Malware

Apple names top 25 apps infected by XcodeGhost as most estimates reach four figures

Apple has named the top 25 apps infected by the XcodeGhost malware, stating that “the number of impacted users drops significantly” for other compromised apps. Most security researchers now agree that the total number of infected apps is in or around four figures, with many of them still present in China’s App Store … 
Apple to offer local Xcode downloads in China as scale & scope of XcodeGhost issue becomes clearer

Apple is to make Xcode available for local download from servers based in China as part of its response to the XcodeGhost malware issue. The announcement was made on the Chinese social media site Sina by Phil Schiller, Apple’s senior VP of worldwide marketing (via CNET). It’s believed that many Chinese developers inadvertently downloaded the fake version because the official download was taking too long.

“In the US it only needs 25 minutes to download,” Schiller told Sina, admitting that in China getting Xcode “may take three times as long.” He told the Chinese publication that, to quell this problem, Apple would be providing an official source for developers in the People’s Republic to download Xcode domestically.

Analysis of infected apps by security researchers appears to be revealing a mix of good and bad news … 
Compromised apps remain in Apple China App Store; $1M bounty offered for iOS 9 exploits

App analytics company SourceDNA – whose clients include Google, Amazon and Dropbox – claims that the compromised versions of many apps remain live in the Chinese App Store. This includes CamCard, which is a very popular app ranked #94.

The apps were infected with malware by a fake version of Xcode dubbed XcodeGhost which legitimate developers were fooled into downloading, believing it to be a copy of the genuine Apple app. A partial list of infected apps has been posted by security company Palo Alto Networks … 
Security firm publishes list of some of the iOS apps infected by XcodeGhost – including Angry Birds 2 [Update: more apps]

Update 1: The list of apps has now been updated with apps identified by Dutch security company Fox-IT. The company is reporting seeing malware traffic from the apps in Europe.

Update 2: Rovio has advised that only the version of Angry Birds 2 in the Chinese App Store was affected.

I wish to clarify that Rovio can confirm that only the Chinese build of Angry Birds 2 — available only on the App Store in Mainland China, Taiwan, Hong Kong and Macau — is vulnerable to the security issue. All other builds of Angry Birds 2 available in other countries are completely safe and secure. An update of Angry Birds 2 for customers in Mainland China, Taiwan, Hong Kong and Macau that fixes the issue is coming very shortly.

After yesterday’s revelation that hundreds of iOS apps on the App Store had been infected by malware, security company Palo Alto Networks has posted a list of some of the affected apps – which include Angry Birds 2.

The apps were infected by a fake copy of Xcode dubbed XcodeGhost, unwittingly downloaded by Chinese developers in place of the real thing. It’s believed they downloaded the fake from local servers because it took too long to download the original from Apple’s own servers. It’s not yet known why Apple’s own checks did not detect the malware when apps were submitted to the App Store.

It’s been suggested that over 300 apps are infected, with 31 of them so far identified (list below) … 
iOS jailbreak malware stole 225,000 Apple IDs across 18 countries, but it’s unlikely you’re at risk

Researchers from Palo Alto Networks have discovered that a piece of iOS malware successfully stole more than 225,000 Apple IDs and passwords from jailbroken phones, using them to make purchases from the official App Store. The malware, dubbed KeyRaider, also has the ability to remotely lock jailbroken iOS devices in order to hold them to ransom.

These two tweaks will hijack app purchase requests, download stolen accounts or purchase receipts from the C2 server, then emulate the iTunes protocol to log in to Apple’s server and purchase apps or other items requested by users. The tweaks have been downloaded over 20,000 times, which suggests around 20,000 users are abusing the 225,000 stolen credentials.

However, it’s extremely unlikely that you’re at risk: the malware can only run on jailbroken devices, and appears to spread through only one set of Cydia repositories, run by Weiphone.

The malware was used in two tweaks that allow those running them to download paid apps and make in-app purchases from Apple’s official App Store without payment. The tweaks used the stolen credentials to make the purchases.

If you think your iPhone or iPad may be at risk, Palo Alto Networks has provided the following instructions to detect and remove the malware. Further details over at the company’s lengthy blog entry.

Users can use the following method to determine by themselves whether their iOS devices were infected:

  1. Install openssh server through Cydia
  2. Connect to the device through SSH
  3. Go to /Library/MobileSubstrate/DynamicLibraries/, and grep for these strings in all files under this directory:
  • wushidou
  • gotoip4
  • bamu
  • getHanzi

If any dylib file contains any one of these strings, we urge users to delete it and delete the plist file with the same filename, then reboot the device.

We also suggest all affected users change their Apple account password after removing the malware, and enable two-factor verifications for Apple IDs.

The company also notes that not jailbreaking iOS devices is the only way to protect against such exploitation.

Via Re/code

Chrome for Mac will soon require Chrome Web Store distribution for extensions to prevent malware

Back in May of last year, Google started enforcing a policy that requires Chrome extensions be hosted on its Chrome Web Store, but only on Windows. The goal was to prevent malware hidden in extensions installable from outside its store, and it even started disabling extensions already installed on users’ systems that weren’t hosted on the Chrome Web Store. Now, Google says it will bring that requirement to Mac Chrome users over the coming months, as well as the Chrome developer channel for Windows that wasn’t previously enforcing the policy:
Malware hidden in Nvidia GPUs can infect Macs too, say developers behind proof of concept

Anonymous developers who have successfully infected Nvidia GPU cards with malware on both Linux and Windows machines say that the same can be done on Macs, and that they will release the proof soon. The aim of the whitehat developers is to raise awareness of this new method of attack, reports IT World.

The team successfully created a piece of malware called WIN_JELLY which acts as a Remote Access Tool, enabling attackers to control a machine over the Internet. They now plan to release a version for OS X called MAC_JELLY, demonstrating that Macs too are vulnerable.

There are, they say, two core problems. First, the growing power of modern GPUs means that it is increasingly common for processing tasks to be passed to them, something that would look legitimate to the OS. Second, most security tools designed to detect malware don’t scan the RAM used by the GPU.

The developers hint that the Mac version of the exploit will use OpenCL, a framework for writing code that can run on multiple platforms – including GPUs – and which is installed as standard as part of OS X.

While Mac and iOS malware is rare, neither platform is immune from attack. Wirelurker was last year found to be capable of infecting non-jailbroken iOS devices when connected to Macs running compromised software, and Flashback infected hundreds of thousands of Macs back in 2012.

Apple recently pulled many antivirus apps from the iOS app store, though this may be because many of them performed no useful function.

Via Slashdot

Apple reportedly cracks down on antivirus apps from iOS App Store, many apps pulled

Searching for ‘antivirus’ now only shows games or Find My iPhone-esque apps.

Apple has seemingly decided to crack down on antivirus and antimalware apps, removing them from the App Store. Although there has been no official statement from Apple on a policy change, Apple’s loose guidelines allow them to pull pretty much anything at any time, particularly something like antivirus which has questionable utility within the sandboxed iOS environment of iPhones and iPads.

One casualty of the removal is Intego’s VirusBarrier. Intego says the takedown was not specific to its product, with Apple having decided that the entire category of antivirus products is now off-limits.

Grab this (Typinator, Intensify Pro, Paperless, Pixa, MacJournal, more!) Mac Bundle while it is only a buck or 2

From 9to5Toys.com:

We’ve got a nice 9to5Toys Specials deal on this evening and the best part is that it is a name your own price with the bids starting at $1.  The earlier you get in, the less you pay. Here’s the list of apps but frankly Typinator alone is worth it. Go big and 10% of your purchase price goes to a charity of your choice and you’ll be entered to win a Gold iPad 2 & iPhone 6

(Update:6:30am ET: the price is now $3.50)

  • Typinator – $32 – The program that “types” frequently used text for you
  • Hotspot Shield VPN – 1 Year Elite Subscription
  • Starry Night Enthusiast – $80 – Turn your computer into a virtual universe
  • Intensify Pro – $60 – The image enhancer for photographers of all levels
  • Spotdox 3 – $72 – Get access to all your files, on any device, anywhere
  • Data Backup 3 – $49 – Easy, powerful, and flexible backups
  • Paperless – $50 – Fuel your paper-free lifestyle
  • MacJournal 6 – $40 – Multimedia journal for the 21st century
  • Pixa – $25 – Image management and sharing app
  • Must Have Mac App Tutorial – $100 – Learn how to maximize the 9 apps included

 

Chinese Mac and iOS users targeted by new ‘WireLurker’ malware capable of infecting non-jailbroken devices

Update: Apple confirmed the security issue in a statement provided to iMore. Apple has also revoked the certificate to prevent the apps from being installed on new devices.

The New York Times reports that a security firm called Palo Alto Networks has uncovered a new form of Apple-focused malware that is capable of infecting non-jailbroken iOS devices. Typically when such software pops up, as it does from time to time, one of the key factors that allows the malicious code to run on iOS is whether the device is jailbroken. The new “WireLurker” malware, however, is installed on the mobile device over USB by an infected Mac.

These infected Mac apps are reportedly coming from the Maiyadi App Store, a third-party software storefront operated in China. Palo Alto Networks says over 400 apps in the store are affected, and have been downloaded over 356,000 times total, potentially resulting in hundreds of thousands of infected devices.

New Mac botnet malware uses Reddit to find out what servers to connect to

Mac users should beware of new malware spreading that tries to connect infected machines to a botnet for future exploitation. As detected by Dr Web, the malicious worm (dubbed Mac.BackDoor.iWorm) first checks whether any interfering applications are installed on the Mac.

If the Mac is clear, it calls out to Reddit posts to find the IP addresses of possible servers to call back to. Although these posts have been deleted, it’s not hard for the people behind the malware to repost them at a later time. Once connected to the botnet, the infected Mac can be instructed to perform almost any task the hackers want, such as redirecting browsing traffic to potentially steal account credentials.

Google-owned VirusTotal releases Mac-compatible version of malware detection app

Google-owned VirusTotal today released a version of the VirusTotal uploader application (via The Next Web) compatible with Mac OS X. Previously the software was only available for Windows-based machines.

VirusTotal Uploader works in conjunction with the VirusTotal web service to check files and links for malware. Google hopes that the release of the software for the Mac will help users more easily detect attacks on Apple’s platform. From the VirusTotal blog:

Chinese iOS malware stealing Apple IDs and passwords from jailbroken devices

Security researcher Stefan Esser (via ArsTechnica) has discovered that an issue reported on Reddit as causing crashes on jailbroken iPhones and iPads is actually a piece of malware designed to capture Apple IDs and passwords from infected devices.

This malware appears to have Chinese origin and comes as a library called Unflod.dylib that hooks into all running processes of jailbroken iDevices and listens to outgoing SSL connections. From these connections it tries to steal the device’s Apple-ID and corresponding password and sends them in plaintext to servers with IP addresses in control of US hosting companies for apparently Chinese customers.

Early indications are that the source of the malware is likely to have been from a tweak downloaded from somewhere outside of Cydia. Esser has identified that the code only runs on 32-bit devices, meaning that the iPhone 5s, iPad Air and iPad mini with Retina display are safe, while other devices are vulnerable.

The blog post says that the malware is easy to check for, but may not be easy to remove. Using SSH/Terminal, check the path /Library/MobileSubstrate/DynamicLibraries/ for the presence of either Unflod.dylib or framework.dylib.

Currently the jailbreak community believes that deleting the Unflod.dylib/framework.dylib binary and changing the apple-id’s password afterwards is enough to recover from this attack. However it is still unknown how the dynamic library ends up on the device in the first place and therefore it is also unknown if it comes with additional malware gifts.

We therefore believe that the only safe way of removal is a full restore, which means the removal and loss of the jailbreak.

Cydia developer Jay Freeman, aka Saurik, pointed out on Reddit that adding random download URLs to Cydia is as risky as opening attachments received in spam emails.
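Both jailbreak stories on this page come down to the same manual check of /Library/MobileSubstrate/DynamicLibraries/: grep the dylibs for the four KeyRaider strings (Palo Alto Networks’ instructions above) and look for the Unflod.dylib or framework.dylib filenames (Esser’s write-up here). Below is that check as an added shell script; it is not code from 9to5Mac, Palo Alto Networks or Stefan Esser. The function name scan_dylibs, the report format and the directory argument are assumptions; it only reports, leaving deletion and the password change to the user as the original advice describes.

```shell
#!/bin/sh
# Added example, not from the stories above. Read-only scan of a jailbroken
# device's MobileSubstrate extension directory for the indicators this page
# names. Run it over SSH on the device, or point it at a copied directory.

# Indicator strings quoted from the KeyRaider detection instructions.
KEYRAIDER_STRINGS="wushidou gotoip4 bamu getHanzi"
# Filenames quoted from the Unflod.dylib write-up.
UNFLOD_NAMES="Unflod.dylib framework.dylib"

# scan_dylibs [DIR]: prints one line per finding
#   "unflod <file>"                 filename matches the Unflod indicators
#   "keyraider <file> <strings...>" file contains one or more KeyRaider strings
#   "plist <file>"                  the same-named plist the advice says to remove
# and returns 1 if anything was found, 0 if the directory looks clean.
# DIR defaults to the path both stories cite (assumption: same layout).
scan_dylibs() {
    dir="${1:-/Library/MobileSubstrate/DynamicLibraries}"
    found=0
    for f in "$dir"/*.dylib; do
        [ -f "$f" ] || continue        # no .dylib files: glob stays literal
        base=$(basename "$f")
        for name in $UNFLOD_NAMES; do
            if [ "$base" = "$name" ]; then
                printf 'unflod %s\n' "$f"
                found=1
            fi
        done
        hits=""
        for s in $KEYRAIDER_STRINGS; do
            # -a treats the Mach-O binary as text so grep does not just say
            # "binary file matches"; -q suppresses output, we only want status.
            if grep -aq -- "$s" "$f"; then
                hits="$hits $s"
            fi
        done
        if [ -n "$hits" ]; then
            # Caveat: a short string such as "bamu" can occur by chance inside a
            # legitimate binary, so treat a hit as a reason to inspect, not proof.
            printf 'keyraider %s%s\n' "$f" "$hits"
            plist="${f%.dylib}.plist"
            if [ -f "$plist" ]; then
                printf 'plist %s\n' "$plist"
            fi
            found=1
        fi
    done
    return $found
}
```

Exit status 1 with findings lets the script double as a cron or SSH one-liner check; a clean directory returns 0 with no output.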

Apple SVP Phil Schiller shares report showing Android had 99% of mobile malware last year

Like he has done before, Apple’s Senior Vice President of Marketing Phil Schiller has taken to his Twitter account to share a new report highlighting a much higher amount of security threats on Android compared to iOS. Schiller linked to Cisco’s 2014 annual security report covering mobile malware trends over the last year, which happens to highlight a rise in malware on Android as one of its key takeaways:

Ninety-nine percent of all mobile malware in 2013 targeted Android devices. Not all mobile malware is designed to target specific devices, however… Many encounters involve phishing, likejacking, or other social engineering ruses, or forcible redirects to websites other than expected. An analysis of user agents by Cisco TRAC/SIO reveals that Android users, at 71 percent, have the highest encounter rates with all forms of web-delivered malware

That 71% encounter rate for web-delivered malware on Android mentioned above compares to just 14 percent for iPhone users, according to the report. The report’s finding that 99 percent of all mobile malware last year targeted Android marks an increase for Android when comparing to the last report Schiller shared. In March of last year, Schiller shared a report from security firm F-Secure that estimated Android had around 79% of all mobile malware for 2012 compared to just 0.7 percent for iOS.

Security researchers sneak malware past Apple’s App Store review using ‘Jekyll & Hyde’ approach

Researchers from the Georgia Institute of Technology managed to get a malicious app approved by Apple and included in the App Store by using a ‘Jekyll & Hyde’ approach, where the behaviour of a benign app was remotely changed after it had been approved and installed.

It appeared to be a harmless app that Apple reviewers accepted into the iOS app store. They were later able to update the app to carry out a variety of malicious actions without triggering any security alarms. The app, which the researchers titled “Jekyll,” worked by taking the binary code that had already been digitally signed by Apple and rearranging it in a way that gave it new and malicious behaviors … 
Mac-specific trojan injects ads into webpages – including Apple’s site

TNW reported on a new trojan discovered by Russian security firm Doctor Web that installs adware on Macs running any of the three most popular browsers: Safari, Firefox and Chrome. Doctor Web demonstrated that the Trojan.Yontoo.1 plugin can display ads on any site by showing it in action on Apple’s own website.

Many Mac owners still believe that OS X is immune to viruses and trojans. While it’s true the platform is well protected, a large part of the relative immunity enjoyed by Mac owners has simply been down to blackhat economics: when there were many more Windows machines around than Macs, it was less worthwhile for attackers to target Macs. As the popularity of Macs has grown, however, the platform has made an increasingly attractive target.

The trojan cannot install itself and instead relies on tricking users into downloading and installing it.

This particular trojan can get onto your Mac in multiple ways. Criminals have so far used movie trailer pages that prompt users to install a browser plugin, a media player, a video quality enhancement program, or a download accelerator. In other words, the usual schemes we’ve seen on Windows.

Once installed, the plugin sends details of the webpages you visit back to a server controlled by the bad guys and uses that info to insert relevant ads. The Apple example above shows just how slickly this can be done. On a less-familiar site, a visitor could easily see the ad as part of the site.

As ever, the advice here is to only ever download known plugins from the official sites. Never accept an invitation to download anything from a website unless you know it to be a site you can trust. We’d be surprised if many 9to5Mac readers fell victim to this, but if you have family members using your Mac who might not be as careful, Intego VirusBarrier has updated its definitions to include it.

Yet another Java vulnerability discovered, researchers recommend disabling browser plug-in

Following an attack on a small number of corporate Macs that exploited a flaw in the Java browser plug-in, researchers from security firm FireEye have warned users of yet another new Java zero-day vulnerability. According to a blog post published yesterday (via IDG), browsers running Java v1.6 Update 41 and Java v1.7 Update 15 are vulnerable to a malware attack that installs a remote access tool known as McRAT. The exploit is reportedly different from the one used to attack Facebook, Twitter, Apple, and several other companies last month. Following the earlier attack, Apple released a Java update that brought users to version 1.6.0_41. These latest vulnerabilities come after several Java updates over the last year addressing exploited flaws.

FireEye recommended users disable Java until Oracle addresses the issue:

We have notified Oracle and will continue to work with Oracle on this in-the-wild discovery. Since this exploit affects the latest Java 6u41 and Java 7u15 versions, we urge users to disable Java in your browser until a patch has been released; alternatively, set your Java security settings to “High” and do not execute any unknown Java applets outside of your organization.

Oracle provided the instructions below for uninstalling Java on Mac:
Adobe releases emergency Flash security update to address malware attacks on OS X

As noted by ArsTechnica, Adobe just released an unscheduled patch to address two vulnerabilities that could be the source of malware attacks on both OS X and Windows. Apple has also issued a KB urging users to update. According to the advisory posted by Adobe, the attacks targeted Firefox or Safari users on Mac:

Adobe is also aware of reports that CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform, as well as attacks designed to trick Windows users into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content.

The update is available through Adobe’s website here.

Apple updates OS X malware definitions for new fake-installer/SMS trojan

MacRumors noted today that Apple is using the automatic daily checks for malware definitions it implemented last year to block an OS X trojan horse discovered earlier this week. The trojan, known as “TrojanSMSSend.3666”, was originally detailed in a blog post on Dr. Web. Apple has now updated its “Xprotect.plist” blacklist so that OS X can detect it and alert the user if it is downloaded:

Apple has moved quickly to address the threat, adding definitions for the malware to its “Xprotect.plist” blacklist, which is part of the basic anti-malware tools Apple launched with OS X Snow Leopard in 2009. In its original incarnation, users were required to update definitions manually, but as malware threats against OS X grew, Apple last year instituted automatic daily checks to keep users’ systems updated.

Morcut/Crisis Mac malware capable of monitoring location, webcam, address book, more

We told you yesterday about the Trojan named “Crisis”, also referred to as “OSX/Morcut-A”, discovered for OS X, which is considered low risk for users. Today we have more details about the trojan, with security company Sophos explaining that the Morcut malware contains code for monitoring the following:

  • mouse coordinates
  • instant messengers (for instance, Skype [including call data], Adium and MSN Messenger)
  • location
  • internal webcam
  • clipboard contents
  • key presses
  • running applications
  • web URLs
  • screenshots
  • internal microphone
  • calendar data & alerts
  • device information
  • address book contents

The malware appears to have been specifically created with spying on the user as its goal. There have not been any reported cases of infected users, though, so the threat is still considered low risk.

Apple releases update to Leopard, includes Flashback removal tool

While Apple has released updates for both Lion and Snow Leopard to remove the Flashback malware that is making the rounds, the company had not released a fix for Leopard until today. Apple released a Flashback Removal Security Update for Leopard this afternoon that weighs 1.23MB. Along with removing the Flashback malware, it also disables the Java plug-in in Safari. Apple described the update:

This update removes the most common variants of the Flashback malware. If the Flashback malware is found, a dialog will notify you that malware was removed. In some cases, the update may need to restart your computer in order to completely remove the Flashback malware…To improve the security of your Mac, this update also disables the Java plug-in in Safari.

Apple also released Security Update 2012-003 for Leopard that “disables versions of Adobe Flash Player that do not include the latest security updates and provides the option to get the current version from Adobe’s website.” A similar update was issued for Lion and Snow Leopard in Safari 5.1.7, which released with OS X 10.7.4 late last week—hit up Software Update.

This is the first major update Apple has released for Leopard since Lion debuted last July. Unlike Adobe, it looks like Apple is devoted to keeping its old products up-to-date—even if the update is a few weeks behind. For those of you unaware, Adobe recently told users to upgrade from CS5 to CS6 to avoid a security flaw in older versions of its software, instead of just patching it. However, Adobe quickly backed down after receiving a ton of backlash from the community and promised an update in the coming weeks. Still sketchy.

More on the Flashback malware


Oracle finally releases first Java Development Kit for Mac OS X

When Apple confirmed in 2010 that it would no longer support Java for OS X, it also announced shortly after an agreement with Oracle to include OS X support in future versions of its OpenJDK Project to provide Java SE 7 implementation on Macs. Over a year later, Oracle has now released Java SE 7 Update 4 and JavaFX 2.1 with the first JDK to land with OS X support (via MacRumors):

This release marks Oracle’s first delivery of both the Java Development Kit (JDK) and JavaFX Software Development Kit (SDK) for Mac OS X. 

– Java developers can now download Oracle’s JDK, which includes the JavaFX SDK, for Mac OS X from the Oracle Technology Network (OTN). 

– Oracle plans to release a consumer version of Java SE 7, including the Java Runtime Environment (JRE) for Mac OS X later in 2012.

Following the original announcement in 2010, Apple’s late CEO Steve Jobs explained that his company’s practice of shipping a version of Java behind Oracle’s might “not be the best way to do it.” Of course, Apple has patched several vulnerabilities in Java in recent weeks that have led to an outbreak of malware on Macs. That vulnerability was patched by Oracle in February, months before OS X users received it.

Kaspersky: Apple is 10 years behind Microsoft on security

The last time security researchers at Kaspersky checked the state of Macs infected with the Flashback malware outbreak, it estimated roughly 140,000 were still infected. At the recent Info Security Europe 2012 conference, CBR quoted CEO and co-founder Eugene Kaspersky as claiming Apple is 10 years behind Microsoft when it comes to security:

“I think they are ten years behind Microsoft in terms of security,” Kaspersky told CBR. “For many years I’ve been saying that from a security point of view there is no big difference between Mac and Windows. It’s always been possible to develop Mac malware, but this one was a bit different. For example it was asking questions about being installed on the system and, using vulnerabilities, it was able to get to the user mode without any alarms…. 

Cyber criminals have now recognised that Mac is an interesting area. Now we have more, it’s not just Flashback or Flashfake. Welcome to Microsoft’s world, Mac. It’s full of malware….Apple is now entering the same world as Microsoft has been in for more than 10 years: updates, security patches and so on,” he added. “We now expect to see more and more because cyber criminals learn from success and this was the first successful one…. They will understand very soon that they have the same problems Microsoft had ten or 12 years ago”

Kaspersky: 30,000 Mac users left infected with Flashback, more Mac malware on the way

As of yesterday, security company Symantec released a statement claiming there were still 140,000 Macs infected from the recent Flashback malware outbreak that originally infected an estimated 600,000 Mac users. That was despite Apple issuing a Java security update to remove the malware. Today, security researchers from Kaspersky said during a press conference (via Ars Technica) that it estimated infections dropped to 30,000, while still warning more “mass-malware” on OS X is on the way:

“Market share brings attacker motivation… Expect more drive-by downloads, more Mac OS X mass-malware. Expect cross-platform exploit kits with Mac-specific exploits.”

Kaspersky also clarified that many of the Flashback infections were spread through trusted WordPress websites that had been hijacked, rather than through maliciously downloaded files as many assume. Ars explained:
