China finds breach in Apple's iOS

22 September 2015

As word spread in China over a rare breach of Apple’s normally secure iOS mobile platform in the country, security experts and the country’s official media moved quickly to squelch a claim that the episode was a harmless prank.

The Cupertino, California-based company said that some of the most recognizable Chinese iOS offerings available in the App Store were recently infected with malicious code capable of spying on devices and stealing Apple passwords. The breach came about because Chinese developers were using an unofficial, infected version of Xcode, Apple’s developer tool kit, the company said.

China’s state broadcaster China Central Television put the total number of affected apps at around 350, including massively popular ones like the WeChat messaging app and the Didi ride-hailing app, in a segment that aired Sunday.

Apple said it had deleted the affected apps and was working to ensure developers used proper versions of Xcode. The company didn’t address whether customer data was stolen or discuss possible motives for the breach – dubbed Xcode Ghost by security researchers.

On Sunday, an account named XcodeGhost-Author on China’s Weibo social-media platform claimed to be behind the malware and apologised. The Weibo user or users said the malware was an “accidental discovery” that was distributed as “a one-time, mistaken experiment.”

The message said the user inserted code that would have allowed the pushing of ads to devices but that the function was never exploited. The message added that the malware collected only basic data. “And 10 days ago, I actively shut down the server and deleted all the data, so it will not have any effect on anyone,” it said.

It was impossible on Monday to verify the account’s claim. But China’s official media took it seriously and moved to pour cold water on it. “The entire process was plotted and planned,” mobile Internet security expert Lin Wei told CCTV.

CCTV pointed to several steps taken by the hacker that it said reflected nefarious intent.

Mr Lin told CCTV the compromised Xcode was advertised and distributed across the Chinese Internet in a methodical way, using multiple anonymous Internet accounts over the course of half a year.

Meanwhile, the security response center at social-media and gaming giant Tencent Holdings released its own findings. Tencent makes WeChat. It said that multiple versions of the infected Xcode were being advertised on several forums.

The Tencent report, also published Sunday, said of the 5,000 most downloaded apps in the App Store, 76 were found to be infected by the Xcode Ghost malware.

CCTV said that the bogus Web domain the malware used to siphon off stolen data appeared specifically designed to hoodwink users into believing it was connected with Apple’s iCloud service.

Information security expert Cai Jingjing confirmed to CCTV that the malware was capable of pushing pop-up ads to devices. The economic benefits of pushing those ads to tens of millions of affected users were potentially enormous, Mr Cai said.

–Yang Jie and Josh Chin (Wall Street Journal)