Malware Outbreak in App Store Alerts Tech Companies to Security Risks of China's Great Firewall

Apple store in Beijing. Photo by Chinnian via Flickr (CC BY-SA 2.0)

Apple store in Beijing. Photo by Chinnian via Flickr (CC BY-SA 2.0)

A new iOS malware called XcodeGhost, which has infected thousands of iOS apps including WeChat, was revealed by Chinese developers in mid-September. Palo Alto Networks conducted an in-depth investigation and revealed more details on the incident.

XcodeGhost is a malicious version of Xcode (Apple's suite of software development tools) distributed among Chinese iOS developers who unknowingly build the code into compiling their apps and distributed it through Apple's App Store.

Once the infected apps were installed on iOS devices, the malware collected information about the devices and uploaded the data to the attacker's server. The attacker could also read and write data in a user's clipboard, as well as control the apps to phish for users’ credentials, including passwords. It is estimated that XcodeGhost has potentially affected hundreds of millions of users, since WeChat, one of the most popular messaging apps in mainland China, was one of the infected apps.

The XcodeGhost malware is allegedly made by a group of people, and one of the key suspects is a graduate of Shandong University of Science and Technology. The suspect claimed that the malware was an experiment, yet Chinese programmers counter-argued that it was an organized act to undermine the reputation of iOS as the code was uploaded to a number of code sharing platforms. Meanwhile, Apple has removed the infected apps from the store.

What caused this security breach? If the infected apps had been flagged for malware in Apple's code review process, they would not have been distributed to the users in the first place. But the gatekeeper also raised a question in its FAQs on XcodeGhost:

Why would a developer put customers at risk by downloading counterfeit software?
Sometimes developers search for our tools on other, non-Apple sites in an effort to find faster downloads of developer tools.

Twitter user Larry Salibra explained that Chinese Internet censorship, i.e the Great Firewall that blocks access to overseas websites, is to blame for the slow connection speeds that push Chinese developers to get Apple's Xcode from other code-sharing platforms:

Prominent Chinese tech-blogger Huo Ju agreed with such a view and further explained the situation in China:

这次的事件之所以影响巨大,就是因为通过苹果官方渠道升级Xcode速度太慢,少则10多个小时,多则几十个小时,其间还有可能中断和重新下载。从国内随便下载一个Xcode用当然是错的,但在这样的环境下也不是完全不能理解,考虑一下互联网的下载速度只有50K,企业内网速度能高达10M的时候,谁会不从内网下载呢?

The incident's impact is pervasive because downloading Xcode from Apple official site takes too long. It takes more than 10 hours and sometimes more than a few dozen hours to get the download as the connection can be cut and you have to do it all over again. It is of course wrong to download Xcode from other sites in China, but it is understandable. Just imagine if the Internet speed is about 50K, while the domestic network is 10MB, of course people would download from the domestic network.

Huo Ju further explained the impact of the Great Firewall on Internet security:

GFW让中国本来开放的互联网环境,变成了一个巨大的企业内网,或者叫做中国局域网。除了速度和难以访问的影响,各种各样的DNS投毒,电信运营商干扰也是严重问题,你拿回来的DNS结果往往也未必是可信的,而运营商试图在HTTP请求中插入广告的行为,又经常会导致正常的应用表现不正常,而这些乱七八糟的毛病还经常变化,今天你可以这样对付,下周可能就需要换一个办法。要维持一个可信的软件环境,需要付出巨大的精力,能愿意付出这个代价的人越来越少。

GFW has turned the open Internet into a domestic network or the so-called China regional network. Apart from restrictions on Internet speed, [Internet users in China] also suffer from DNS poisoning and interference coming directly from ISPs. You can't even trust the DNS that they refer to you. Furthermore, very often, the content providers would insert ads through http requests, resulting in very poor performance of the network. All these conditions are evolving everyday, today you know how to deal with the situation, next week you have to find another solution. You have to devote a lot of energy to maintaining a trustworthy software environment, and very few people are willing to pay such a cost.

The blogger then addressed the issue of trust in the Chinese Internet business:

在这个环境中,我们能信任的什么呢?网络链接不可信,运营商不可信,DNS不可信,大企业不可信。[…] 但在中国,如果你敢信任百度,基本意味着你生活各方面都会出问题,用百度查个搬家公司,骗死你没商量,用百度查个快递电话,骗死你也没商量,用百度查个医院,你猜会怎么样?那是真要骗死你没商量,这里的骗死都不再是比喻了。你要信任百度的软件,更好玩了,它莫名其妙就给你把百度出的所有软件都装在你机器上了,人们管这个不请自来的大礼叫做百度全家桶。如此致力于坑害自己用户的大公司,在中国之外还真是罕见。

In such an environment, what can we trust? We can't trust the Internet connection. We can't trust the Internet operators. We can't trust the DNS and big Internet companies. […] In China if you trust Baidu, you will face a huge problem. If you look up a moving service company through Baidu search engine, you will be cheated. If you look up a delivery service company through Baidu, you will be cheated. If you look up a hospital through Baidu, guess what. You are doomed to die. If you trust Baidu's software, you will have more fun. It will install a whole set of Baidu software in your computer. People call such uninvited presents a “Baidu family bucket.” These kinds of companies that work so hard to harm their customers could not be found elsewhere except China.

The spread of iOS malware, however, indicates that the security and trust problems have extended from China's domestic network to the open Internet outside China through foreign companies which are considered to be more trustworthy.

As some tech bloggers have pointed out, Apple would have noticed the problem of extremely slow download speeds in China if they had monitored and addressed the issue reflected in the geographical distribution of the Xcode download numbers. Furthermore, the Apple AppStore has made it technically impossible to run a malware detection app that monitors other applications.

While Apple has a review system in place and iOS device users can still download from the official AppStore, the problem of malware in Android devices is even more severe as the Google play store has been disrupted for years and blocked in China since May 2014.

The incident is a wake up call for foreign Internet companies which want to have a market share in a country like China, where Internet insecurity has become a norm because of domestic policy. If they want to remain trustworthy in the eyes of their customers, they have to develop a policy and a system to address the distinctive security environment in their domestic network.

Start the conversation

Authors, please log in »

Guidelines

  • All comments are reviewed by a moderator. Do not submit your comment more than once or it may be identified as spam.
  • Please treat others with respect. Comments containing hate speech, obscenity, and personal attacks will not be approved.


Support our work defending online freedom of expression around the world.

justice+matters

Learn why our work is important »

Donate now

Close