Monday, 28 September 2015

Apple's App Store infected with XcodeGhost malware in China

Apple has said it is taking steps to remove malicious code
added to a number of apps commonly used on iPhones and
iPads in China.
It is thought to be the first large-scale attack on Apple's
App Store.
The hackers created a counterfeit version of Apple's
software for building iOS apps, which they persuaded
developers to download.
Apps compiled using the tool allow the attackers to steal
data about users and send it to servers they control.
Cybersecurity firm Palo Alto Networks - which has analysed
the malware dubbed XcodeGhost - said the perpetrators
would also be able to send fake alerts to infected devices to
trick their owners into revealing information.
It added they could also read and alter information in
compromised devices' clipboards, which would potentially
allow them to see logins copied to and from password
management tools.
Infected applications include Tencent's hugely popular
WeChat app, NetEase's music downloading app and Didi
Kuaidi's Uber-like car hailing app.
Some of the affected apps - including the business card
scanner CamCard - are also available outside China.
"We've removed the apps from the App Store that we know
have been created with this counterfeit software," said
Apple spokeswoman Christine Monaghan.
"We are working with the developers to make sure they're
using the proper version of Xcode to rebuild their apps,"
she added.
On its official WeChat blog, Tencent said the security issue
affected an older version of its app - WeChat 6.2.5 - and
that newer versions were not affected.
It added that an initial investigation showed that no data
theft or leakage of user information had occurred.
Analysis: Dave Lee, North America technology reporter
In Apple's walled garden App Store, this sort of thing
shouldn't happen.
The company goes to great lengths, and great expense, to
sift through each and every submission to the store. Staff
check for quality, usability and, above all else, security.
The Apple App Store is generally considered a safe haven
as the barrier to entry is high - there's only been a
handful of instances of malware found on iOS apps,
compared to Google's Play store which for a while was
regarded as something of a "Wild West" for apps (until
they introduced their own malware-scanning system too).
It makes this attack all the more surprising, as it looks like
two groups of supposedly informed people have been caught
out.
Firstly developers, who security researchers say were duped
into using counterfeit software to build their apps, creating
the right conditions for the malware to be applied.
And secondly, Apple's quality testers, who generally do a
very good job in keeping out nasties, but in this case
couldn't detect the threat.

Developers targeted
The malware was initially flagged by researchers at the
Chinese e-commerce firm Alibaba.
It discovered that the hackers had uploaded several
altered versions of Xcode - a tool used to build iOS apps -
to a Chinese cloud storage service.
Then, about six months ago, the attackers posted links to
the software on several forums commonly visited by Chinese
developers.
"In China - and in other places around the world -
sometimes network speeds are very slow when downloading
large files from Apple's servers," explained Palo Alto
Networks in a follow-up blog.
"As the standard Xcode installer is nearly three gigabytes,
some Chinese developers choose to download the package
from other sources."
It added that potentially hundreds of millions of users
might have been affected.
Apple does have a security tool - called Gatekeeper - that
is designed to alert users to unauthorised Mac programs
and stop them from being run. However, it appears the
developers must have disabled the facility, allowing them to
create iOS apps with XcodeGhost.

Sense of security
Despite the many news headlines about the breach, one
expert said he did not forecast a major impact on the sale
of Apple products.
"It is definitely embarrassing for Apple but the reality is
that malware is a persistent problem since the days of PCs
and the problem will multiply as the number of mobile
devices explodes from 1.4 billion units in 2015 to 1.8 billion
in 2020," Wee Teck Loo, head of consumer electronics at
market research firm Euromonitor International, told the
BBC.
In fact, consumers are less cautious on mobile devices than
on PCs, he added.
"In emerging markets like China or Vietnam, mobile devices
are their first connected product and security is taken for
granted," he said.
"Consumers in emerging markets are also less protective of
privacy and security issues."
Earlier this month, login names and passwords for more
than 225,000 Apple accounts were stolen by cyber-thieves in
China.
The theft was uncovered by security firm Palo Alto Networks while
investigating suspicious activity on many Apple devices. It
found a malicious software family that targets jailbroken
iPhones.
The majority of people affected were in China.
