Skip to main content

A modified version of XcodeGhost remains a threat as compromised apps found in 210 enterprises


Security firm FireEye said in a blog post that XcodeGhost – a fake version of Xcode that injected malware into genuine apps – remains a threat. FireEye has identified a more advanced version of the compromised app development tool, XcodeGhost S, which has been designed to infect iOS 9 apps and allow compromised apps to escape detection by Apple.

XcodeGhost is planted in different versions of Xcode, including Xcode 7 (released for iOS 9 development). In the latest version, which we call XcodeGhost S, features have been added to infect iOS 9 and bypass static detection.

We have worked with Apple to have all XcodeGhost and XcodeGhost samples we have detected removed from the App Store.

The company said that by monitoring its customers’ networks, it identified 210 enterprises with infected apps running inside their networks – a third of them in the USA – generating 28,000 attempts to connect to the XcodeGhost Command and Control (CnC) servers … 

It notes that the servers are not currently under control by those behind XcodeGhost, but they are potentially vulnerable to hijacking attempts. Some enterprises have modified their domain name servers to block traffic to the CnC servers, but this does not necessarily protect devices when used outside the corporate networks.

The blog entry describes how XcodeGhost was able to circumvent the protection Apple introduced in iOS 9.

Apple introduced the “NSAppTransportSecurity” approach for iOS 9 to improve client-server connection security. By default, only secure connections (https with specific ciphers) are allowed on iOS 9. Due to this limitation, previous versions of XcodeGhost would fail to connect with the CnC server by using http. However, Apple also allows developers to add exceptions (“NSAllowsArbitraryLoads”) in the app’s Info.plist to allow http connection. The XcodeGhost S sample reads the setting of “NSAllowsArbitraryLoads” under the “NSAppTransportSecurity” entry in the app’s Info.plist and picks different CnC servers (http/https) based on this setting.

Earlier this year, a separate vulnerability was discovered that left some apps at risk when attempting to establish secure connections to servers.

Via PCWorld. Image ABC News.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel


  1. tonywmd23 - 7 years ago

    I genuinely don’t understand how Xcode ghost affects the US app store. Chinese developers opted for Xcode downloaded from third party websites (which has been switched to Xcode ghost) because it takes too much time to download the real Xcode from apple server. US developers don’t have this problem! ALL of them should’ve used legit Xcode versions direct from apple.

    • If a chinese developer releases an app for worldwide distribution?

      • tonywmd23 - 7 years ago

        Yeah but last time Angry Birds 2 was also on the affected list. How did that happen?! Don’t think Angry Birds 2 was coded by Chinese developers…

  2. So this is what, the 5th high profile Apple hacking in what, 3 months? And Android hasn’t even had one real hacking yet. Just proof of concept nonsense.

    • rafalb177 - 7 years ago

      Whole Android is one big hack.

    • tonywmd23 - 7 years ago

      I don’t know which affects regular users more, a “high profile” hacking that might or might not actually do anything to make our lives worse, or constant day-to-day malware annoyance and safety concerns of an open platform. iOS users can tap on a sketchy link or attachment by mistake without compromising safety when using, say, a third-party messaging app. Can android users say the same thing?

  3. standardpull - 7 years ago

    No good developer has this issue, as no good developer would ever use unsigned tools on a computer used to produce apps.

    • airmanchairman - 7 years ago

      All it takes is a profit-mad corporation seeking to cut costs to the bleeding edge and hire development resource as cheaply as possible with scant regard to reputation or CV, a habit of many a traditional bean counter.

      It parallels the infection of consumer networks by the allure of free or dirt cheap software and tools.


Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear