Plague Control Mac OS

The iOS app store has traditionally been viewed as a safe source of apps, thanks to Apple’s policing of its walled garden. However, that is no longer completely the case, thanks to the discovery of multiple legitimate apps in the iOS app store that contained malicious code, which was dubbed XcodeGhost.

So, how did XcodeGhost happen? Xcode (Apple’s toolkit for developing on their various platforms) has been a challenge for Chinese developers to download from official sources because of its size (multiple gigabytes) and the slow connection speed to Apple’s servers. (For Chinese users, access to sites within China is much faster than sites outside the country.) As a result, many Chinese iOS app developers did not download Xcode from official sources. Instead, they resorted to downloading copies that were hosted on local file-sharing sites and posted in various online forums:

Figure 1. Forum post advertising Xcode copies


Unfortunately, these copies replaced the original CoreService development framework with a new one that contained malicious code. As a result, every app built with these tools contained the malicious code. The screenshots below show how a malicious URL was added into the code, which would be accessed by the apps created with the malicious tools. The first screenshot is from a modified version of Xcode 6.2; the other is from a modified version of 6.4. The modified version of 6.4 attempts to hide the malicious URL in order to confuse researchers and security software. (The latest version offered for download by Apple is Xcode 7, with a beta for 7.1 available as well.)

Figure 2. Modified version of Xcode 6.2

Figure 3. Modified version of Xcode 6.4
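The substitution described above is only visible if the toolchain is compared against a known-good copy. The following script is an added example, not code from the original post or from Trend Micro: it records a SHA-256 manifest of a toolchain directory once (from a verified download) and on later runs reports any added, removed or modified file, then asks Gatekeeper via spctl whether the Xcode bundle still carries a valid signature. The directory layout and file names used in comments and the test are illustrative, not the real Xcode layout or the actual XcodeGhost artifacts.

```python
"""Baseline-and-diff integrity check for a local Xcode install (added example).

Usage:  python xcode_check.py /Applications/Xcode.app            > baseline.json
        python xcode_check.py baseline.json /Applications/Xcode.app
"""
import hashlib
import os
import subprocess


def build_manifest(root):
    """Map every file under root (as a path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Files added, removed or modified in current relative to baseline.
    A swapped framework binary shows up under 'modified'; a new one under 'added'."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def gatekeeper_assessment(app_path="/Applications/Xcode.app"):
    """On macOS, ask Gatekeeper whether the bundle passes its signature assessment.
    Returns True if spctl accepts it, False if it rejects it, None if spctl is absent."""
    try:
        result = subprocess.run(["spctl", "--assess", "--verbose", app_path],
                                capture_output=True, text=True, check=False)
    except FileNotFoundError:  # not on macOS; nothing to assess
        return None
    return result.returncode == 0


if __name__ == "__main__":
    import json
    import sys
    baseline = json.load(open(sys.argv[1])) if len(sys.argv) > 2 else None
    current = build_manifest(sys.argv[-1])
    if baseline is None:
        print(json.dumps(current, indent=1))  # first run: emit the baseline to keep
    else:
        print(json.dumps(diff_manifest(baseline, current), indent=1))
    print("Gatekeeper accepts bundle:", gatekeeper_assessment(sys.argv[-1]), file=sys.stderr)
```

Any entry under "modified" or "added" inside a framework directory deserves a look before the next build ships.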

Infected Apps

Here are some of the apps which include the XcodeGhost code. However, due to the widespread use of these copies of Xcode downloaded from other sources, other apps may be affected as well. Do take note that the apps in bold text can still be found in the app store.

Bundle ID | Version | App Label
com.51zhangdan.cardbox | 5.0.1 | 51卡保险箱
com.cloud1911.mslict | 1.0.44 | LifeSmart
cn.com.10jqka.StocksOpenClass | 3.10.01 | 炒股公开课
com.xiaojukeji.didi | 3.9.7 | 嘀嘀打车
com.xiaojukeji.didi | 4.0.0 | 滴滴出行
com.xiaojukeji.dididache | 2.9.3 | 滴滴司机
com.dayup11.LaiDianGuiShuDiFree | 3.6.5 | 电话归属地助手
sniper.ChildSong | 1.6 | 儿歌动画大全
com.rovio.scn.baba | 2.1.1 | 愤怒的小鸟2
com.appjourney.fuqi | 2.0.1 | 夫妻床头话
com.autonavi.amap | 7.3.8 | 高德地图
com.stockradar.radar | 15.6 | 股票雷达
cn.com.10jqka.TheStockMarketHotSpots | 2.40.01 | 股市热点
com.jianshu.Hugo | 2.9.1 | Hugo
com.wdj.eyepetizer | 1.8.0 | Eyepetizer
com.iflytek.recinbox | 1.0.1083 | 录音宝
com.maramara.app | 1.1.0 | 马拉马拉
com.intsig.camcard.lite | 6.5.1 | CamCard
com.octInn.br | 6.6.0 | BirthdayReminder
com.chinaunicom.mobilebusiness | 3.2 | 手机营业厅
cn.12306.rails12306 | 2.1 | 铁路12306
cn.com.10jqka.IHexin | 9.53.01 | 同花顺
cn.com.10jqka.IphoneIJiJin | 4.20.01 | 同花顺爱基金
cn.com.gypsii.GyPSii.ITC | 7.7.2 | 图钉
com.netease.videoHD | 10019 | 网易公开课
com.netease.cloudmusic | 2.8.3 | 网易云音乐
com.tencent.xin | 6.2.5 | 微信
com.tencent.mt2 | 1.10.5 | 我叫MT 2
com.gemd.iting | 4.3.8 | 喜马拉雅FM
com.xiachufang.recipe | 48 | 下厨房
cn.com.10jqka.ThreeBoard | 1.01.01 | 新三板
com.simiao-internet.yaodongli | 1.12.0 | 药给力
com.gaeagame.cn.fff | 1.1.0 | 自由之战

Pushing Apps

Faced with pressure, the XcodeGhost author has since released a letter of apology, along with the source code. Looking into the code, we found that aside from leaking information, the code can remotely push apps: victims are directed to a designated app in the app store. In addition, XcodeGhost can also be used to send notifications to the user, which can be used for malicious purposes such as fraud and phishing.


Figure 4. Snippet of released source code


Affected Countries and Regions

Based on our monitoring, we found that China is the most affected country. However, the North American region was also hit hard by XcodeGhost. This isn’t that surprising, considering that several apps that are known to have been infected are available outside of China.



Figure 5. Affected countries

Trend Micro detects apps that contain this malicious code as IOS_XcodeGhost.A.

Update as of September 24, 2015, 12:00 P.M. PDT (UTC-7)

In addition to Xcode, we also observed that the Unity library in iOS has been infected by malicious code named UnityGhost. Unity is a third-party development platform for creating 2D and 3D multiplatform games. The platform is used not only on iOS devices but on Android, Windows, and Mac OS X systems as well. Consoles such as PlayStation and Xbox may also be affected.

In this scenario, the library libiPhone-lib-il2cpp.a-armv7-master.o was infected using the same tactics, but it connects to different command and control (C&C) servers.

Figure 6. UnityGhost uses the same tactics seen in XcodeGhost (see Figure 2) but with a different C&C server

As of this writing we have not been able to find apps infected by UnityGhost on any other platform, including Android.


The Unity platform costs a hefty $75 a month for the professional version, which may have prompted cybercriminals to scour forums in order to download cracked versions. The screenshot below shows that the cracked version is being distributed by the same XcodeGhost author.


Figure 7. Cracked versions of Unity are being distributed by the XcodeGhost author

Hat tip goes out to the Alibaba Mobile Security Team for sharing the UnityGhost sample.


The Control Strip is really a shortcut to your control panels and other frequently adjusted items, saving you the time of going to the Apple Menu and fully opening a control panel to make changes. It's that expandable bar that you ought to find towards the bottom of your screen (if you don't see it, check here). It's full of icons which might give you an idea as to which control panel each one controls.

If you click and hold on one of the icons, or Control Strip Modules (CSMs), a menu will pop up allowing you to modify that Control Panel's settings. Here I have clicked on the Sound Control Panel. From here you can adjust the system sound level with much less effort than opening the full Control Panel.

By clicking on the nose of the Control Strip you 'iconify' it and dock it to the edge of the screen, keeping it out of the way and saving desktop real estate when not in use. When you want to access it again, all you need to do is click on the nose again and it will expand.

Notice the arrows next to the nose and the close box (at the opposite end): when they are dark gray, the Control Strip has modules which are not showing. You can drag the nose to expand the length of the strip or click on the gray arrow to scroll the modules.

You can move your Control Strip to any part of the screen you would like. If you hold the option key while clicking on the nose, you will be able to drag the Control Strip to where you want it. As you drag it you will see its outline move. You can also move it to either side of your screen.

You can also reorder the modules by option-clicking on one of the module icons and dragging it to the position you wish.

Here is the Control Strip Control Panel. You can show the Control Strip, hide it, define a hot key (I use cmd+F8) to show or hide it and change the font of the menus if you like.

The modules which appear in your Control Strip are kept in a folder in your System Folder named Control Strip Modules. Curiously, the OS doesn't provide you with a disabled folder to keep those modules you don't care to use or need. There are many CSMs that are for PowerBooks and won't even show up if you are not using one. But not everyone uses File Sharing or Remote Access, so where are you supposed to store them in case you find a need for them sometime in the future?

I created my own CSM Disabled Folder to put those CSMs I don't care to use right now in. I also created another folder (Control Strips Not) for those PowerBook modules which I really don't want to trash yet.


As you may have noticed, a few of the snapshots above include some modules that you don't have. There are many 3rd-party CSMs available for functions you might want easy access to, such as a launcher or a calendar. To add a module to your Control Strip, all you need to do is download the CSM, put it in the Control Strip Modules folder and then restart your Mac.