As of Oct. 6, about 20 iOS devices (iPhones and iPads) at the University of Delaware have been found to be infected with “XcodeGhost” malware.

On Sept. 18, Palo Alto Networks reported that over three dozen iOS apps, including WeChat, had been compromised by being written or updated with an unauthorized version of Apple’s Xcode Integrated Development Environment (IDE). Apps built with this unauthorized IDE, known as XcodeGhost, contain vulnerabilities that the owner of an iPad or iPhone might trigger.

Because the compromised apps were first distributed in China, it took several weeks for the vulnerability to be seen here in Delaware.

As Varun Kohli indicated in the SkyCure blog on Sept. 28,

Attackers trying to gain access to sensitive information on Apple devices cannot simply use private APIs without restrictions: end users still need to approve the actions.

Given that Apple’s safeguards are still applicable to XcodeGhost apps, attackers know that they can leverage the human factor to their advantage. Apple users tend to universally trust the apps approved by Apple for their App Store, and might hit “Accept” without much or any hesitation. For example, Apple users would likely not think twice about allowing an IM app that seems to be acting normally to access their contacts. Another approach might be to simulate a request to collect credentials such as Apple ID or other Personally Identifiable Information (PII) and gain access to other resources.

In other words, be careful what requests you approve on your iPhone or iPad.

Remediation Steps

  1. See if your iOS device has any of the apps listed by Palo Alto (including the list they added from Fox-IT, a Dutch security firm).
  2. If you have any of these apps on your device, remove them. (Note: Palo Alto reports that Tencent has updated WeChat to a safe version, 6.2.6. If a vendor indicates that its app has been updated to protect against this vulnerability, you may update the app instead of removing it.)
  3. Change your password on the device.
  4. Change your password for any app on your device, even those not on the list of affected apps.
  5. Some security experts are advising that you restore the device to its factory settings.
  6. And, as always, Think B4 U Click!