In September, some of the most popular Chinese-developed apps in the iStore were found to have malicious software embedded in them.
It turns out that Chinese developers were fooled into using compromised versions of Apple’s developer toolkit, Xcode. The affected apps can send data about the device, display fake alerts that phish for the user’s iCloud password, and read the device’s clipboard. XcodeGhost, as the malware is known, also contacts websites that can deliver further malware to the device.
Apple said it has removed the infected apps from the App Store and has contacted the China-based developers to make sure they are using genuine versions of Xcode. However, the cybersecurity firm FireEye says XcodeGhost is still active.
FireEye has detected a new version of XcodeGhost, which it calls XcodeGhost S. The updated malware supports Xcode 7 and iOS 9. It can also evade detection: XcodeGhost S masks its command-and-control server by assembling the server’s URL one character at a time, so the address never appears as a single string that a scanner could match.
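To show why per-character assembly defeats a plain indicator sweep, and how an analyst can still recover the hidden string, here is an added example that is not from the article or from FireEye. It scans a constructed Objective-C-style source fragment (the hostname `c2-example.invalid` is a placeholder, not a real XcodeGhost indicator) with two methods: a literal substring match, which misses the hostname, and a heuristic that joins runs of adjacent single-character string literals back into the value they build.

```python
import re
from typing import Dict, List

# Constructed fragment: the hostname is assembled one character at a time.
# The domain is a placeholder (.invalid TLD), not a real indicator.
OBFUSCATED_SAMPLE = '''
// constructed: C2 hostname built per character
NSArray *parts = @[@"c", @"2", @"-", @"e", @"x", @"a", @"m", @"p", @"l", @"e",
                   @".", @"i", @"n", @"v", @"a", @"l", @"i", @"d"];
NSString *host = [parts componentsJoinedByString:@""];
'''

# Constructed fragment with the same hostname written as one literal.
PLAIN_SAMPLE = '''
NSURL *u = [NSURL URLWithString:@"http://c2-example.invalid/ping"];
'''

# Constructed benign fragment: isolated one-character literals, no run.
BENIGN_SAMPLE = '''
if ([s isEqualToString:@"a"] || [s isEqualToString:@"b"]) { return YES; }
'''

# Placeholder indicator list; in practice this would hold vetted C2 hostnames.
INDICATORS = ["c2-example.invalid"]

# One single-character string literal: Objective-C @"x" or C "x".
_CHAR_LITERAL = re.compile(r'@?"([^"\\])"')


def naive_ioc_match(text: str, indicators: List[str]) -> List[str]:
    """Plain substring search, i.e. what a strings/grep sweep for known C2 hosts does."""
    return [ioc for ioc in indicators if ioc in text]


def recover_char_assembled_strings(text: str, min_run: int = 4) -> List[str]:
    """Find runs of at least min_run adjacent single-character literals separated
    only by whitespace, commas or '+', and join them into the string they assemble."""
    run = re.compile(r'(?:@?"[^"\\]"\s*[,+]?\s*){%d,}' % min_run)
    recovered = []
    for m in run.finditer(text):
        chars = _CHAR_LITERAL.findall(m.group(0))
        recovered.append("".join(chars))
    return recovered


def scan(text: str, indicators: List[str], min_run: int = 4) -> Dict[str, List[str]]:
    """Combine both methods so the analyst sees what each one catches."""
    recovered = recover_char_assembled_strings(text, min_run)
    return {
        "literal_hits": naive_ioc_match(text, indicators),
        "recovered_strings": recovered,
        "recovered_hits": [ioc for ioc in indicators
                           if any(ioc in s for s in recovered)],
    }


if __name__ == "__main__":
    for name, sample in [("obfuscated", OBFUSCATED_SAMPLE),
                         ("plain", PLAIN_SAMPLE),
                         ("benign", BENIGN_SAMPLE)]:
        print(name, scan(sample, INDICATORS))
```

The literal scan finds the hostname only in the plain fragment; the run heuristic reconstructs it from the obfuscated one and stays quiet on the benign fragment, because its one-character literals are not adjacent. A run threshold of four keeps ordinary single-character comparisons from triggering, while still catching any hostname long enough to be useful to an attacker.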
FireEye says XcodeGhost S has penetrated U.S. companies and remains an ongoing security threat. FireEye has logged 210 companies infected by XcodeGhost. The two countries generating the most XcodeGhost callback attempts to its command-and-control servers are Germany and the United States.
FireEye also revealed that while education is the most affected sector, XcodeGhost infections span a wide range of industries.