FAQ: Everything you need to know about the XcodeGhost App Store hack | Cult of Mac

FAQ: Everything you need to know about the XcodeGhost App Store hack


Pirate Flag
Steve Jobs' old mantra about "It's better to be a pirate than join the navy" probably wasn't on Apple's application form.
Photo: George Hodan/Public Domain Pictures

If you’re as confused as we were when we first heard about the major App Store hack over the weekend, we’re here to help.

Here’s a compilation of everything we know about the XcodeGhost story, and we’ll be updating it as more develops.

What is XcodeGhost?

The XcodeGhost hack represents the first widespread malware incident in the iOS ecosystem, and it uses Apple’s own architecture against it.

Xcode is Apple’s programming framework that developers use to create the apps you use and the games you play. And a modified version of this system is responsible for the issues we’ve been seeing today. XcodeGhost uses an older version of Xcode to introduce malicious functionality into apps without the developers even knowing it’s there. Any app made using the compromised version of Xcode is potentially compromised.

The bad Xcode … code got to developers via industry forums, Lookout reports. It was especially enticing to Chinese developers because they could download the Ghost version faster than the official one directly from Apple. They didn’t know it was modified, so when they used it to make their apps and submitted them to the App Store, the Ghost code stowed away inside of it.

What does XcodeGhost do?

XcodeGhost sits in the background of legitimate apps and mines them for data like an invisible person cheating on a test. Once the affected app launches, it starts picking. The stuff it looks for includes the name of the infected app, the app bundle identifier (a code specific to the developer and app set during submission), the device’s name and type, location and language info, network information, and the device’s “identifierForVendor” (a code that helps to connect apps from the same developer running on the same device).

Tabby Kitten
If you’d like a break from all of that tech-speak, here’s a kitten. And if you don’t need a break, here’s a kitten anyway.
Photo: Charles Rondeau/Public Domain Pictures

Once it has this information, Ghost sends it to an external server, security firm Palo Alto Networks says. As for what it does with this info? Palo Alto says that the malware has the ability to receive commands from the server which could result in forcing your iOS device to open web pages or create fake prompts to trick you into giving up your Apple ID and password. It could even possibly access data in your clipboard to steal passwords you have stored in a management app, Palo Alto says.

Which apps are affected?

Because of Ghost’s distribution through China-based developer forums, most of the infected apps are from that country. We’ve compiled a list of all of the known affected apps, so check there to see if you’re at risk.

What can you do?

You’re going to want to be proactive if you’re carrying one of these apps, so your first move is to delete any of them you currently have installed. You can also check out our guide of handy tips for more suggestions, like being sure you know where dialogue boxes are coming from and changing your Apple password just in case.

Skip initial Apple ID setup
Maybe you haven’t seen this in a while, but it could be time to revisit it.

Who did this?

We don’t know, but a post on code-sharing site GitHub by someone claiming to be XcodeGhost’s creator offers some possible answers. [Note: We’ve translated this text from Chinese using Google Translate and attempted to clean it up for clarity, so some translation errors may be present.]

First of all, I apologize for the confusion XcodeGhost has brought. XcodeGhost is from my own experiments, without any threatening behavior, as detailed in the source code.

The so-called XcodeGhost is actually hard to for unsuspecting iOS developers to find. A modified Xcode compiler configuration text file code can be loaded, so I wrote the code above to try and upload it to their network disk.

All data in the code actually acquires basic app information: application name, application version number, system version number, language, country name, developer, app installation time, device name, and device type. In addition, it does not gather any other data. I must confess that for selfish reasons, I used the advertising features in the code to promote these applications (you can confirm this in the source code). But in fact, from the beginning to the final shut down the server, I have not used the advertising function. And 10 days ago, I have taken the program off the server and removed all data, but that will not have any effect on anyone.

In order to put an end to the rumors, the so-called “XcodeGhost” was an ill-advised experiment, and it is now dead.

I wish to emphasize that XcodeGhost-infected apps will not affect any users and does not obtain private data, only a useless piece of code.

Again, I sincerely apologize and wish you a pleasant weekend.

XcodeGhost statement
Here’s the original text from the purported creator of XcodeGhost.
Photo: GitHub

Again, we don’t know that this statement is from the actual creator of the malware, but if it’s true, the hack shouldn’t affect any more apps going forward. We still advocate caution, however.

Does XcodeGhost affect apps in every App Store?

They're back, bigger and angrier than ever.
Those birds have one more reason to be angry. Not that they needed one.
Photo: Rovio Entertainment

The quick answer to this question is that it depends on the app. Isn’t that helpful?

For example, developer Rovio’s game Angry Birds 2 is listed among those affected, but the company claims that only certain versions have the vulnerability.

“Rovio can confirm that the Chinese build of Angry Birds 2, which was available only on the App Store in Mainland China, Taiwan, Hong Kong and Macau, was one of the iOS apps made vulnerable to the security issue,” Rovio said (via AppAdvice). “All other builds of Angry Birds 2 available in all other territories are completely safe and secure.”

So basically, if a developer outsourced the Chinese build of their app to a Chinese developer, then that particular version may have Ghost all up in it. And if the developer made all versions of their app with infected code they got from one of those forums, it will be in all versions. But if they got their Xcode directly from Apple, it’s safe.

We kind of have to go case-by-case on this, and it’s all pretty confusing. But just assume that if an app from the list above is on your device, it could be compromised.


Daily round-ups or a weekly refresher, straight from Cult of Mac to your inbox.

  • The Weekender

    The week's best Apple news, reviews and how-tos from Cult of Mac, every Saturday morning. Our readers say: "Thank you guys for always posting cool stuff" -- Vaughn Nevins. "Very informative" -- Kenly Xavier.