Figure 1) we found that six months ago someone posted Xcode download links to multiple forums or websites (including Douban, SwiftMi, CocoaChina, OSChina, etc.) that Chinese iOS developers frequently visit.



Figure 1. Google search results for “Xcode downloading” in Chinese

These posts provided links to download all versions of Xcode from 6.0 to 7.0 (including beta versions). All of the links direct to Baidu Yunpan, a cloud based file storage and sharing service.



Figure 2. Malicious Xcode shared in Baidu Yunpan

We downloaded these Xcode installers and found that all versions of Xcode from 6.1 to 6.4 were infected. When attempting to verify the installers’ code signing signature, it is clear that some extra files were added to Xcode (Figure 3).



Figure 3. Code signing verification shows some extra files in Xcode

Those additional files are listed below.

  • Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/Library/Frameworks/CoreServices.framework/CoreService
  • Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/Library/PrivateFrameworks/IDEBundleInjection.framework/
  • Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/Library/Frameworks/CoreServices.framework/CoreService
  • Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/Library/PrivateFrameworks/IDEBundleInjection.framework/
  • Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/Library/Frameworks/CoreServices.framework/CoreService
  • Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/Library/PrivateFrameworks/IDEBundleInjection.framework/

How the Attack Works
The primary malicious component in the XcodeGhost infected version is “CoreServices”. What is different from all previous OS X and iOS malware instances is that this file is neither a Mach-O executable nor a Mach-O dynamic library, but a Mach-O object file that is consumed by the LLVM linker and can’t be executed directly in any way. This abnormal file format will cause crashes or errors when it is analyzed by format parsers like MachOView, 010 Editor (with the Mach-O template) or jtool.

In iOS, CoreServices contains many of the fundamental system services, and almost all complex iOS apps rely on it. When such an iOS app is compiled, Xcode will search for the CoreServices framework in some pre-defined paths to link with the developer’s code.

XcodeGhost implements its malicious code in its own CoreServices object file, and copies this file to a specific location that is one of Xcode’s default framework search paths. Hence, the code in the malicious CoreServices file will be added to any iOS app compiled with the infected Xcode without the developers’ knowledge.

The malicious CoreServices file primarily implements extra code in UIWindow class and UIDevice class. The UIWindow class “manages and coordinates the views an app displays on a device screen”. Almost every iOS app has a UIWindow instance when it’s running.

When an infected app is executed, either in an iOS Simulator or on iOS devices, malicious code will collect some system and app information using its UIDevice AppleIncReserved method. The collected information includes:

  • Current time
  • Current infected app’s name
  • The app’s bundle identifier
  • Current device’s name and type
  • Current system’s language and country
  • Current device’s UUID
  • Network type


Figure 4. Collecting system and app information

Then, XcodeGhost will encrypt the information and upload it to a C2 server over HTTP. From different versions of XcodeGhost, we found three C2 domain names:



Figure 5. Uploading stolen information to C2 server

Note that, the domain name “icloud-analysis.com” was also used by a sample in the iOS trojan KeyRaider we recently found.

Malware In the App Store
According to JoeyBlue on Sina Weibo, at least two famous apps were infected by XcodeGhost and successfully landed in the App Store. We have confirmed both.

We downloaded the NetEase Cloud Music App (com.netease.cloudmusic) from Apple’s App Store (China region). In its latest version (2.8.3), Info.plist shows that it was built with Xcode 6.4 (6E35b). In the main executable file, the malicious XcodeGhost code is present (Figure 7 and Figure 8).



Figure 6. Infected NetEase App in the Apple App Store



Figure 7. XcodeGhost Present in the Infected NetEase App



Figure 8. Decompiled XcodeGhost Functions in the NetEase App

Security Risks
Compiler malware is not a new idea. Starting with the first proof-of-concept written by Ken Thompson 31 years ago, real compiler malware has been discovered on many platforms. Compared with other iOS malware, XcodeGhost’s behaviors are not especially significant or harmful. This is why the code can pass App Store code review.

However, XcodeGhost disclosed a very easy way to Trojanize apps built with Xcode. In fact, attackers do not need to trick developers into downloading untrusted Xcode packages, but can write OS X malware that directly drops a malicious object file into the Xcode directory without any special permissions.

Additionally, although Apple’s code review for App Store submissions is very strict, some applications are never reviewed by Apple. If an iOS app is used internally by an enterprise, for example, it is distributed in-house and does not go through the App Store. Similarly, an OS X app can also be infected, and many OS X apps are distributed directly over the Internet rather than through the App Store.

In these situations, Xcode compiler malware can be much more aggressive and risky.

It’s difficult for iOS users or developers to be aware of this malware (or similar attacks) because it is deeply hidden, bypassing App Store code review. Because of these characteristics, Apple developers should always use Xcode directly downloaded from Apple, and regularly check their installed Xcode’s code signing integrity to prevent Xcode from being modified by other OS X malware.

Appendix
XcodeGhost file hashes

89c912d47165a3167611cebf74249f981a4490d9cdb842eccc6771ee4a97e07c CoreServices

b1f567afbf02b6993a1ee96bfdb9c54010a1ad732ab53e5149dda278dd06c979 CoreServices

f5a63c059e91f091d3f1e5d953d95d2f287ab6894552153f1cf8714a5a5bed2d CoreServices

2fde065892a8f1c9f498e6d21f421dbc653888f4102f91fc0fa314689d25c055 Xcode_6.2.dmg

c741af30aef915baa605856a5f662668fba1ae94a8f52faf957b8a52c8b23614 Xcode_6.4.dmg
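The integrity check the write-up recommends (verifying the installed Xcode's code signature, as in Figure 3) and the indicators it lists (the six planted paths, the five SHA-256 hashes, the C2 domain icloud-analysis.com and the UIDevice method AppleIncReserved), brought together in one added Python example. This is not code from Unit 42 or from anyone in this thread. It parses the "file added:" / "file modified:" lines of `codesign --verify` output and maps them onto the planted framework search paths, and it scans an app's main executable, a CoreServices object or an Xcode .dmg against the hash list and the indicator strings. Assumptions, also marked in the code: that codesign reports extra files in that line format, that the indicator strings are stored unencrypted in the binary (the write-up says the uploaded data is encrypted but says nothing about the domain strings), and that Xcode is installed at /Applications/Xcode.app. Running codesign needs macOS; everything else runs anywhere.

```python
"""Offline triage for the XcodeGhost indicators listed in the write-up above.

Added example, not code from Unit 42 or anyone in this thread. It uses only
facts from the write-up: the six planted paths, the five SHA-256 hashes, the
C2 domain icloud-analysis.com and the method name AppleIncReserved.
Assumptions: codesign reports extra files as "file added: <path>" lines, the
indicator strings sit in plaintext in the binary, and Xcode lives at
/Applications/Xcode.app.
"""
import hashlib
import re
import subprocess

# Files the write-up lists as added to the Trojanized Xcode.app, relative to
# the bundle. They sit in SDK framework search paths, which is why the planted
# CoreServices object gets linked into every app built with that Xcode.
PLANTED_PATHS = frozenset(
    "Contents/Developer/Platforms/%s.platform/Developer/SDKs/Library/%s" % (platform, tail)
    for platform in ("iPhoneOS", "iPhoneSimulator", "MacOSX")
    for tail in ("Frameworks/CoreServices.framework/CoreService",
                 "PrivateFrameworks/IDEBundleInjection.framework")
)

# SHA-256 hashes from the appendix of the write-up.
KNOWN_SAMPLES = {
    "89c912d47165a3167611cebf74249f981a4490d9cdb842eccc6771ee4a97e07c": "CoreServices",
    "b1f567afbf02b6993a1ee96bfdb9c54010a1ad732ab53e5149dda278dd06c979": "CoreServices",
    "f5a63c059e91f091d3f1e5d953d95d2f287ab6894552153f1cf8714a5a5bed2d": "CoreServices",
    "2fde065892a8f1c9f498e6d21f421dbc653888f4102f91fc0fa314689d25c055": "Xcode_6.2.dmg",
    "c741af30aef915baa605856a5f662668fba1ae94a8f52faf957b8a52c8b23614": "Xcode_6.4.dmg",
}

# Strings an infected app carries per the write-up: the C2 domain and the
# UIDevice method that gathers device information. Assumed to be unencrypted.
IOC_STRINGS = (b"icloud-analysis.com", b"AppleIncReserved")

# Thin and fat Mach-O magics, both byte orders, so scan_binary can say whether
# it was handed a Mach-O file at all (executable, dylib or object file).
MACHO_MAGICS = (b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")

# Assumed format of codesign's verbose resource report (what Figure 3 shows).
_CODESIGN_LINE = re.compile(r"^file (added|modified|missing): (.+)$", re.M)


def planted_paths_in(paths):
    """Return the PLANTED_PATHS that a list of bundle-relative paths touches.
    A listed directory (the IDEBundleInjection.framework entries) also matches
    any file beneath it."""
    hits = set()
    for p in paths:
        p = p.strip("/")
        for planted in PLANTED_PATHS:
            if p == planted or p.startswith(planted + "/"):
                hits.add(planted)
    return sorted(hits)


def parse_codesign_report(output, xcode_app):
    """Turn codesign --verify output into bundle-relative added/modified/missing
    lists plus the subset that lands on the known planted paths."""
    bundle = xcode_app.rstrip("/") + "/"
    report = {"added": [], "modified": [], "missing": []}
    for kind, path in _CODESIGN_LINE.findall(output):
        report[kind].append(path[len(bundle):] if path.startswith(bundle) else path)
    report["planted"] = planted_paths_in(report["added"] + report["modified"])
    return report


def verify_xcode(xcode_app="/Applications/Xcode.app"):
    """Run the integrity check the write-up recommends (macOS only).
    A clean Apple-signed Xcode gives ok=True and empty lists; a Trojanized one
    lists the planted files under 'added'. codesign prints its report to stderr."""
    proc = subprocess.run(
        ["codesign", "--verify", "--deep", "--strict", "--verbose=4", xcode_app],
        capture_output=True, text=True)
    report = parse_codesign_report(proc.stderr + proc.stdout, xcode_app)
    report["ok"] = proc.returncode == 0
    return report


def scan_binary(data):
    """Check one file's bytes (an app's main executable, a CoreServices object
    or an Xcode .dmg) against the hash list and the plaintext indicators."""
    digest = hashlib.sha256(data).hexdigest()
    return {
        "sha256": digest,
        "known_sample": KNOWN_SAMPLES.get(digest),
        "macho": data[:4] in MACHO_MAGICS,
        "iocs": [s.decode() for s in IOC_STRINGS if s in data],
    }


def scan_file(path):
    """Read and scan a file; for a multi-gigabyte .dmg prefer sha256_path."""
    with open(path, "rb") as fh:
        return scan_binary(fh.read())


def sha256_path(path, chunk=1 << 20):
    """Streaming SHA-256 for large installers: (digest, known sample name or None)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest(), KNOWN_SAMPLES.get(h.hexdigest())


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        result = scan_file(path)
        verdict = "INFECTED" if result["iocs"] or result["known_sample"] else "no indicator"
        print(path, verdict, result["sha256"], result["iocs"])
```

Run it with app executables (or extracted CoreServices files) as arguments; on a Mac, call verify_xcode() to check the installed Xcode, and sha256_path() on any Xcode .dmg obtained from a mirror before mounting it. A "no indicator" result only means none of the five hashes and neither plaintext string was found; it does not clear a build of other tampering, which is why the codesign check on the toolchain itself matters more than scanning outputs.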
 
Apple said on Sunday that it is removing apps infected with XcodeGhost from its App Store. The malicious code XcodeGhost was embedded into hundreds of legitimate apps through Xcode compilers downloaded from third parties, including popular Chinese apps such as WeChat and Didi Dache. Before this, only 5 malicious apps had ever been found in the App Store. Apple spokesperson Christine Monaghan said they are working with developers to make sure they use the official version of Xcode to build their apps. Researchers at security companies worry that others may imitate XcodeGhost's approach. Apple did not disclose how many apps were found to be infected with XcodeGhost. One reason iOS developers download Xcode from third parties such as Baidu Yunpan is thought to be that downloads from the official site are too slow, and apart from the CDN, the factors affecting official download speed are the Great Firewall and outbound traffic throttling.
 
> Apple said on Sunday that it is removing apps infected with XcodeGhost from its App Store. The malicious code XcodeGhost was embedded into hundreds of legitimate apps through Xcode compilers downloaded from third parties, including popular Chinese apps such as WeChat and Didi Dache. Before this, only 5 malicious apps had ever been found in the App Store. Apple spokesperson Christine Monaghan said they are working with developers to make sure they use the official version of Xcode to build their apps. Researchers at security companies worry that others may imitate XcodeGhost's approach. Apple did not disclose how many apps were found to be infected with XcodeGhost. One reason iOS developers download Xcode from third parties such as Baidu Yunpan is thought to be that downloads from the official site are too slow, and apart from the CDN, the factors affecting official download speed are the Great Firewall and outbound traffic throttling.

I have never understood why the development departments at companies like Tencent and Baidu would download their development environment from third parties... Is it that they think Xcode isn't free, or does the third-party IDE have something special about it?
 
> I have never understood why the development departments at companies like Tencent and Baidu would download their development environment from third parties... Is it that they think Xcode isn't free, or does the third-party IDE have something special about it?

It's because the company has no strong rules on software use; employees just do whatever they like. This is a bad habit left over from years of using pirated software: even free software gets downloaded from some site found through Baidu.
 
> I have never understood why the development departments at companies like Tencent and Baidu would download their development environment from third parties... Is it that they think Xcode isn't free, or does the third-party IDE have something special about it?

In China even JIRA is pirated, and at well-known companies too. Apple's App Store in China is constantly flaky and dropping connections, which is one of the reasons these people download Xcode from third parties.
 
> In China even JIRA is pirated, and at well-known companies too. Apple's App Store in China is constantly flaky and dropping connections, which is one of the reasons these people download Xcode from third parties.

The App Store disconnects aren't Apple's fault; it's the Great Firewall.
 
> I have never understood why the development departments at companies like Tencent and Baidu would download their development environment from third parties... Is it that they think Xcode isn't free, or does the third-party IDE have something special about it?

They say the download speed is too slow; I don't believe it anyway.
 
Did China's mobile antivirus vendors do anything useful this time?
 