Apple’s App Store Got Infected With the Same Type of Malware the CIA Developed

XcodeGhost tricks developers into releasing apps infected with malicious software — a technique pioneered by the CIA and described by The Intercept six months ago.

[Photo: A customer passes an Apple store in Shanghai where the latest version of the iPad went on sale on July 20, 2012, after Apple paid 60 million USD to settle a dispute over the iPad name in China.]
Photo: AFP/Getty Images

Last week, Chinese app developers disclosed that an Apple programming tool had been hijacked to trick developers into embedding malicious software into apps for Apple devices.

The malware, called XcodeGhost, works by corrupting Apple’s Xcode software, the tool that runs on Mac computers and compiles source code into apps for iPhones, iPads, and other Apple devices before they are submitted to the App Store. If a developer builds with a copy of Xcode that XcodeGhost has tampered with, the apps they compile carry the malware without the developer realizing it.

Although XcodeGhost is the first malware known to spread this way in the wild, the techniques it uses were previously developed and demonstrated by Central Intelligence Agency researchers at the CIA’s annual top-secret Jamboree conference in 2012. Using documents from NSA whistleblower Edward Snowden, The Intercept’s Jeremy Scahill and Josh Begley described the CIA’s Xcode project in a story published in March.

Security firm Palo Alto Networks has published detailed technical analyses of the malware. At least 50 apps carrying it have made it into the App Store, including WeChat, one of the world’s most popular messaging apps, with hundreds of millions of users, primarily in Asia. Apps infected with XcodeGhost are capable of popping up fake alerts that ask for credentials, such as the user’s iCloud password; reading what has been copied to the clipboard, such as passwords from password manager apps; and exploiting other parts of iOS. It’s not clear who is behind the malware or whether they are based in China.

The CIA’s campaign to attack the security of Apple devices included creating a malicious version of Xcode to sneak malware into apps without the developer realizing it. As we reported in March:

The researchers boasted that they had discovered a way to manipulate Xcode so that it could serve as a conduit for infecting and extracting private data from devices on which users had installed apps that were built with the poisoned Xcode. In other words, by manipulating Xcode, the spies could compromise the devices and private data of anyone with apps made by a poisoned developer — potentially millions of people.

Today, Apple has published instructions for developers to verify that the version of Xcode they have installed is the official one.
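The kind of check a developer or a build-server owner can run to confirm that the installed Xcode is an Apple-signed copy, as an added example that is not from the article and is not Apple’s published instructions: it assumes that a Gatekeeper assessment of Xcode.app (`spctl --assess --verbose`) is the right test, and that the sources Gatekeeper reports for a genuine copy are limited to "Mac App Store", "Apple System" and "Apple" (an assumption for this example). The sample spctl outputs are constructed so the verdict-parsing logic runs offline; on a Mac, the last block also assesses the real installation.

```shell
#!/bin/sh
# Added example: classify the output of a Gatekeeper assessment of Xcode.app.
# A genuine copy is expected to report "accepted" with an Apple-controlled
# source; anything else (or no usable signature) should be treated as suspect.

# Constructed sample outputs in the shape spctl --assess --verbose prints them.
SAMPLE_OK='/Applications/Xcode.app: accepted
source=Mac App Store'
SAMPLE_BAD='/Applications/Xcode.app: accepted
source=Unnotarized Developer ID'
SAMPLE_REJECTED='/Applications/Xcode.app: rejected
source=no usable signature'

# classify_spctl_output OUTPUT
#   returns 0 when the verdict is "accepted" AND the source is one of the
#   Apple-controlled sources assumed above; returns 1 otherwise.
classify_spctl_output() {
    out="$1"
    # First line looks like "/path/Xcode.app: accepted" -> keep the verdict word.
    verdict=$(printf '%s\n' "$out" | grep 'Xcode\.app:' | head -n 1 \
              | sed 's/^.*Xcode\.app: *//')
    # The "source=..." line names who signed/distributed the bundle.
    source=$(printf '%s\n' "$out" | sed -n 's/^source=//p' | head -n 1)

    [ "$verdict" = "accepted" ] || return 1
    case "$source" in
        "Mac App Store"|"Apple System"|"Apple") return 0 ;;   # assumed genuine sources
        *) return 1 ;;
    esac
}

# check_installed_xcode [PATH]
#   runs the real assessment on a Mac; returns 2 when spctl is unavailable
#   (e.g. on Linux), so callers can tell "not checked" from "suspect".
check_installed_xcode() {
    app="${1:-/Applications/Xcode.app}"
    command -v spctl >/dev/null 2>&1 || { echo "spctl not available; skipped" >&2; return 2; }
    classify_spctl_output "$(spctl --assess --verbose "$app" 2>&1)"
}

# Demonstration on the constructed samples.
for sample in "$SAMPLE_OK" "$SAMPLE_BAD" "$SAMPLE_REJECTED"; do
    if classify_spctl_output "$sample"; then
        echo "genuine-looking: $(printf '%s\n' "$sample" | sed -n 's/^source=//p')"
    else
        echo "SUSPECT: $(printf '%s\n' "$sample" | sed -n 's/^source=//p')"
    fi
done

# On a Mac, assess the real installation as well.
if command -v spctl >/dev/null 2>&1; then
    if check_installed_xcode; then
        echo "installed Xcode: genuine-looking"
    else
        echo "installed Xcode: SUSPECT (or not checked)"
    fi
fi
```

A "rejected" verdict or an unexpected source is a reason to remove the installation and reinstall Xcode from the Mac App Store or Apple’s developer downloads rather than from a third-party mirror, which is how XcodeGhost copies were distributed; the check is cheap enough to run on every build machine before each release build.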
