XCodeGhost - pervasive hack of Apple’s Xcode developer toolkit

October 8, 2015 | Garrett Gross

As users, we all put a lot of trust in developers of software that we use every day. Just think about how much sensitive information traverses networks (and even out to the internet) via web browsers, financial management platforms, secure file storage software, etc. Would you use any of these applications if they were known to include backdoors allowing for remote access and/or second-stage malware delivery?

Of course you wouldn’t…

Most major developers and publishers test their software and try to ensure that their products reach their end users free of any tampering. However, there is a known malware delivery method that involves infecting the compiler, the piece of software that translates source code into something your computer can use. This allows for some malware to evade detection by the publisher since, in most cases, the compiler is ‘trusted’.

Researchers have recently uncovered an extremely pervasive hack of Apple’s Xcode developer toolkit. This involves infecting the compiler with malware and then passing that malware onto the compiled software. Once the malware establishes a foothold on the victim’s machine, it has the ability to phish user credentials via fake warning boxes, open specific urls in the device’s web browser, and even scrape the clipboard (especially dangerous when you copy/paste from your password management tool). While this functionality may seem limited, there is no telling what the future holds for XCodeGhost. As we saw with CoreBot, relatively simple data stealers can evolve into fully operational banking trojans almost overnight. Also – its not the current feature set that should alarm security experts, it’s the ability to fool publishers like Apple, known for their extreme scrutiny when publishing software to their app store.

Since XCode is one of the main tools used to produce Apple software for both Apple PCs and iPhones, this could potentially impact millions of users. At this point, PaloAlto Networks has identified nearly 40 infected applications on the iOS (iPhone) platform alone[1]

Impact on you

  • Stolen credentials allow for attackers to access potentially sensitive information, putting you and your company at risk. When coupled with a lax password policy where credentials are shared among users or across systems and client data is stolen, the damage done could be devastating.
  • Recent variants have demonstrated the ability to phish open urls and passwords through applications by using fake dialog boxes (i.e. login prompts). In these infected apps, it is nearly impossible for users to distinguish between legitimate and bogus entry fields.

How AlienVault Helps

AlienVault Labs continues to perform cutting edge research on threats like these, collecting large amounts of data and then creating expert threat intelligence as a result.The Labs team has already released IDS signatures and a correlation rule to the AlienVault Unified Security Management (USM) platform so customers can identify activity related to this exploit:

  • Exploitation & Installation, Trojan infection, XCodeGhost

For further investigation into XCodeGhost, visit the Open Threat Exchange (OTX) and see what research members of the community have done:



[1]Source: http://researchcenter.paloaltonetworks.com/2015/09/malware-xcodeghost-infects-39-ios-apps-including-wechat-affecting-hundreds-of-millions-of-users/

Garrett Gross

About the Author: Garrett Gross

Garrett Gross has always had an insatiable appetite for technology and information security, as well as an underlying curiosity about how it all works. Garrett has over 15 years of professional experience in information technology, filling several roles: systems administration, network engineering, product marketing, technical support, and helpdesk. In his current role in field enablement, he uses his experience to help managed security service providers be successful in evangelizing and operationalizing AlienVault USM.

Read more posts from Garrett Gross ›


Get the latest security news in your inbox.

Subscribe via email


Watch a demo ›
Get price Free trial