XcodeGhost evolves to cover new Xcode 7 and iOS 9 features

Nov 3, 2015 17:35 GMT

The XcodeGhost malware that infected iOS apps using a repackaged version of Xcode has now evolved to support Xcode 7 and iOS 9 and has also spread to infect users in more and more US organizations.

This discovery was made by FireEye researchers, who have dubbed the new version of the malware XcodeGhost S, in reference to Apple's most recent iPhone model, the 6s.

According to FireEye, this new version of XcodeGhost has been explicitly updated to cover the new features and functions added in iOS 9, and it also includes a new mechanism to help it avoid detection.

More specifically, XcodeGhost S was modified to work around the HTTPS requirement that became mandatory for apps in iOS 9 and that hampered XcodeGhost's communications with its C&C server.

The malware now relies on an exception to this rule, which Apple allows for special cases, so that XcodeGhost can bypass the mandatory HTTPS requirement when sending data to or receiving orders from its C&C server.

Additionally, to evade security tools that rely on static detection, XcodeGhost S now uses a novel technique to mask its C&C server. Instead of having the server's location hardcoded somewhere in its code, XcodeGhost S assembles the URL character by character at runtime.
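A defender reviewing a build can at least check whether an app relaxes the iOS 9 HTTPS requirement. The following script is an added example written for this article (it is not FireEye's or Apple's code); it assumes the exception described above is the App Transport Security configuration that Apple reads from the NSAppTransportSecurity dictionary in an app's Info.plist, which the article itself does not name, and the sample plists are constructed for the demo.

```python
"""Report App Transport Security (ATS) relaxations found in an iOS Info.plist."""
import plistlib


def ats_findings(info_plist: bytes) -> list[str]:
    """Return one finding per ATS relaxation; an empty list means ATS is fully enforced."""
    info = plistlib.loads(info_plist)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    # Global opt-out: every cleartext HTTP connection is permitted.
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("global: NSAllowsArbitraryLoads=true (all cleartext HTTP allowed)")
    # Per-domain exceptions: cleartext allowed only for the listed hosts.
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            scope = "and its subdomains" if rules.get("NSIncludesSubdomains") else "only"
            findings.append(f"domain {domain} ({scope}): insecure HTTP loads allowed")
    return findings


# Constructed sample plists (not taken from any real app).
CLEAN_PLIST = plistlib.dumps({"CFBundleIdentifier": "example.clean"})
ARBITRARY_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "example.arbitrary",
    "NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True},
})
DOMAIN_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "example.domain",
    "NSAppTransportSecurity": {
        "NSExceptionDomains": {
            "cdn.example.test": {
                "NSExceptionAllowsInsecureHTTPLoads": True,
                "NSIncludesSubdomains": True,
            }
        }
    },
})

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_PLIST), ("arbitrary", ARBITRARY_PLIST), ("domain", DOMAIN_PLIST)]:
        print(name, ats_findings(blob) or ["no ATS relaxations"])
```

In practice, run `ats_findings` over the `Info.plist` extracted from each IPA in your fleet; an unexpected exception, especially a global one, is worth a closer look at what the app actually talks to.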

One app infected with XcodeGhost S already taken down from the App Store

According to FireEye, at least one new app infected with XcodeGhost S was detected on the App Store, and the company cooperated with Apple to have it taken down. The app is named "自由邦" and is a shopping app aimed at US and Chinese users.

Besides the new variant, FireEye has also noticed older versions of XcodeGhost making their way into US enterprises.

Most infected organizations are in the educational, high-tech, manufacturing, telecom, e-commerce, retail, and financial sectors.

"Although most vendors have already updated their apps on [the] App Store, this [...] indicates many users are actively using older, infected versions of various apps in the field," the FireEye team concludes.

[Image: Top industries affected by XcodeGhost]