
XcodeGhost Malware and protecting your iOS devices

October 01, 2015

A new form of malware called XcodeGhost that impacts Apple iOS and OS X Apps was announced last week by the Unit 42 team at Palo Alto Networks. 

Xcode is Apple's suite of software development tools for building iOS and OS X software. It was determined that the XcodeGhost malware was injected into Xcode and, knowingly or unknowingly, embedded in some legitimate apps by developers who apparently downloaded Xcode from locations other than Apple. Subsequently, these apps were posted to the App Store, bypassed Apple’s code review, and were downloaded by innocent users. Although most of these apps were posted to the China App Store, some were found in other countries including the U.S.

The malware was disclosed by Chinese iOS developers and analyzed by Alibaba researchers. Unit 42 further analyzed XcodeGhost and determined that it can harvest data from an iOS device and upload that data to remote command and control (CnC) sites. In fact, Unit 42 found some download sites hosting Xcode downloads from as long as six months ago, so the length of time that this has been in the wild is still unknown. Apple confirmed it took down the infected apps.

How to protect enterprise data
As more details become available about XcodeGhost in the coming days and weeks, there are a number of detections and countermeasures that enterprises can use to protect their iOS devices and company networks using MobileIron's platform.

Here’s a quick checklist:

  • Review the list of known infected apps through the crowdsourced information here and check your MobileIron App inventory. Manually blacklisting all of these apps in MobileIron could be cumbersome, so review the rest of this checklist for alternative actions.
  • If applicable, use your App Reputation or mobile threat prevention (MTP) solution to perform a quick inventory of risky or malicious apps from the MobileIron console. Enterprises should strongly consider quarantining these devices using a MobileIron security policy. If you don’t use one of these App Reputation or MTP products today, check out the MobileIron Marketplace.
  • If you have in-house developed apps, upload, test, and vet out each app using one of the App Reputation or MTP products that allow you to upload your apps and review the results to identify anything nefarious. This is a standard app development best practice, so if you don’t do this today, consider adding it to your standard review process before distributing apps or updates to users.
  • Review the SANS blog that outlines some network analysis that you can perform including:
    1) Check your firewall and proxy logs for HTTP traffic to http://init.icloud-analysis.com
    2) Review their list of IP addresses in your firewall and proxy logs
  • In addition, you can take the SANS information and:
    1) Correlate the source IP addresses to your iOS device(s): the MAC address behind each source IP (from your DHCP or ARP records) can be matched to the MAC address listed in the MobileIron console to identify the offending device
    2) Quarantine any infected iOS devices using MobileIron’s security policy. Remember that this quarantine can automatically perform a selective or full wipe, as well as use your Sentry mobile gateway to block the offending device
    3) Change passwords for services accessed by the device
    4) Educate users. Publish a blog, web page, or email to raise awareness, and offer to identify nefarious behaviors or apps on their device.
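The proxy-log check and the source-IP-to-device correlation described above, as an added example that is not part of the original post and not MobileIron's own tooling. The log format, IP/MAC tables and device names are constructed; the only real indicator is the CnC hostname named above, and the IP set is a placeholder to be filled from the SANS list, which this page does not reproduce.

```python
import re

# Indicators: the CnC hostname is the one named in the SANS guidance above; the IP set is a
# PLACEHOLDER to be populated from the SANS IP list, which is not reproduced on this page.
CNC_HOSTS = {"init.icloud-analysis.com"}
CNC_IPS = set()

# Constructed proxy log lines in a squid-like "<client ip> <method> <url> <status>" shape.
SAMPLE_PROXY_LOG = """\
10.20.30.41 GET http://init.icloud-analysis.com/ 200
10.20.30.42 GET http://www.example.com/index.html 200
10.20.30.43 POST http://init.icloud-analysis.com/upload 200
10.20.30.41 GET http://cdn.example.net/asset.js 304
"""
# Constructed DHCP/ARP snapshot (client IP -> MAC) and a constructed stand-in for the
# device inventory exported from the MobileIron console (MAC -> device/owner).
SAMPLE_IP_TO_MAC = {"10.20.30.41": "AA:BB:CC:00:11:22",
                    "10.20.30.42": "AA:BB:CC:00:33:44",
                    "10.20.30.43": "AA:BB:CC:00:55:66"}
SAMPLE_MAC_TO_DEVICE = {"AA:BB:CC:00:11:22": "iPhone (alice)",
                        "AA:BB:CC:00:33:44": "iPad (bob)",
                        "AA:BB:CC:00:55:66": "iPhone (carol)"}

LOG_RE = re.compile(r"^(?P<src>\S+)\s+\S+\s+(?P<url>\S+)\s+\d+$")
HOST_RE = re.compile(r"^[a-z]+://(?P<host>[^/:?#]+)", re.IGNORECASE)

def is_cnc_request(url):
    """True if the URL's host is a known XcodeGhost CnC indicator (hostname or IP)."""
    m = HOST_RE.match(url)
    if not m:
        return False
    host = m.group("host").lower().rstrip(".")
    return host in CNC_HOSTS or host in CNC_IPS

def find_cnc_sources(log_text):
    """Distinct client IPs that contacted a CnC indicator, in first-seen order."""
    seen = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and is_cnc_request(m.group("url")) and m.group("src") not in seen:
            seen.append(m.group("src"))
    return seen

def correlate_devices(sources, ip_to_mac, mac_to_device):
    """Map each flagged client IP to (ip, mac, device) via the DHCP table and MDM inventory."""
    return [(ip, ip_to_mac.get(ip, "unknown-mac"),
             mac_to_device.get(ip_to_mac.get(ip), "unmanaged/unknown device"))
            for ip in sources]

if __name__ == "__main__":
    for row in correlate_devices(find_cnc_sources(SAMPLE_PROXY_LOG),
                                 SAMPLE_IP_TO_MAC, SAMPLE_MAC_TO_DEVICE):
        print("quarantine candidate: ip=%s mac=%s device=%s" % row)
```

Devices that come back as "unmanaged/unknown device" are the ones worth chasing first, since they cannot be quarantined through the MobileIron policy described above.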

We anticipate there will be further updates related to this malware. In the meantime, use your MobileIron console as the central hub for the identification and containment as outlined above. If you don’t use an App Reputation or MTP solution today, now may be the time to consider acquiring one. Many of these products are integrated into MobileIron and leverage their detection methods combined with MobileIron’s mobile quarantine capabilities. 

Michael T. Raggo
