Applications known to have been infected with the personal-information-extracting malware "XcodeGhost" and distributed on the App Store
By Ciro Urdaneta
Many iOS apps infected with "XcodeGhost", malware that extracts personal information, were published on the App Store, and it turned out that general users could install them. There are over 300 infected apps, and the security vendors Lookout and Palo Alto Networks are publishing lists of the applications said to have been infected.
XcodeGhost iOS malware: The list of affected apps and what you should do | Lookout Blog
https://blog.lookout.com/blog/2015/09/21/xcodeghost-apps/
Malware XcodeGhost Infects 39 iOS Apps, Including WeChat, Affecting Hundreds of Millions of Users - Palo Alto Networks Blog
http://researchcenter.paloaltonetworks.com/2015/09/malware-xcodeghost-infects-39-ios-apps-including-wechat-affecting-hundreds-of-millions-of-users/
◆ What is Malware "XcodeGhost"?
XcodeGhost is malware created by tampering with Xcode, Apple's iOS application development environment. There is no problem with the Xcode provided by Apple, but it is thought that copies of Xcode illegitimately published on Chinese mirror servers were often tampered with. In China, where the communication environment is not well developed, it is difficult to download Xcode, a file of about 4 GB, from the official overseas servers, so it is often downloaded from illegitimate mirror servers located in China. This is a circumstance unique to that country.
According to Palo Alto Networks, when an application built with XcodeGhost is executed, it collects the current time, the infected application's name, the application identifier, the name given to the iPhone, the UUID, the language and country in use, and the network type, encrypts this information, and sends it to a server specified on the application side.
Although Apple has stopped distributing the infected applications on the App Store, specific application names had not been disclosed at the time of writing. In the meantime, the application names published by Lookout and Palo Alto Networks are as follows.
The list of applications published by Lookout is as follows. Many are applications for China, but note that the list also includes the business card management applications CamCard and CamScanner, which are also used in Japan, the chat application WeChat, and the game Angry Bird 2.
· 10000+ Wallpapers for iOS 8, iOS 7, iPhone, iPod and iPad
· CamCard Business
· CamScanner Pro
· CamScanner + | PDF Document Scanner and OCR
· CamScanner Free | PDF Document Scanner and OCR
· LifeSmart
· OPlayer HD Lite
· WeChat
· WinZip - The leading zip unzip and cloud file management tool
· Mr. Yoshitaka FM (Podcasts) 童 童 事事 评论 検 索 nt 票 Charlotte
· Hot cot heat point
· Freedoman - True · 5 V 5 (First MOBA Hand)
· China 联通 手机 业务 餐 (Official version)
· 网易 云 音乐 - good monkey, electronic FM song under ix
· Netease Public Prosecutors - Education 视频 平台, 名 名 school name marriage section, TED lecture, 紀要 冊 片
· Open your eyes - Fighting sighting slow guessing, Torton Large opening world
· Ridiculous Little Bird 2 - Lee Young Peak Yuen Wah(Angry Bird 2)
· Aichi
· Telephone number 归 归 area assistant
The list of applications published by Palo Alto Networks is as follows.
· 51 Kiko Boxes 5.0.1
· Air2
· AmHexinForPad
· Baba
· BiaoQingBao
· CamCard v6.5.1
· CamScanner
· CamScanner Lite
· CamScanner Pro
· China Unicom 3.x
· CSMBP-AppStore
· CuteCUT
· Data Monitor
· FlappyCircle
· Golfsense
· Golfsensehd
· Guaji_gangtai en
· Guitar Master
· IHexin
· Immtdchs
· InstaFollower
· Installer
· IOBD 2
· IVMS-4500
· Jin
· Lifesmart 1.0.44
· MobileTicket
· MoreLikers 2
· MSL 070
· MSL 108
· Musical.ly
· Nice dev
· OPlayer
· OPlayer Lite
· OPlayer 2.1.05
· PDFReader
· PDFReader Free
· Perfect 365
· PocketScanner
· Quick Save
· QYER
· SaveSnap
· SegmentFault 2.8
· Snapgrab copy
· SuperJewelsQuest 2
· Ting
· TinyDeal.com
· Wallpapers 10000
· WeChat
· WeLoop
· WhiteTile
· WinZip
· WinZip Sector
· WinZip Standard
· Lower kitchen
· Lower kitchen 4.3.2
· I'm MT 2 1.10.5
· We Shoot MT 5.0.1
· Quick Interviewer 7.73
· Yoshitaka Kima 4.3.8
· Hot cot heat point
· Mouth bag 账账 1.6.0
· Takadoku 图
· Freedomann 1.1.0
· New three plates
· China 联通 手机 业务 3.2
· Chunbun Bank Railroad Space 3.3.12
· Droplet Dryer
· Droplet departure 4.0.0.6 - 4.0.0.0
· Drip drivers 3.9.7.1 - 3.9.7
· Bean cheeks
· Same flower order
· Same flower order 9.60.01
· Minor inquiries 6.2.5
· Micromachine
· Mr. and Mrs. Floor Advance 1.2
· Ceremonial assistant
· Fried toe opening
· 网易 云 音乐
· 网易 云音 乐 2.8.3
· Netease Public Proceedings 4.2.8
· Open eyes 1.8.0
· 愤怒 的 小鳥 2 2.1.1
· Bunshin perioda end
· Aichi
· Telephone anchorage assistant 3.6.5
· Yu Yu 6.6.6
· 简体 書 2.9.1
· Supply power 1.12.1
· Importing method of imported goods 5.1.1463
· 铁路 12306 4.5
· 馬拉 马拉 1.1.0
Apple has already removed the applications infected with the malware from the App Store. Although the specific application names do not appear to have been disclosed, it is reported that more than 300 applications have been pulled from distribution.
Apple removes malicious programs after first major attack on app store | Technology | The Guardian
In addition, the response on the application side is, of course, mixed: as updates roll out, patched and unpatched versions coexist. If an application on the above lists is installed, it may be better to refrain from using it unless it is urgently needed, or to uninstall it if it is not necessary. Also, since the status of each application is updated on the following Lookout page and elsewhere, it is good to check periodically. At the time of writing, applications such as "Life Smart", "10000+ Wallpapers for iOS 8, iOS 7, iPhone, iPod and iPad" and "Angry Bird 2" were described as "Still malicious".
XcodeGhost iOS malware: The list of affected apps and what you should do | Lookout Blog
◆ 2015/09/24 18:25 Addendum
Regarding CAMCARD, for which infection has been reported, the application distributed on the Japanese App Store is different from "CamCard v6.5.1", the application that was infected with the malware, so use of the product is not affected.
Hi @CamCardIntSig I just verified CN version 6.5.1 CamCard was infected by XcodeGhost but US version 5.5.2 CamCard was not cause it's older.
- Claud Xiao (@claud_xiao) September 22, 2015
Also, for "CAMCARD BUSINESS", the product for corporations, a fixed version of the application has already been released on the App Store, and affected users are being directed to the latest update.
Report to CAMCARD BUSINESS XcodeGhost - [Business card management application] Accelerate business with CAMCARD BUSINESS
https://www.camcard.jp/business/information/0923/
◆ 2015/09/25 11:45 Additional note
On Apple's website in China, an explanation of this issue and a list of some of the affected apps were posted. All infected applications have already been removed from the App Store, and those whose distribution has resumed are said to be versions verified as safe. It is said that those not yet republished will also be released soon.
Independent XcodeGhost problem solving answer - Apple (China)