Industry Perspectives Blog

Protecting Our Customers from XcodeGhost

Background on XcodeGhost

XcodeGhost is reported to be the first instance of the iOS App Store distributing a large number of trojanized apps. The malicious apps steal device and user information and send the stolen data to a command and control (CnC) server. They also accept remote commands, including commands to open URLs sent by the CnC server. These URLs can point to phishing webpages for stealing credentials, or to an enterprise-signed malicious app that can be installed on non-jailbroken devices.

With the large amount of press XcodeGhost has received, we wanted to let our customers know that they are protected from this threat across their mobile devices and networks.

FireEye Protection

Immediately after learning of XcodeGhost, FireEye Labs identified more than 4,000 infected apps on the App Store. FireEye has since updated detection rules in its NX and Mobile Threat Prevention (MTP) products to detect the malicious apps and their activity on a network.

FireEye NX customers are alerted if an employee uses an infected app while the iOS device is connected to the corporate network. It’s important to note that, although the CnC servers have been taken down, the malicious apps still try to connect to them using HTTP. This HTTP session is vulnerable to hijacking by other attackers.

FireEye MTP management customers have full visibility when a mobile device is infected in their deployment base. End users receive on-device notifications of malware detection and IT administrators receive email alerts of the infection.

Further Advice

We advise all organizations to notify their employees of the threat of XcodeGhost and other malicious iOS apps, and to make sure that all apps are updated to the latest version.

For FireEye MTP customers, we recommend immediately reviewing MTP alerts, locating infected devices/users, and quarantining the devices until the infected apps are removed. FireEye NX customers are advised to immediately review alert logs for activity related to XcodeGhost communications.

FireEye customers can find more information on impacted apps in the FireEye Intelligence Center.
