
Detecting iPhone Malware

Is your company detecting iPhone malware that is brought into the internal network? At least 39 iPhone apps found on the Apple App Store were infected by XcodeGhost. These applications apparently made it past Apple's code review process and impacted hundreds of millions of iOS users!


Once code is compiled with the infected Xcode, the compromised toolchain adds its own CoreServices object file and injects extra code into the UIWindow and UIDevice classes. Almost every iOS app uses UIWindow. When an infected app runs, either in an iOS Simulator or on an iOS device, the malicious code collects system and app information. Stolen details include:

  • Current time
  • Current infected app’s name
  • The app’s bundle identifier
  • Current device’s name and type
  • Current system’s language and country
  • Current device’s UUID
  • Network type

Once XcodeGhost has encrypted the above information, it uploads it to a C2 server over HTTP. The following three C2 domain names have been involved:

  • http://init.crash-analytics[.]com
  • http://init.icloud-diagnostics[.]com
  • http://init.icloud-analysis[.]com

Some C2 servers were hosted by Amazon Web Services and have since been taken down.

The infected iOS apps include IMs, banking apps, mobile carrier apps, maps, stock trading apps, SNS apps, and games. The malicious code that XcodeGhost embeds in infected iOS apps can receive commands from the attacker through the C2 server to perform the following actions:

  • Prompt a fake alert dialog to phish user credentials;
  • Hijack opening specific URLs based on their scheme, which could allow for exploitation of vulnerabilities in the iOS system or other iOS apps;
  • Read and write data in the user’s clipboard, which could be used to read the user’s password if that password is copied from a password management tool.

According to one developer’s report (see references below), the XcodeGhost malware could be altered and used to launch phishing attacks in an attempt to prompt a dialog asking victims to input their iCloud passwords.

Plixer has updated the domain file which is downloaded by all FlowPro Defender installations.  If the domains listed above are requested, a message is sent to Scrutinizer for further processing and notification.  FlowPro Defender also monitors all DNS requests to and from all devices on the network and sends events for suspicious activities.  Contact the Plixer team to learn more.
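As an added illustration (not Plixer's code or FlowPro Defender's logic), here is a small Python detector that applies the same idea to DNS query logs: it normalises the defanged indicators listed above and flags any lookup of those hosts or their subdomains, while ignoring unrelated parent domains and malformed lines. The log line format is a constructed assumption.

```python
import re
from dataclasses import dataclass
from typing import List

# The three XcodeGhost C2 hosts named in the post, kept in defanged form.
XCODEGHOST_C2_DOMAINS = [
    "init.crash-analytics[.]com",
    "init.icloud-diagnostics[.]com",
    "init.icloud-analysis[.]com",
]

def refang(domain: str) -> str:
    """Turn a defanged indicator ('[.]') into a normalised hostname."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")

def is_c2_lookup(qname: str, c2_domains=XCODEGHOST_C2_DOMAINS) -> bool:
    """True if qname is one of the C2 hosts or a subdomain of one."""
    name = refang(qname)
    for c2 in (refang(d) for d in c2_domains):
        if name == c2 or name.endswith("." + c2):
            return True
    return False

@dataclass
class Alert:
    timestamp: str
    client: str
    qname: str

# Assumed (constructed) log format: "<ts> client <ip> query <qname> type <rrtype>"
_LOG_RE = re.compile(r"^(?P<ts>\S+) client (?P<client>[\d.]+) query (?P<qname>\S+) type (?P<type>\S+)$")

def scan_dns_log(lines) -> List[Alert]:
    """Return one Alert per log line whose query name matches a C2 indicator."""
    alerts = []
    for line in lines:
        m = _LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        if is_c2_lookup(m.group("qname")):
            alerts.append(Alert(m.group("ts"), m.group("client"), refang(m.group("qname"))))
    return alerts

# Constructed sample log: two C2 lookups, one benign, one unrelated parent domain, one junk line.
SAMPLE_LOG = [
    "2015-09-21T10:01:02Z client 10.0.5.23 query init.icloud-analysis.com. type A",
    "2015-09-21T10:01:03Z client 10.0.5.23 query www.apple.com type A",
    "2015-09-21T10:02:10Z client 10.0.7.8 query INIT.CRASH-ANALYTICS.COM type AAAA",
    "2015-09-21T10:02:11Z client 10.0.7.8 query crash-analytics.com type A",
    "garbage line",
]

if __name__ == "__main__":
    for a in scan_dns_log(SAMPLE_LOG):
        print(f"{a.timestamp} {a.client} -> {a.qname}")
```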

Sources: (1)(2)(3)