A new iOS malware called XcodeGhost, which has infected thousands of iOS apps including WeChat, was revealed by Chinese developers in mid-September. Palo Alto Networks conducted an in-depth investigation and revealed more details on the incident.
XcodeGhost is a malicious version of Xcode (Apple's suite of software development tools) that was distributed among Chinese iOS developers, who unknowingly compiled the malicious code into their apps and then distributed those apps through Apple's App Store.
Once the infected apps were installed on iOS devices, the malware collected information about the devices and uploaded the data to the attacker's server. The attacker could also read and write data in a user's clipboard, as well as control the apps to phish for users’ credentials, including passwords. It is estimated that XcodeGhost has potentially affected hundreds of millions of users, since WeChat, one of the most popular messaging apps in mainland China, was one of the infected apps.
The XcodeGhost malware is allegedly made by a group of people, and one of the key suspects is a graduate of Shandong University of Science and Technology. The suspect claimed that the malware was an experiment, yet Chinese programmers counter-argued that it was an organized act to undermine the reputation of iOS as the code was uploaded to a number of code sharing platforms. Meanwhile, Apple has removed the infected apps from the store.
What caused this security breach? If the infected apps had been flagged for malware in Apple's code review process, they would not have been distributed to the users in the first place. But the gatekeeper also raised a question in its FAQs on XcodeGhost:
Why would a developer put customers at risk by downloading counterfeit software?
Sometimes developers search for our tools on other, non-Apple sites in an effort to find faster downloads of developer tools.
Twitter user Larry Salibra explained that Chinese Internet censorship, i.e., the Great Firewall that blocks access to overseas websites, is to blame for the slow connection speeds that push Chinese developers to get Apple's Xcode from other code-sharing platforms:
— Larry Salibra (@larrysalibra) September 24, 2015
Prominent Chinese tech-blogger Huo Ju agreed with such a view and further explained the situation in China:
The incident's impact is pervasive because downloading Xcode from Apple's official site takes too long. It takes more than 10 hours, and sometimes more than a few dozen hours, to get the download, as the connection can be cut and you have to do it all over again. It is of course wrong to download Xcode from other sites in China, but it is understandable. Just imagine if the Internet speed is about 50K while the domestic network is 10MB; of course people would download from the domestic network.
Huo Ju further explained the impact of the Great Firewall on Internet security:
GFW has turned the open Internet into a domestic network, or the so-called China regional network. Apart from restrictions on Internet speed, [Internet users in China] also suffer from DNS poisoning and interference coming directly from ISPs. You can't even trust the DNS that they refer you to. Furthermore, very often the content providers insert ads through HTTP requests, resulting in very poor performance of the network. All these conditions are evolving every day: today you know how to deal with the situation; next week you have to find another solution. You have to devote a lot of energy to maintaining a trustworthy software environment, and very few people are willing to pay such a cost.
The blogger then addressed the issue of trust in the Chinese Internet business:
In such an environment, what can we trust? We can't trust the Internet connection. We can't trust the Internet operators. We can't trust the DNS and the big Internet companies. […] In China, if you trust Baidu, you will face a huge problem. If you look up a moving service company through the Baidu search engine, you will be cheated. If you look up a delivery service company through Baidu, you will be cheated. If you look up a hospital through Baidu, guess what: you are doomed to die. If you trust Baidu's software, you will have more fun. It will install a whole set of Baidu software on your computer. People call such uninvited presents a “Baidu family bucket.” These kinds of companies that work so hard to harm their customers could not be found anywhere except China.
The spread of iOS malware, however, shows that these security and trust problems have extended from China's domestic network to the open Internet outside China, by way of foreign companies that are considered to be more trustworthy.
As some tech bloggers have pointed out, Apple would have noticed the problem of extremely slow download speeds in China if it had monitored and addressed the issue reflected in the geographical distribution of its Xcode download numbers. Furthermore, the Apple App Store makes it technically impossible to run a malware detection app that monitors other applications.
While Apple has a review system in place and iOS device users can still download from the official App Store, the problem of malware on Android devices is even more severe, as the Google Play Store has been disrupted for years and blocked in China since May 2014.
The incident is a wake-up call for foreign Internet companies that want a market share in a country like China, where Internet insecurity has become the norm because of domestic policy. If they want to remain trustworthy in the eyes of their customers, they have to develop a policy and a system that address the distinctive security environment of that country's domestic network.