iOS – impact and removal of XcodeGhost

ios, malware, security, xcode

Unfortunately, I installed some of the apps mentioned on this list, and confirmed that the versions I have are still compromised by XcodeGhost: http://researchcenter.paloaltonetworks.com/2015/09/malware-xcodeghost-infects-39-ios-apps-including-wechat-affecting-hundreds-of-millions-of-users/

Of course, I have immediately removed them. But what I am concerned about is whether they have managed to hide the virus anywhere else in the system? The article doesn't explicitly address this, but did the virus manage to break out of iOS sandboxing?
Also, relatedly, does anyone know if the infected apps collected anything else besides what was already reported by Palo Alto Networks, e.g. texts, contact info, etc.?

Current time
Current infected app’s name
The app’s bundle identifier
Current device’s name and type
Current system’s language and country
Current device’s UUID
Network type

It's already been reported here that the malware phishes for iCloud passwords: http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/

Best Answer

Since you aren't asking about OSX (that should be a separate question), I'll focus on the iOS ramifications. The apps created by the malicious Xcode installer can be cleaned up by deleting the apps.

The iOS sandbox wasn't compromised; it's just that the app review team didn't notice the bad behavior of the app.

What you did by running an "infected iOS app" was let the villains know your device UDID and probably the IP address your device had when it ran the app and self-reported.

There's no reporting to say that the iOS sandbox was compromised, so no emails, no texts, no passwords were compromised.

Apple has released confirmation that the code could not compromise iCloud and didn't leak anything except for the most general "an anonymous phone ran this app" ping, which would need lots of corroborating information to be a risk to anyone unless there were many extenuating circumstances.

How does this affect me? How do I know if my device has been compromised?

We have no information to suggest that the malware has been used to do anything malicious or that this exploit would have delivered any personally identifiable information had it been used.

We’re not aware of personally identifiable customer data being impacted and the code also did not have the ability to request customer credentials to gain iCloud and other service passwords.

As soon as we recognized these apps were using potentially malicious code we took them down. Developers are quickly updating their apps for users.

Malicious code could only have been able to deliver some general information such as the apps and general system information.

See https://archive.is/PWqMV (Archived copy of dead link https://www.apple.com/cn/xcodeghost/#english) for the full statement from Apple that includes a list of the affected apps.

(Well, a list of 25 of > 4000 affected apps, and the obviously false statement, given that the link is now dead, "We will update this page with more information as it becomes available.")