The mode of attack that led to the first sustained breach of the App Store is worrisome for enterprise users
Even as businesses are warming up to the idea of enterprise app stores and Apple iOS is considered one of the safest systems from a security standpoint, an attack on Apple's App Store now raises serious questions about the vulnerability of the system.
This is the first sustained security breach of the App Store. Apple said it has already removed the malware-affected apps from the App Store. Apple acknowledged the breach after cybersecurity firms like Palo Alto Networks gave details of how the malicious program, dubbed XcodeGhost, managed to infect apps such as the Chinese messaging app WeChat, the business card scanner app CamCard, and the Chinese Uber rival DiDi Chuxing.
In a new style of attack, the hackers convinced some genuine app developers to use a counterfeit version of Xcode, Apple's toolset for building apps on iOS and OS X. The malicious code spread through these counterfeit Xcode installers.
Cybersecurity research firm Palo Alto Networks, in a post on its website, decoded the modus operandi of the attack and how the malware managed to spread. It said XcodeGhost is the first compiler malware on OS X.
“Its malicious code is located in a Mach-O object file that was repackaged into some versions of Xcode installers. These malicious installers were then uploaded to Baidu’s cloud file sharing service for use by Chinese iOS/OS X developers,” the cyber security firm explained.
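Because the compromise began with a repackaged Xcode installer rather than with the apps themselves, the check a build-machine owner wants is whether the installed Xcode still carries Apple's own signature. The script below is an added example (not from the article or from Palo Alto Networks): it wraps macOS's `spctl --assessment` and accepts the bundle only when the verdict is "accepted" and the source is Apple or the Mac App Store, so a re-signed or unsigned copy is rejected. It assumes the default install path `/Applications/Xcode.app` and the one-line verdict format that `spctl --assessment --verbose` prints; the sample verdict strings used to exercise the parser are constructed.

```shell
#!/bin/sh
# Added example, not the article's or Palo Alto Networks' code.
# Assumption: Xcode lives at the default path unless XCODE_PATH is set.
XCODE_PATH="${XCODE_PATH:-/Applications/Xcode.app}"

# Decide from one line of `spctl --assessment --verbose` output whether the
# bundle should be trusted. "accepted" alone is not enough: a counterfeit
# copy re-signed with a third-party certificate is also "accepted", so the
# source must be Apple itself ("Apple", "Apple System") or the Mac App Store.
# Returns 0 for trusted, 1 for anything else (rejected, other source, garbage).
assess_line() {
    line="$1"
    case "$line" in
        *": accepted source=Mac App Store"*) return 0 ;;
        *": accepted source=Apple"*)         return 0 ;;
        *)                                   return 1 ;;
    esac
}

# Run the assessment against the real install (macOS only; spctl is an
# Apple tool) and report the verdict. Returns 0 only for a trusted Xcode.
verify_xcode() {
    out=$(spctl --assessment --verbose "$XCODE_PATH" 2>&1) || {
        printf 'REJECT: %s\n' "$out"
        return 1
    }
    if assess_line "$out"; then
        printf 'OK: %s\n' "$out"
        return 0
    fi
    printf 'REJECT: %s\n' "$out"
    return 1
}

# Only attempt the live check where spctl exists; elsewhere the parser above
# can still be exercised with constructed verdict lines.
if [ "$(uname)" = "Darwin" ]; then
    verify_xcode
fi
```

Running this on each developer machine or CI build host before a build, and failing the build on `REJECT`, turns the article's concern into a concrete gate: an app compiled by an Xcode that fails this check should not be signed for enterprise distribution, where no App Store review would catch it later.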
While no major data theft seems to have occurred, there are reasons to worry, especially for enterprise users.
Here is why.
The malware targets the compilers used to create legitimate apps. Palo Alto Networks said this technique could also be adopted to attack enterprise iOS apps or OS X apps in much more dangerous ways.
While clarifying that XcodeGhost's behaviours are not especially more severe or harmful than those of other known compiler malware, the cyber security firm raised some genuine concerns, especially relevant for enterprise users.
For example, malware in an app submitted to Apple's consumer App Store could be detected by Apple's strict code review. But enterprise apps designed for internal, closed-system use do not go through that review process, so any enterprise app infected through the compiler or code tools could spread the malware inside the enterprise's systems. Palo Alto Networks said OS X apps can also be infected, and many OS X apps are distributed directly over the Internet rather than through the App Store.