Posted by: David Harley | November 5, 2015

XcodeGhost – not yet Exorcised

…certainly not according to FireEye, whose researchers tell us that a wide range of industries are still running apps compromised by XcodeGhost-compromised apps, information based on their observations of attempts to connect to its C&C servers. The article includes a link to the 20 most active apps out of 152 monitored.

While some of the infected devices are running 9.x.x, around 70% are running on older versions. While I don’t have a problem in principle with encouraging people to upgrade to the latest version (as advocated by FireEye), it’s worth remembering that:

  1. The first release of a new iOS version sometimes seems to include some security flaws: as with all software updates, sometimes stuff gets broken that worked OK before. That doesn’t mean you shouldn’t upgrade, but it’s a good idea to keep track of early issues and minor updates.
  2. There are a lot of devices that can’t be updated to 9.x: to the best of my knowledge – I don’t track these things generally – these include iPhones prior to the 4s, versions of the iPod touch prior to the 5th Generation, and 1st Generation iPads.
  3. System updates don’t fix everything. In fact, FireEye’s article includes a little information on a variant ‘S’ that specifically addresses iOS 9 and is intended to bypass static detection.

David Harley

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.


%d bloggers like this: