The rise of “XcodeGhost” over the weekend spurred plenty of conversation about app security, especially as the list of apps infected by the malware grew.
Apple eventually pulled the infected apps from the App Store, outlined how it would tighten app security going forward, and began notifying users who had installed infected apps and telling them what to do next.
Now, according to researchers cited by Ars Technica, there is both bad news and good news about XcodeGhost. The bad news is that the initial reports, which named around 40 to 50 apps including some popular titles, undercounted the infected apps in the iOS App Store, and that the problem dates back to as early as April of this year.
The good news is that XcodeGhost doesn't appear to be outright malicious: it doesn't trick users into handing over their log-in credentials for apps, or their iCloud information:
“XCodeGhost seems to be far more widespread than initially assumed,” researchers from security firm Appthority wrote in a blog post published Monday. “We were able to identify 476 affected apps for our customers from within our database–which is far more than the initial finding of around 40 apps would suggest.”
As for what XcodeGhost can do, here is what the Appthority researchers believe its capabilities are:
1. Sends requests to the server (using a fixed timer interval between requests)
2. The request contains all kinds of device identifiers (like a typical tracking framework)
3. The response can trigger different actions:
   - Shows an AppStore item within the app by using a SKStoreProductViewControllerDelegate
   - Showing a UIAlertView and showing the AppStore view depending on which button was tapped
   - Open a URL
   - Sleeping for a given time
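The fixed-interval beacon carrying device identifiers is the most detectable part of this behaviour on the network: a timer produces request gaps that are far more regular than anything a user generates. The following is an added example, not code from the Appthority write-up or from XcodeGhost itself, that groups outbound proxy log records by device and destination host, flags pairs whose inter-arrival times are near-constant, and notes whether the query string carries identifier-like keys. The log lines, the `.invalid` host names and the identifier key names are constructed for the example and are not real XcodeGhost infrastructure.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines standing in for a few minutes of outbound iOS
# traffic. Format: "<ISO timestamp> <device> <host> <path>". The host names are
# placeholders (.invalid TLD), not real XcodeGhost infrastructure.
SAMPLE_LOG = """\
2015-09-21T10:00:00 iphone-a c2.example.invalid /?idfv=ABC&bundle=com.example.app
2015-09-21T10:00:04 iphone-a cdn.example.invalid /img/1.png
2015-09-21T10:01:00 iphone-a c2.example.invalid /?idfv=ABC&bundle=com.example.app
2015-09-21T10:01:37 iphone-a api.example.invalid /feed
2015-09-21T10:02:00 iphone-a c2.example.invalid /?idfv=ABC&bundle=com.example.app
2015-09-21T10:02:51 iphone-a api.example.invalid /feed
2015-09-21T10:03:00 iphone-a c2.example.invalid /?idfv=ABC&bundle=com.example.app
2015-09-21T10:04:00 iphone-a c2.example.invalid /?idfv=ABC&bundle=com.example.app
2015-09-21T10:05:00 iphone-a c2.example.invalid /?idfv=ABC&bundle=com.example.app
2015-09-21T10:06:13 iphone-a api.example.invalid /feed
"""

# Query-string keys that look like device identifiers. These names are assumed;
# the page only says the beacon carries "all kinds of device identifiers".
IDENTIFIER_KEYS = {"idfv", "idfa", "udid", "uuid", "deviceid"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Return (timestamp, device, host, path) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, device, host, path = m.groups()
        records.append((datetime.fromisoformat(ts), device, host, path))
    return records


def carries_identifiers(path):
    """True if the request's query string includes an identifier-like key."""
    if "?" not in path:
        return False
    query = path.split("?", 1)[1]
    keys = {kv.split("=", 1)[0].lower() for kv in query.split("&") if kv}
    return bool(keys & IDENTIFIER_KEYS)


def find_beacons(records, min_hits=5, max_cv=0.1):
    """Flag (device, host) pairs whose request inter-arrival times are near-constant.

    A fixed timer yields gaps with a low coefficient of variation (stdev / mean);
    user-driven traffic does not. Pairs with fewer than min_hits requests are
    skipped because a handful of gaps cannot establish periodicity.
    Returns {(device, host): summary} for every flagged pair.
    """
    by_pair = defaultdict(list)
    for ts, device, host, path in records:
        by_pair[(device, host)].append((ts, path))

    beacons = {}
    for pair, hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            beacons[pair] = {
                "hits": len(hits),
                "interval_s": round(mean, 1),
                "cv": round(cv, 3),
                "identifiers": any(carries_identifiers(p) for _, p in hits),
            }
    return beacons


if __name__ == "__main__":
    for (device, host), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{device} -> {host}: {info}")
```

On the constructed log only the `c2.example.invalid` destination is flagged: six requests exactly 60 seconds apart (coefficient of variation 0) with an `idfv` key in every query string, while the `api` and `cdn` hosts are either too infrequent or too irregular. In practice the `max_cv` threshold has to be loosened a little, since real beacons drift on retries and backgrounding, and a regular interval without identifiers may just be a legitimate health check, so both signals together are what make a pair worth pulling the app for.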
Moreover, reiterating that XcodeGhost doesn't go after log-in credentials directly, the researchers added that the framework contains no code to present a log-in prompt, nor any kind of alert that could be used to phish credentials from iOS users:
“The framework itself contains no code to display login prompts or alerts of any kind that could be used to phish credentials (the alert has no field for text input). The only way to launch a phishing attack using this framework would be to send the response to open a URL pointing to a malicious website.”
This echoes Apple's own recent statements.
You can find out if your iOS device is infected by XcodeGhost using Pangu’s new tool.
[via Ars Technica]