Palo Alto Networks posted an analysis of XcodeGhost, the first compiler malware in OS X. Its malicious code is located in a Mach-O object file that was repackaged into some versions of Xcode installers.
The primary malicious component in the XcodeGhost infected version is “CoreServices”. XcodeGhost implemented malicious code in its own CoreServices object file, and copies this file to a specific position that is one of Xcode’s default framework search paths. Hence, the code in the malicious CoreServices file will be added into any iOS app compiled with the infected Xcode without the developers’ knowledge.The malware-infected apps then send device information, potentially including credentials to several domains: crash-analytics[.]com, icloud-diagnostics[.]com and icloud-analysis[.]com.
[...] As of this writing, we see 39 iOS apps being infected, some of which are extremely popular in China and in other countries around the world, comprising hundreds of millions of users. This includes the popular WhatsApp clone WeChat.Tags: malware iOS
More from: researchcenter.paloaltonetworks.com
show/hide source |