In September 2015, researchers discovered malware affecting official iOS applications in China. The malicious code, known as XcodeGhost (detected by Symantec as OSX.Codgost), was found in unofficial versions of Apple’s integrated development environment, Xcode. Developers of iOS applications that used these unofficial versions of Xcode unknowingly allowed malicious code to be inserted into their official iOS applications.
Figure 1. XcodeGhost command-and-control URL
This week, a new variant of XcodeGhost was discovered. The variant has been found in unofficial versions of Xcode 7, which allows developers to create applications for iOS 9, Apple’s latest version of iOS.
Due to the large file size of Xcode (over four gigabytes), some developers around the world have turned to unofficial downloads of Xcode hosted regionally for faster download speeds. While these may download faster, they are often unverified.
Unverified versions of Xcode, downloaded from unofficial sites, may contain malicious code, which can be inserted into any applications developed with these versions. Developers using these versions of the software may be putting their end users at risk without knowing it.
XcodeGhost should serve as a reminder to app developers to use official, verified versions of Xcode. Symantec recommends downloading Xcode only from official sources, such as Apple’s App Store or Apple’s Developer website. However, if developers do choose to download Xcode from an unofficial source, they should validate their copy of Xcode before developing applications with it.
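One way to perform the validation step recommended above, as an added example rather than code from the Symantec post: a POSIX shell script that asks Gatekeeper (spctl) to assess the Xcode bundle and treats it as trusted only when it is accepted and its source is the Mac App Store or Apple. The exact spctl output lines and the default bundle path are assumptions based on Apple's published guidance for checking Xcode.

```shell
#!/bin/sh
# Added example (not Symantec's code): validate an Xcode bundle with Gatekeeper.
# Assumes macOS with spctl(8) available; the default path is an assumption.

# Decide from spctl's textual output whether the bundle should be trusted.
# Assumed good output (per Apple's guidance for checking Xcode):
#   /Applications/Xcode.app: accepted
#   source=Mac App Store        (or: source=Apple, source=Apple System)
# Anything else (rejected, unsigned, or a non-Apple source) is refused.
xcode_assessment_ok() {
    out="$1"
    printf '%s\n' "$out" | grep -q ': accepted$' || return 1
    printf '%s\n' "$out" | grep -Eq '^source=(Mac App Store|Apple|Apple System)$' || return 1
    return 0
}

# Run the Gatekeeper assessment and feed its output to the check above.
# Returns 1 when spctl is missing (not macOS) or the bundle is not trusted.
validate_xcode() {
    path="${1:-/Applications/Xcode.app}"
    command -v spctl >/dev/null 2>&1 || { echo "spctl not available" >&2; return 1; }
    out=$(spctl --assess --verbose "$path" 2>&1)
    xcode_assessment_ok "$out"
}

# Usage (only meaningful on macOS):
#   validate_xcode /Applications/Xcode.app && echo "Xcode bundle is trusted"
```

Run it before building anything with a freshly downloaded copy of Xcode; a rejected or non-Apple source means the bundle should not be used.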
Figure 2. Official download for Xcode in Apple’s App Store
Symantec and Norton products detect this threat under the following detections: