Malware found in dozens of Apple apps

Credit: 360b/Shutterstock.com

Hackers created a malicious version of a tool used by app developers, who were then tricked into downloading and using it to build legitimate apps.

Such apps would then contain malware which could steal data from their users and send it back to machines also controlled by the hackers.

The majority of apps and devices affected are in China but some are popular globally.

Among them are a version of the social and messaging app WeChat, and CamCard, an app for scanning business cards and importing the information into a device's contacts.

Ghost in the code

On Sunday night, Apple confirmed they were removing numerous apps from the store following the attack.

Apple's App Store has previously been considered incredibly safe: the company takes great care to check every app submitted for usability, quality and security.

In fact, according to cyber security company Palo Alto Networks, there have been just five malicious apps ever found in the App Store before this attack.

It also helps that apps are built using Apple's own software, called Xcode - but it's the need to have this particular software that led to this attack.

The malicious version of the programme, XcodeGhost, was made available to developers on Baidu - China's answer to Google, Wikipedia and filesharing all in one.

Elsewhere in the world it would be simple enough to go direct to Apple to get the official version of the software. But the internet in China is subject to censorship, and connections to international servers are often slow and unreliable.

The latest versions of Apple's developer tools - Xcode 7 and Xcode 7.1 beta - are more than 3.5GB in size, and even trying to download them from Apple's servers in China can take a long time - leading some developers to try to download it elsewhere instead.

Once downloaded and installed, XcodeGhost would write malicious code deep into the developer's apps without them knowing - and in a way that seems to have snuck past Apple's own testers too.

As well as having removed affected apps from their store, Apple say they're working with developers to make sure their replacements are rebuilt using genuine code.

Password theft

There's a list of some of the infected apps available here - although it's worth bearing in mind that this list is far shorter than the more than 300 Apple say they've had to remove from the App Store.

The advice for anyone who thinks they may have one of the affected apps is to uninstall it immediately, and to reset any passwords stored on their iOS device, including that for their iCloud account.

That's because Palo Alto Networks say they believe the malware was designed specifically to phish for people's passwords and other sensitive information.

They cite a Chinese developer who was designing a simple app with no internet functionality or any need to access the iCloud. The developer said that during testing, the app would frequently ask for users to supply their iCloud passwords.

That said, Palo Alto Networks say they haven't detected any instances of data theft or other issues caused so far as a result of the attack.

Tencent, who make WeChat, say their initial investigations also show that no users have been affected by data theft or "leakage".

They say it's just one older version of WeChat, 6.2.5, that's been affected, and newer versions are perfectly safe.

What is of concern, however, is that this attack has shown that getting malware into what's been called the "walled garden" of the Apple App Store is indeed possible - and using a route that's difficult to defend against.

Mobile security

Our guides to staying safe online tend to focus on making sure our computers are up to date - and many of us simply assume our phones are more at risk of being stolen than being hacked somehow.

But security threats from inside our phones are just as big an issue - although until now, most of the attacks have been aimed at people with Android devices.

As with computers, one of the best ways to fend off malware attacks is to install and use a good security app such as those offered by Norton, Symantec and Avast - there are free, as well as paid for, versions.

Less obviously, but still vitally important with mobile devices, is the need to keep the operating system as up to date as possible.

As well as the big roll-outs, like the recently released iOS 9 - which appears to be causing Apple a different set of headaches - there are also smaller updates in the form of patches.

This year saw about 95% of Android devices vulnerable to attack following the discovery of some serious security flaws in one of the platform's media playback tools, called Stagefright.

All a hacker needed to gain access to a device was its phone number; using that to send a multimedia message containing malware to the device would enable them to access media stored on the phone, and to control audio and video recording.

From there, the malware could be used to gain access to other apps and programmes on the phone - including other personal and sensitive information.

Google released a series of patches to address the vulnerabilities over the summer, via device manufacturers - and they also sent out warning emails explaining how users could defend themselves by changing some of the multimedia permissions on their phones.

Frustratingly, there's very little else people can do to protect themselves against Stagefright if they've not yet received the patch.

Stay updated

The bad news for us as users is that if we hold off installing an update - for whatever reason - that can make us all the more vulnerable to attack.

Hackers can study the updates to find flaws in older versions of the operating systems - and then target those of us who haven't installed the update yet.

Upgrading may well affect the smooth running of some of our favourite apps at first - but while annoying, apps crashing are broadly preferable to a device being left vulnerable to hacks and other attacks.