Malware-Infected iPhone Apps: What You Need to Know

News broke late yesterday (Sept. 20) that Apple had instituted an emergency cleanup of its App Store after learning that many apps may have been corrupted to harvest users' personal data.  But don't panic! Here's what you need to know.

What's going on with iPhone apps?

An unknown number of iOS apps, mostly written by Chinese developers, were pulled from the Apple App Store yesterday (Sept. 20) over suspicions their security might have been compromised.

Yikes! Does that mean there were malware or viruses in the App Store?

Sort of. These apps were not created to be malicious, but they are far from secure. They could send personal details about an iPhone or iPad user, such as browsing history or passwords, to a remote server controlled by parties unknown. They could also be used to create fake login alerts to force the user to re-enter his or her Apple account password, or download data from malicious Web addresses.

Does that mean hackers have taken over the App Store?

No. The attack happened much further upstream in the app-development process.

What do I need to do to protect my iDevice from this threat?

Make sure you download apps only from the Apple App Store, and not from any third-party repositories. Set up two-factor authentication for your Apple and iCloud accounts; that way, anyone trying to log in from an unfamiliar device will need a code texted by Apple to your phone. And don't jailbreak your iPhone -- that's a really bad idea.

Which apps were affected?

We don't have a complete list, but there's a partial list containing dozens of apps here.

Did the Chinese app developers create these corrupted apps deliberately?

It doesn't look that way.  The developers were probably as much in the dark as anyone else.

Why did Apple let the corrupted apps into the App Store?

They apps looked fine to Apple's vetting team. Apple approved the apps and gave them Apple's own digital certificate of approval, which meant they could be installed on any iPhone, iPad or iPod Touch.

Does this affect the security of my iPhone?

Yes, although you're at less risk if you don't use any apps created in China. Most of the potentially malicious apps were created in China, but among them is WeChat, which has an estimated 500 million users worldwide.

So what exactly happened?

In March, someone fiddled with Apple's free software development kit (SDK), XCode, and put a corrupted version of Xcode's installer on a Web server operated by Chinese Web giant Baidu. Then the word spread that the corrupted Xcode installer was faster to download than the official installer housed on Apple's own servers. Because the Xcode installer can take a long time to download (it's nearly 3GB in size), a lot of Chinese developers downloaded the corrupted version.

How would a corrupted SDK affect apps made with it?

A corrupted SDK essentially poisons the well. Any app created with it could contain hidden code that undermines the security of the app.

When did this come to light?

According to Santa Clara, California-based Palo Alto Networks, Chinese iOS developers last week noticed that apps using the corrupted version of XCode were sending data to a mysterious Web address. On Thursday (Sept. 17), Palo Alto Networks put up a blog posting detailing its own investigation into the corrupted SDK, which Chinese researchers had already dubbed "XCodeGhost."

Is the corrupted version of Xcode still available?

Baidu has removed it from its servers. But there are doubtless many copies floating around the Chinese part of the Internet.

Who would deliberately poison Xcode?

Criminals or spies. Criminals could use the corrupted apps to harvest personal information from Apple users, including Apple account usernames and passwords, which they could then use to buy free stuff. Spies would use that same information for intelligence purposes.

Could spies be behind it?

Yes. In March 2015, the online magazine The Intercept posted very interesting documents provided by NSA/CIA turncoat Edward Snowden. The documents indicated that Sandia National Labs, a U.S. government research lab run by defense contractor Lockheed Martin, had been working on an Xcode compromise that would have produced results very similar to what Palo Alto Networks saw.

How similar?

At a CIA-sponsored computer-espionage conference in 2012, Sandia presented a talk entitled "Strawhorse: Attacking the MacOS and iOS Software Development Kit."

The synopsis of the presentation said that the "whacked" version of Xcode could "create a remote backdoor" in "MacOS" (sic) applications, "embed the developer's private key in all iOS applications" [i.e., a backdoor] and "force all iOS applications to send embedded data to a listening post."  The synopsis also said Sandia had found a way to install keylogging software in OS X.

Was that Strawhorse program successful?

We don't know.

So the U.S. government is behind this?

Not necessarily. The earliest uploads of XCodeGhost to Baidu's servers were in March, just a few days after The Intercept published its story about Strawhorse March 10. Someone could have read the story and stolen the idea.

Why didn't anyone check back in March to see if any apps were compromised after The Intercept published its story?

Many developers probably did. But it looks like some Chinese ones didn't.

What happens next?

All developers of iOS and OS X software will be checking their code to make sure that it doesn't contain elements introduced by corrupted versions of Xcode. Apple will likely look at the software uploaded to the OS X App Store, since XCodeGhost could have affected that too.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.