Media Moves

Coverage: Apple’s App Store hacked in China

September 21, 2015

Posted by Meg Garner

Apple’s App Store in China was hit by a malware outbreak over the weekend after developers built their apps with a counterfeit version of Xcode, Apple’s developer tool kit. The incident is unusual for the Cupertino, Calif.-based company, whose mobile platform is known for being considerably secure.

Josh Chin of The Wall Street Journal had the story:

Some of the most popular Chinese names in Apple Inc.’s App Store were found to be infected with malicious software in what is being described as a first-of-its-kind security breach, exposing a rare vulnerability in Apple’s mobile platform, according to multiple researchers.

The applications were infected after software developers were lured into using an unauthorized and compromised version of Apple’s developer tool kit, according to researchers at Alibaba Mobile Security, a mobile antivirus division of Alibaba Group Holding Ltd.

The list of recently compromised iPhone and iPad apps includes Tencent Holdings Ltd.’s popular mobile chat app WeChat, Uber-like car-hailing app Didi Kuaidi, and a Spotify-like music app from Internet portal NetEase Inc.

The attack affected more than three dozen apps, according to U.S.-based cybersecurity firm Palo Alto Networks Inc.

The infected apps can transmit information about a user’s device, prompt fake alerts that could be used to steal passwords to Apple’s iCloud service, and read and write information on the user’s clipboard, according to researchers.

Reuters reporter Jim Finkle showed how developers are becoming targets of cyber attacks:

Palo Alto Networks Director of Threat Intelligence Ryan Olson said the malware had limited functionality and his firm had uncovered no examples of data theft or other harm as a result of the attack.

Still, he said it was “a pretty big deal” because it showed that the App Store could be compromised if hackers infected machines of software developers writing legitimate apps. Other attackers may copy that approach, which is hard to defend against, he said.

“Developers are now a huge target,” he said.

Researchers said infected apps included Tencent Holdings Ltd’s popular mobile chat app WeChat, car-hailing app Didi Kuaidi and a music app from Internet portal NetEase Inc.

The tainted version of Xcode was downloaded from a server in China that developers may have used because it allowed for faster downloads than using Apple’s U.S. servers, Olson said.

Chinese security firm Qihoo360 Technology Co said on its blog that it had uncovered 344 apps tainted with XcodeGhost.

Apple declined to say how many apps it had uncovered.

The New York Times’ Katie Benner described what Apple is doing to fix the problem:

The fake developer code “was posted by untrusted sources,” said Christine Monaghan, an Apple spokeswoman. “To protect our customers, we’ve removed the apps from the App Store that we know have been created with this counterfeit software.”

It was unclear on Sunday how many people had downloaded the apps based on the hacked developer tool. Security researchers at the giant Chinese e-commerce company Alibaba, Palo Alto Networks, the app makers and Apple are working to assess the damage, said Ryan Olson, who leads a threat research team at Palo Alto Networks.

Chatter about modified versions of the developer code, called Xcode, started to surface last week on Weibo, China’s version of Twitter.

Researchers found that some copied versions of Xcode had been modified to embed malicious software into apps. As app makers checked to see whether their products had been infected, Apple and security researchers worked to find and get rid of the bad versions of Xcode, which were all on a cloud hosting service owned by the Chinese Internet company Baidu. Mr. Olson said Baidu has removed them.

In a statement posted to an official Tencent blog on Saturday, the company said that the flaw had been repaired and would not affect users who upgrade the WeChat app. “A preliminary investigation into the flaw has revealed that there has been no theft and leakage of users’ information or money, but the WeChat team will continue to closely monitor the situation,” it said.

Apple said on Sunday that it was working with developers to make sure they were using the proper version of Xcode, the tool used to create the apps.

Scott Cendrowski of Fortune laid out how China’s Internet controls played a role in the hack:

China’s so-called Great Firewall, which keeps users inside the country from accessing Facebook, the New York Times, and other sites banned because they pose some threat, direct or indirect, to the ruling Communist Party, might be at least partly to blame for a hack that infiltrated the usually secure Apple App store in China.

Hackers targeted the software that developers use to create apps for Apple’s App store. In China, access to foreign websites can be spotty and slow. The hackers advertised a faster download for Apple’s development tool kit called Xcode that instead of being hosted on Apple’s official servers was on Baidu Inc.’s cloud service, which is widely used in the country and hosts very fast downloads.

The malicious version of the tool kit then compromised some of the most popular apps in China, including Tencent Holdings Ltd’s WeChat, Tencent-backed Didi Dache, a streaming music service from Netease and a train ticketing site.

“This is a significant compromise of Apple’s app store. Apple notoriously manually reviews all app submissions and, in comparison to Android stores, has been relatively malware-free. This is the most widespread and significant spread of malware in the history of the Apple app store, anywhere in the world,” said Greatfire.org, an activist site tracking China’s Internet firewall.

“Xcode is usually obtained directly from Apple’s Mac App Store, but because large cross-border downloads can be slow and unreliable in China, in large part because of the government’s Internet controls, many users there turn to potentially unsafe unofficial sources,” China Digital Times concluded.
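The common thread in every account above is a copy of Xcode obtained from somewhere other than Apple. The check a developer can run on their own Mac is Gatekeeper’s assessment of the installed bundle, `spctl --assess --verbose /Applications/Xcode.app`. The script below is an added example written for this page, not code from Apple or from any of the outlets quoted: it interprets that verdict and only treats the install as genuine when it is accepted and signed by Apple. The acceptable source strings (`Mac App Store`, `Apple System`, `Apple`) follow the Xcode validation guidance Apple published after this incident; treat them as an assumption to confirm against Apple’s current documentation. The sample verdict lines are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the page or from Apple): classify the verdict that
# `spctl --assess --verbose` returns for an Xcode install.
# Assumption: a genuine Xcode is reported as "accepted" with one of the
# sources below (Apple's post-XcodeGhost validation guidance). A copy that
# is unsigned, or re-signed by anyone other than Apple (e.g. a Developer ID
# certificate), must not pass even if Gatekeeper itself accepts it.

# xcode_verdict_ok "<spctl output line>"
# Returns 0 when the line is an Apple-signed, accepted verdict; 1 otherwise.
xcode_verdict_ok() {
    line=$1
    case "$line" in
        *": accepted"*) ;;   # Gatekeeper accepted the bundle ...
        *) return 1 ;;       # ... anything else (rejected, error text) fails
    esac
    # ... and the signer reported after "source=" must be Apple, not a third party.
    source=${line##*source=}
    case "$source" in
        "Mac App Store"|"Apple System"|"Apple") return 0 ;;
        *) return 1 ;;
    esac
}

# check_xcode_install [path]
# Runs the real assessment on the local machine (macOS only) and reports the result.
check_xcode_install() {
    app=${1:-/Applications/Xcode.app}
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available; run this on the Mac that has Xcode installed" >&2
        return 2
    fi
    # spctl may write the verdict to stderr on some versions, so capture both streams.
    verdict=$(spctl --assess --verbose "$app" 2>&1)
    if xcode_verdict_ok "$verdict"; then
        echo "PASS: $verdict"
        return 0
    fi
    echo "FAIL: $verdict" >&2
    echo "Reinstall Xcode from the Mac App Store or developer.apple.com" >&2
    return 1
}

# Constructed sample verdicts showing how each case is classified.
for sample in \
    "/Applications/Xcode.app: accepted source=Mac App Store" \
    "/Applications/Xcode.app: accepted source=Apple System" \
    "/Applications/Xcode.app: accepted source=Developer ID" \
    "/Applications/Xcode.app: rejected source=no usable signature"
do
    if xcode_verdict_ok "$sample"; then
        echo "genuine : $sample"
    else
        echo "SUSPECT : $sample"
    fi
done

# Only attempt the live check where spctl exists (macOS).
if command -v spctl >/dev/null 2>&1; then
    check_xcode_install "${XCODE_APP:-/Applications/Xcode.app}"
fi
```

The point of the second `case` is that Gatekeeper alone is not the test: a tampered Xcode that an attacker re-signs with their own Developer ID certificate is still "accepted", so the signer has to be Apple.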
