Last week, Chinese app developers disclosed that an Apple programming tool had been hijacked to trick developers into embedding malicious software into apps for Apple devices.
The malware, called XcodeGhost, works by corrupting Apple’s Xcode software, which runs on Mac computers and compiles source code into apps that can run on iPhones, iPads, and other devices, before submitting them to the App Store. If a developer has XcodeGhost installed on their computer, apps that they compile include malware without the developer realizing it.
Although XcodeGhost is the first malware to spread this way in the wild, the techniques it uses were previously developed and demonstrated by Central Intelligence Agency researchers at the CIA’s annual top-secret Jamboree conference in 2012. Using documents from NSA whistleblower Edward Snowden, The Intercept’s Jeremy Scahill and Josh Begley described the CIA’s Xcode project in a story published in March.
Security firm Palo Alto Networks has published detailed technical analyses of the malware. At least 50 apps have made it into the App Store with this malware, including WeChat, one of the world’s most popular messaging apps, with hundreds of millions of users, primarily in Asia. Apps infected with XcodeGhost malware are capable of popping up fake alerts asking for credentials, such as the user’s iCloud password; reading what has been copied to the clipboard, such as passwords from password manager apps; and exploiting other parts of iOS. It’s not clear who is behind the malware or if they are based in China.
The CIA’s campaign to attack the security of Apple devices included creating a malicious version of Xcode to sneak malware into apps, without the developer realizing. As we reported in March:
The researchers boasted that they had discovered a way to manipulate Xcode so that it could serve as a conduit for infecting and extracting private data from devices on which users had installed apps that were built with the poisoned Xcode. In other words, by manipulating Xcode, the spies could compromise the devices and private data of anyone with apps made by a poisoned developer — potentially millions of people.
Today, Apple has published instructions for developers to verify that the version of Xcode they have installed is the official one.
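The verification Apple points developers to rests on Gatekeeper’s assessment of the installed Xcode bundle. The script below is an added example, not code from The Intercept’s article or from Apple’s own instructions: it wraps macOS’s `spctl --assess --verbose`, requires that the bundle is both "accepted" and attributed to Apple or the Mac App Store (a bundle signed with some third party’s Developer ID certificate is also "accepted" by Gatekeeper but is not Apple’s Xcode), and uses `xcode-select -p` to confirm that the copy being checked is the one the build tools actually use, since a second copy downloaded from a non-Apple mirror is exactly the XcodeGhost scenario. The parser function runs on any POSIX shell; the live check only runs on a Mac where `spctl` exists. The sample assessment output in the block is constructed.

```shell
#!/bin/sh
# Added example: verify that an installed Xcode.app is Apple's own build.
# Not part of the original article; relies on the real macOS tools
# `spctl` (Gatekeeper assessment) and `xcode-select` (active developer dir).

# Return 0 when the text printed by `spctl --assess --verbose <bundle>`
# says the bundle was accepted AND that the signature traces back to Apple.
# Gatekeeper prints two lines, e.g.
#   /Applications/Xcode.app: accepted
#   source=Mac App Store
# "accepted" alone is not enough: a repackaged Xcode signed with a random
# Developer ID certificate is also "accepted", so the source line must be
# one of the Apple-owned sources.
xcode_assessment_ok() {
    printf '%s\n' "$1" | grep -q ': accepted$' || return 1
    printf '%s\n' "$1" | grep -Eq '^source=(Mac App Store|Apple System|Apple)$' || return 1
    return 0
}

# Live check on macOS. $1 is the bundle path (default /Applications/Xcode.app).
# Exit status: 0 = genuine, 1 = not accepted as Apple-signed, 2 = cannot check here.
verify_xcode() {
    bundle="${1:-/Applications/Xcode.app}"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not found; run this on the Mac where Xcode is installed" >&2
        return 2
    fi
    # spctl exits non-zero on rejection; keep its output either way.
    out=$(spctl --assess --verbose "$bundle" 2>&1) || true

    # Make sure the bundle we assessed is the one `xcodebuild` would use.
    if active=$(xcode-select -p 2>/dev/null); then
        case "$active" in
            "$bundle"/*) ;;
            *) echo "WARNING: active developer directory is $active, not inside $bundle" >&2 ;;
        esac
    fi

    if xcode_assessment_ok "$out"; then
        echo "OK: $bundle passed Gatekeeper as an Apple-signed bundle"
        return 0
    fi
    echo "WARNING: Gatekeeper did not accept $bundle as Apple-signed:" >&2
    printf '%s\n' "$out" >&2
    return 1
}

# Stand-alone demo. Constructed sample output (not captured from a real Mac)
# exercises the parser; the live check runs only where spctl is available.
SAMPLE_GOOD='/Applications/Xcode.app: accepted
source=Mac App Store'
SAMPLE_DEVID='/Applications/Xcode.app: accepted
source=Developer ID'
if xcode_assessment_ok "$SAMPLE_GOOD"; then echo "sample (Mac App Store): genuine"; fi
if ! xcode_assessment_ok "$SAMPLE_DEVID"; then echo "sample (Developer ID): NOT Apple's Xcode"; fi
if command -v spctl >/dev/null 2>&1; then
    verify_xcode "${1:-/Applications/Xcode.app}"
fi
```

Run it as `sh verify_xcode.sh` on the build Mac; a non-zero exit status or a warning about the active developer directory means the Xcode that compiles your apps is not the one you think it is.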
> XcodeGhost is the first malware to spread this way in the wild
You meant to say “the first malware known to spread this way”, I’m sure.
“It’s not clear who is behind the malware or if they are based in China.”
I take it that “China bashing” is a real thing here at the Intercept.
lol – as a young woman I always asked before dating: Do you have a Macintosh computer? No was a no-go.
So you purposefully sought out men with lower IQs.
Well done.
Windows users have to be smarter as Windows is harder to use and secure.
So you are correct.
@expatz @gaius You two are a couple of tacos short of a fiesta. What does a choice of tool have to do with IQ? gaius, you do know that 95% of Windows users don’t have a clue as to what they are doing or how to secure their obviously faulty Windows machines. What a couple of knuckleheads you two are. Sheesh.
For years, friends and colleagues told me that their apple products can’t be infected. As I am not a techie, I could not prove them wrong, even as I would receive spam emails from their infected computers. Finally, you have set the record straight and I thank you.
Your friends and colleagues are no more techies than you are. That any particular company’s products cannot be cracked is a myth, which has its basis in the fact that Microsoft was the exclusive first target for the malware and cracking community. There are probably several reasons for this, but the most important one is that Microsoft dominates the desktop market. Since Apple products dominate or nearly dominate the smart phone market, it is to be expected that they would become the number one target in that domain.
Over and over again The Intercept has featured simple guidelines for reducing your personal vulnerability to these threats. I suggest you read them.
Encryption should be the standard for every business in the world, but especially for those in the U.S. We can’t do anything about the past but we should try to prevent mistakes in the future. The government will just have to learn to live with it.
Oh, Xi!!! You naughty, NAUGHTY boy! Nice thing to have PLA Unit 61398 plant in advance of meeting with Obama. You’ll attribute it to the CIA and point to your ineffectual “code of conduct” agreement, which, of course, you will violate within 24 hours or less. Not to mention the staggering level of “student” operatives you have attending U.S. Institutions of Higher Education. You do, indeed, put the NSA to shame, Xi.
Am I wrong about this – is it not the case that all our data, EVERYTHING, is out there and available – that it is being sucked up perhaps by thousands of entities right now – that nothing can stop this from happening – that the skills and soft/hardware necessary are held by millions of tech workers worldwide – that the number of people and the availability of tools to hack and spy is growing by the week?
Is it not the case that the internet and digital technology generally is a huge monster, out of anyone’s control?
Even now, supermarket chains can tell if a woman is pregnant before she knows herself, FB can determine your mood on any given day – or so it has been reported.
What will someone or some entity do with this information? As the Ashley Madison disclosure showed, anyone with a petty grievance and adolescent morality can ruin lives easily, what will happen to people’s lives when unknown sources have this kind of information?
Let’s get back to the point, blueba. It’s not some adolescent perpetrating this act of piracy on our privacy, it’s the NSA! The KGB & the Stasi could have only dreamt of this kind of assault on its own citizenry.
My point was not that the NSA et al are not spying on an industrial scale. The point I was trying to make is that the expertise and tools for spying are spreading all over the place and becoming cheaper. In addition, millions of people now know how to use the technology to spy or just release private data for purely personal reasons. Of course they can’t do what NSA can do but, as in the Ashley Madison case, they can hit a store of data anywhere and release that data for purely personal reasons.
My point is that there is a huge sea of data and millions who can access it if they choose. Every keystroke made on a computer connected to the internet without using Tor or really, really strong encryption now must be thought of as public information because so many people can access it.
The data is out there and indelible, and the ease of access becomes more widespread all the time as more students of technology acquire the skills.
Only a matter of time, and here we learn what comes back at us. After all the backdoors and malware they set loose the only question now is how many of those chickens come back to the roost, carrying what avian viruses.
I’m not buying any apps this week, certainly. Great for US business, ain’t it?
Amplifying what you have suggested on an individual level, perhaps it might be useful for large numbers of people, who otherwise might be buying apps up the wazoo, to actively and verbally boycott Apple apps for a while, loudly blaming the CIA/NSA malware and hacking for the boycott. This might do some minor damage to Apple’s profits, and possibly to their recent reputation as standing up for privacy and citizens rights, and also act as an initial economic reprimand to Apple and similar corporations, such as those mentioned here:
https://www.youbetrayedus.org/?t=dXNlcmlkPTU0ODU2NTI0LGVtYWlsaWQ9OTk5Mg==
which according to this site, are supporting the NSA/CIA-pushed “Cybersecurity Information Sharing Act” (CISA). It guarantees them all sorts of immunity from prosecution, and access to information collected by these agencies, in return for turning over private user data to the same criminally abusive espionage agencies.
For further details and arguments against the bill and its sponsors, see
http://cyberlaw.stanford.edu/files/blogs/technologists_info_sharing_bills_letter_w_exhibit.pdf?t=dXNlcmlkPTU0ODU2NTI0LGVtYWlsaWQ9OTk5Mg==
For the offer to betray customers, and their privacy and security, by the officers of a number of web/software-related corporations see
http://www.bsa.org/~/media/Files/Policy/data/09142015CongLeadershipDataAgendaLetter.pdf?t=dXNlcmlkPTU0ODU2NTI0LGVtYWlsaWQ9OTk5Mg==
The “US being a critical leader with a proud history of rule of law and individual rights” would be utterly hilarious if it were not so hypocritically frightening.
That these activities, combined with the initiation of the CIA/NSA’s “Stuxnet” and “Flame” attacks, and possible or actual blowback from these, see e.g.
http://allthingsd.com/20120704/born-on-the-4th-of-july-will-there-be-collateral-damage-in-cyberwar/
and similar acts of cyber warfare waged by the US agencies, as well as the wholesale turnover, by US-based telecoms, of staggering amounts of private customer data, will in any way “promote trust in the digital economy” as this letter suggests at its close, is utterly ludicrous.
No trust, CIA MKULTRA continues on every scale.
Bastards.
FBI STASI also.
elwood, you might not understand what was going on here, but Apple isn’t the person / company you want to “punish”.
Apple didn’t play any part in this and wasn’t distributing the tainted version of Xcode. The developers (Chinese mostly) using it downloaded it from a non-Apple site – to get around going directly through Apple.
The reason the CIA was trying to corrupt Apple’s Xcode surreptitiously (previously) is because Apple wasn’t rolling over and being a “partner” with govt agencies like Microsoft has done (whom you’ll find no documents talking about govt targeting their compiler, whose programs reside on 95% of the PC market, cause they’ve been a great “partner” to the NSA).
http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data
When Hacking Team (a morally corrupt company that sold PC / smartphone hacking tools to govt agencies and other bad actors throughout the world) was hacked and its email and software were released, it was found that Apple iPhones (iOS 7 & 8) required physical access to the phone to compromise it (which was not the case for Android, Windows Phone and Windows PCs). This isn’t to say iOS doesn’t have vulnerabilities, it does, but Apple does the best job of the main vendors to keep it locked down (and has a history of not being friendly with the U.S. government) – the fact that Android and Windows Phone’s security update process is broken for today’s security environment is another reason to avoid those platforms (except for Google Nexus phones) if security is a concern to the user (explained below, which is sad as I have a Windows Phone).
When Google or Microsoft makes a security update for their mobile OSes (this is different than updates for Microsoft Windows on PCs) they have to hand each update off to each cell phone vendor who, for the most part, doesn’t release it for their phones (cause hey, they want you to buy a new one & don’t want to spend the money on doing this), but the phone vendor must create that patch for each phone version separately and then hand that off to the cell network provider if the customer bought the phone from one (a lot here in the U.S.) to create a separate patch and release it for their version of the phone, which they rarely if ever do (because hey, they want to sell you a new one)…leading to a bunch of vulnerable smartphones that never get security updates. Apple gives security updates through its newest iOS versions for 5 years now (the iPhone 4s is supported in iOS 9) after you purchase a smartphone. Google Nexus phones (bought directly from Google and not a cell phone provider) also stay updated (not up to 5 years yet…just 3 years back to the Nexus 4) cause Google controls the updates and doesn’t hand them off to a cell network provider…
http://arstechnica.com/gadgets/2015/08/waiting-for-androids-inevitable-security-armageddon/
http://arstechnica.com/security/2015/09/attack-code-exploiting-androids-critical-stagefright-bugs-is-now-public/
Excellent comment. Perhaps a partial boycott slowing profits would cause these billion dollar companies to use their lobbyists to make the politicians they own clamp down on the NSA, CIA, FBI, etc in their rape of our private information.
Thank you for posting. Two weeks ago I deleted all my apps and began using the factory reset feature of my iPhone on a daily basis after noticing strange things that began happening after I installed the Facebook app. I am warning everyone I know about this.
Realizing that I am making myself vulnerable to heaps of abuse for being a dinosaur, might I suggest that others follow the practice I use, which is to not use smart phones? I’m happy to report that I am still using my 2G phone, obtained 20 years ago last month. Although the NSA is listening to my calls, they don’t have access to any personal data, and can only crudely track me.
All the information I consider critical (SSN, bank information, credit information, health information, and my creative work) is held exclusively on a computer that has no modem or network card. It also has added measures to suppress conducted or radiated emissions. I suggest others do likewise.