Recently, Chinese iOS developers have discovered a new OS X and iOS malware that has appeared in malicious versions of Xcode, Apple’s official toolkit for developing iOS and OS X apps.

The hack of Apple’s Xcode involves infecting the compiler with malware, which is then passed on to every app it compiles. This is a unique approach because the attack does not try to inject malicious code into a single app and then sneak it past Apple’s automated and human reviewers. Instead, the malicious code is planted in Xcode itself, the toolkit that software developers use to build apps for iOS and OS X.
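Because the compromise lives in the toolchain rather than in any one app, the defensive check belongs on the developer machine: compare the installed toolchain against a baseline of known-good file hashes and flag anything added or altered. The following is an added example, not AlienVault's or Apple's code; it assumes the defender recorded a baseline manifest from a known-good install, and the directory layout and file contents in `demo()` are constructed placeholders standing in for a real Xcode bundle.

```python
"""Toolchain integrity check: compare a toolchain install on disk against a
pinned baseline manifest of SHA-256 file hashes.

Added example (not AlienVault's or Apple's code). The baseline is assumed to
have been recorded from a known-good install; the tree built in demo() is a
constructed stand-in for an Xcode bundle.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large toolchain binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (as a path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report files added, removed or changed relative to the baseline.

    A changed framework or an unexpected extra file inside the toolchain is
    exactly what an infected compiler install would show."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def toolchain_is_clean(baseline: dict, root: Path) -> bool:
    """True only when the install on disk matches the baseline exactly."""
    d = diff_manifests(baseline, build_manifest(root))
    return not (d["added"] or d["removed"] or d["changed"])


def demo() -> dict:
    """Constructed scenario: baseline a tiny fake toolchain tree, then tamper
    with one framework file and drop in an unexpected file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Frameworks").mkdir()
        (root / "bin").mkdir()
        (root / "Frameworks" / "Core.dylib").write_bytes(b"known-good core")
        (root / "bin" / "clang").write_bytes(b"known-good compiler")
        baseline = build_manifest(root)
        assert toolchain_is_clean(baseline, root)
        # Simulated infection: a framework is modified and a new file appears.
        (root / "Frameworks" / "Core.dylib").write_bytes(b"known-good core + injected payload")
        (root / "Frameworks" / "Extra.dylib").write_bytes(b"unexpected file")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline would be taken immediately after installing the toolchain from Apple and stored somewhere the developer machine cannot silently rewrite; the same comparison then runs before each release build.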

The primary behavior of XcodeGhost in infected iOS apps is to collect information on devices and upload that data to command and control (C2) servers. Once the malware has established a foothold on infected devices, it has the ability to phish user credentials via fake warning boxes, open specific URLs in a device’s web browser, and even scrape the clipboard.

The current feature set of XcodeGhost is not necessarily what should alarm security experts. Instead, the primary concern should come from its ability to get past Apple’s review process, which is typically known for its careful inspection of apps allowed to be published to its app store.

Since Xcode is one of the main tools used to produce Apple software for both Apple PCs and iPhones, this could potentially impact millions of users. Currently, Palo Alto Networks has identified nearly 40 infected applications on the iOS (iPhone) platform alone. [1]

How AlienVault Helps

AlienVault Labs continues to perform cutting edge research on threats like these, collecting large amounts of data and then creating expert threat intelligence as a result. The Labs team has already released IDS signatures and a correlation rule to the AlienVault Unified Security Management (USM) platform so customers can identify activity related to this exploit:

Exploitation & Installation, Trojan infection, XCodeGhost
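To make concrete what an IDS signature and a correlation rule look for in this case, here is an added example (not the USM rule or signature itself) that runs two detections over constructed proxy log lines: a signature-style match on contact with a watchlisted C2 host, and a correlation-style rule that fires when one source repeatedly POSTs data to the same C2 host, which is the upload behavior described above. The hostnames, IP addresses and log format are constructed placeholders; real indicators would come from threat intelligence such as OTX.

```python
"""Network-side detection of XcodeGhost-style C2 contact and data upload.

Added example, not AlienVault's USM correlation rule or IDS signature. The
watchlist, IP addresses and log lines are constructed placeholders.
"""
import re
from collections import defaultdict

# Constructed placeholder indicators (not real XcodeGhost infrastructure).
C2_WATCHLIST = {"c2-analytics.example.invalid", "init.c2.example.invalid"}

# Constructed proxy log: timestamp src_ip method host path bytes_out
SAMPLE_LOG = """\
2015-09-18T10:00:01Z 10.0.5.21 POST c2-analytics.example.invalid /index.php 812
2015-09-18T10:00:03Z 10.0.5.22 GET  cdn.example.invalid /app.js 0
2015-09-18T10:05:01Z 10.0.5.21 POST c2-analytics.example.invalid /index.php 809
2015-09-18T10:10:02Z 10.0.5.21 POST c2-analytics.example.invalid /index.php 815
2015-09-18T10:11:00Z 10.0.5.30 GET  init.c2.example.invalid /index.php 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<host>\S+)\s+(?P<path>\S+)\s+(?P<bytes>\d+)$"
)


def parse_log(text: str) -> list:
    """Parse the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["bytes"] = int(e["bytes"])
        events.append(e)
    return events


def detect(events: list, min_beacons: int = 3) -> list:
    """Return (alert_type, src_ip, host) tuples.

    c2_contact       -- signature style: any request to a watchlisted host.
    beaconing_upload -- correlation style: at least min_beacons POSTs carrying
                        data from one source to the same watchlisted host,
                        i.e. a device periodically uploading what it collected.
    """
    alerts = []
    upload_counts = defaultdict(int)
    for e in events:
        if e["host"] not in C2_WATCHLIST:
            continue
        alerts.append(("c2_contact", e["src"], e["host"]))
        if e["method"] == "POST" and e["bytes"] > 0:
            upload_counts[(e["src"], e["host"])] += 1
    for (src, host), n in upload_counts.items():
        if n >= min_beacons:
            alerts.append(("beaconing_upload", src, host))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The single-contact alert is the cheap one and is what an IDS signature gives you; the correlation rule adds value by separating a device that is steadily uploading collected data from a one-off request, which is the distinction that drives incident response priority.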

For further investigation into XCodeGhost, visit the Open Threat Exchange (OTX) and see what research members of the community have done:

Learn more about AlienVault USM:
Download a free 30-day trial
Watch a demo on-demand
Play with USM in our product sandbox (no download required)

[1] Source:

