FAQ: How Users and IT Administrators Can Detect and Dump Malware-Ridden iOS Apps (Updated)



Update (9/23/2015): The scope of the XCodeGhost infection is far larger than was initially thought. According to security firm FireEye labs, the total number of infected apps has risen to over four thousand.

The iOS App Store this week suffered its first major attack – and the first one to affect non-jailbroken devices. Hackers distributed an infected version of Apple’s Xcode development tool, allowing them to sneak malware past the iOS App Store’s approval process. The security threat, known as XcodeGhost, is suspected to have compromised hundreds of legitimate apps and could potentially impact hundreds of millions of users.

Security firm Palo Alto Networks, which first uncovered the attack, has published a list of apps currently known to be infected – though there are likely more that have yet to be uncovered. The list includes a number of popular consumer applications, including WeChat.

In response, we created an easy-to-understand how-to guide for users and IT managers on what they can do to protect themselves against this threat.

For End Users

How Can I Tell If I’m Infected?

As of late Monday September 21st, no solutions have emerged letting users automatically scan their iPhones or iPads for the XcodeGhost malware, according to Scott Ashdown, BlackBerry Director of Product Management. “For the time being, however, the best you can do is check your application logs.”

In particular, check the servers that your apps are communicating with. These are suspect IP addresses identified by the security researchers at The SANS Institute:

Date IP AS
2015-07-17 AMAZON-AES – Amazon.com, Inc.,US
2015-05-14 AMAZON-AES – Amazon.com, Inc.,US
2015-05-13 AMAZON-AES – Amazon.com, Inc.,US
2015-04-29 AMAZON-02 – Amazon.com, Inc.,US
2015-04-15 AS-26496-GO-DADDY-COM-LLC – GoDaddy.com, LLC,US


Also check your HTTP logs for traffic to http://init.icloud-analysis.com, another possible indicator that your apps are infected. There are a number of free tools that allow you to do so. You can also check Palo Alto’s list of infected apps, which is constantly being updated.

What Do I Do If One Of My Apps Is Compromised?

Your first step is to delete any infected applications immediately. Second, change your device passwords, particularly your iCloud password, and others used directly with the app. After that, get in touch with your IT administrator to let them know what’s happened. They can run an additional check on traffic logs to ensure your device is completely clean – and to detect whether there are any other compromised users on the network. Also, wait until the developers have uploaded clean versions of their apps to the App Store before downloading them again.

How Can I Protect Myself In The Future?

Aside from always keeping your applications up to date and installing security software to your device, BlackBerry Director of Mobile Security Alex Manea suggests fine-tuning application permissions, and paying close attention to how much freedom you’re allowing each of your installed apps.

“When installing an app, pay attention to the permissions it asks for, and see if they make sense. Does your turn-by-turn navigation app need access to GPS? Of course it does. But why would a poker app be asking for it?” explains Manea. “Some platforms, such as BlackBerry 10, also let you disable individual permissions and still run your apps.”

For IT Administrators

What Does The Malware Do, Exactly?

Update (9/23/2015): Upon further study of XCodeGhost, security firm Appthority has determined that it is capable of the following:

  1. Sending requests to a C&C server, with a number of device identifiers (similar to traditional tracking frameworks).
  2. Receive a response from the server, which can contain the following commands:
    • Show an AppStore item within the app by using a SKStoreProductViewControllerDelegate
    • Show a UIAlertView and show the AppStore view depending on which button was tapped
    • Open a URL
    • Sleep for a certain amount of time

According to Palo Alto Networks, which first uncovered the attack, XcodeGhost works by inserting malicious code into approved applications on the App Store. Infected apps function normally, save for one small detail: they begin to collect information on the devices, reporting it to a central command-and-control server. The attack, warns the firm, could be adopted to attack enterprise applications in “more dangerous ways.”

What Should I Do To Detect And Root Out An Infection?

Follow the advice in this SANS Institute blog post, and monitor your apps for any suspicious traffic. In particular, keep an eye out for connections to http://init.icloud-analysis.com, or to any of the IP addresses listed below.

Date IP AS DShield Score (Target/Count)
2015-07-17 AMAZON-AES – Amazon.com, Inc.,US 0/0
2015-05-14 AMAZON-AES – Amazon.com, Inc.,US 0/0
2015-05-13 AMAZON-AES – Amazon.com, Inc.,US 0/0
2015-04-29 AMAZON-02 – Amazon.com, Inc.,US 0/0
2015-04-15 AS-26496-GO-DADDY-COM-LLC – GoDaddy.com, LLC,US 0/0

Should you detect any suspicious traffic, contact the compromised user and remove their device from your network until it can be cleaned of malware. In addition, if your organization employs any internal iOS developers, it would be best to touch base with them and ensure none of them inadvertently wound up with the compromised Xcode package.

How Can I Keep My Organization Safe In The Future?

“The best way for admins to protect against malware is through effective separation of work and personal data,” explains Manea. “By using secure containers on a secure platform, you can ensure that apps downloaded by the user have no access to enterprise apps or data.”

BES12 with Secure Work Space provides the perfect means to accomplish this.

BE12 provides administrators with single-screen management of their entire mobile infrastructure, including applications, devices, and users. It seamlessly manages multiple device types, including iOS, Android, BlackBerry and Windows Phone, and offers support for multiple deployment models, allowing unprecedented flexibility in mobile usage. Finally, it’s backed by end-to-end security provided through BlackBerry’s renowned network.

Secure Work Space, meanwhile, offers enterprise-grade containerization with a consumer-level user experience. Usable on both Android and iOS, it features a full suite of integrated productivity tools and applications, transparent certificate-based authentication, and the ability to quickly lock down compromised devices to prevent them from infecting the network.

About Nicholas C. Greene

Nicholas C. Greene is a technology writer based in Calgary, Canada. An English graduate of the University of Calgary, he's written for publications and organizations such as VPN Haus, Streetwise, Northcutt, and The Coolist.

Join the conversation

Show comments Hide comments
+ -
blog comments powered by Disqus