XCodeGhost



  • This level of stupidity deserves its own place.

    Know what the whole deal with the latest iOS exploit is? Very simple.

    Some stupid Chinese developers, instead of downloading XCode from the official Apple site, decided to download it from an unsecure source (Dropbox or GDrive) which, of course, was hacked and injects malicious code on the built software. Now, you would think those are the Chinese developers of the usual crapware you can find in the App Store, but you'd be wrong. These "developers" are the ones behind some of the most popular apps in China like WeChat, CamCard or Didi Kuaidi.

    Now, you'd think this is limited to the Chinese because, well, Chinese labor. You are wrong again, because stupidity is not limited to those behind the Great Firewall. Here are some Chinese and non-Chinese iOS apps infected:

    LifeSmart
    OPlayerHD Lite
    WeChat
    WinZip
    10000+ Wallpapers for iOS
    Angry Birds 2 (China)
    Camcard Business
    CamScanner
    SegmentFault
    Mercury
    Musical.ly
    PDFReader
    Perfect365
    White Tile
    iHexin
    MoreLikers2
    MobileTicket
    iVMS-4500
    Qyer
    Golfsense
    MSL108
    ChinaUnicom2x
    tiny deal.com
    Snapgrab.copy
    iOBD2
    PocketScanner
    CuteCUT
    AmHexinForPad
    SuperJewelsQuest2
    air2
    InstaFollower
    CamScanner Pro
    baba
    WeLoop
    DataMonitor
    MSL070
    nice dev
    immtdchs
    OPlayer
    FlappyCircle
    BiaoQingBao
    SaveSnap
    Guitar Master
    jin
    WinZip Sector
    Quick Save
    Didi Chuxing
    Micro Channel
    Railway 12306
    The Kitchen
    Freedom Battle
    Marital bed
    NetEase

    Edit 1

    For how long has this been happening? No one knows, but it could be months.

    Now, is this Apple's fault? I don't think so. I mean, for as much as you can test the apps during the certification process, this probably happened with updates (which are not as thoroughly tested as new ones) and from well-known sources. So I understand Apple's employees' confidence in the quality of those apps and not thinking: maybe these morons sent some infected shit.

    Edit 2

    These guys seem to maintain a good list: http://9to5mac.com/2015/09/21/xcodeghost-infected-apps/

    Rovio has advised that only the version of Angry Birds 2 in the Chinese App Store was affected.



  • So let me make sure I understand this: When I wrote an iOS app for my last company, Apple rejected it because we had a link in the main menu to our online help and getting started guides, which was somehow Not Cool™. But these guys can use a hacked XCode which generates malicious apps, and they make it through? :facepalm:


  • area_deu

    @Eldelshell said:

    WinZip

    LOLWHAT


  • :belt_onion:

    @Eldelshell said:

    WinZip

    That's a thing, still?

    @Eldelshell said:

    nice dev

    After this, many people might question that.

    @Eldelshell said:

    WinZip Sector

    Oh, more than one?

    Kinda relevant (money shot about 15 seconds in, timestamp set to where it is to keep some semblance of context):

    LGR - IBM PS/2 Computer Motherlode – [20:40..38:49] 38:49
    — Lazy Game Reviews

    Edit: beaten to the punch by @aliceif while looking for the timestamp! Grrr!



  • Well, that's a functional thing any 2¢ tester can see. A malware build, not that easy.



  • Yep:

    @Onyx said:

    That's a thing, still?

    Why can't I navigate a fucking web page without iTunes? Stupid Apple.


  • :belt_onion:

    Your link sends me to the iTunes download page. For Windows. Well... that's nice.



  • Yeah, me too. You need another malware to navigate Apple's app store: iTunes.


  • area_deu

    That link tells me that this App is not available in Germany ... which probably means that your attempt would have been futile nonetheless.



  • So much for: walled garden, because Security!



  • Next step for Apple:

    "You send us your source code, we'll build it."



  • Even if they do, Microsoft is working on an Obj-C compiler that spits out Windows Store apps, iirc. So you could just ignore Apple if they do that.

    Though I'm sure you're joking. I mean, no one is that stupid.


  • Discourse touched me in a no-no place

    @Eldelshell said:

    Why can't I navigate a fucking web page without iTunes?

    It's the crApp Store…


  • sockdevs

    @Kian said:

    Next step for Apple:

    "You send us your source code, we'll build it."

    The fury if that happens will be colossal because a non-trivial chunk of what ends up in the store is not entirely built from source that the user can supply.

    Consider cases like Unity where the black box that is the UnityEngine is compiled in and you don't get the source code to that, so you can't just give Apple all the source code and let them build.


  • Discourse touched me in a no-no place

    @Arantor said:

    The fury if that happens will be colossal because a non-trivial chunk of what ends up in the store is not entirely built from source that the user can supply.

    Which means that Apple would stand firm on it. :smiley:


  • sockdevs

    Apple is stubborn but not stupid. There is quite an ecosystem out there that Apple doesn't want to piss off.

    Bear in mind: this would be the second time they tried it - http://www.alphr.com/news/357121/apple-bans-flash-from-iphone-and-ipad for example.



  • @Eldelshell said:

    Some stupid Chinese developers, instead of downloading XCode from the official Apple site, decided to download it from an unsecure source (Dropbox or GDrive) which, of course, was hacked and injects malicious code on the built software.

    ...wait, isn't XCode free?

    WTF were these people thinking?



  • @powerlord said:

    ...wait, isn't XCode free?

    WTF were these people thinking?

    Couldn't download it very quickly apparently.
    Apple are now providing local Chinese download sources for it.

    Chinese app developers have told Reuters they resorted to downloading the tainted software kit for developers from unofficial, third-party sources because of slow speeds downloading from Apple's official servers located overseas. Many complained the U.S. tech giant should do more to support developers in the company's second-biggest market.



  • @Magus said:

    Though I'm sure you're joking. I mean, no one is that stupid.

    I am, but since my work (if I ever get started on it) will be a research project rather than something literally billions of people rely on daily, I think I can afford to get away with it.

