In an interesting bit of social engineering, hackers in China managed to convince developers to download and install a malicious version of the Apple developer tools. Developers who downloaded the malicious code kit then went on to write software that inadvertently included backdoors, the ability to push false information to phones, etc.

It was entirely possible to become a victim of malware by downloading an app whose developer had no intention of doing anything malicious. The result was the same, however.

The event is being called XcodeGhost, presumably because a ghost added code.

The normal rules of smartphone ownership sort of went out the window with this one, as it did not require a user to do anything sketchy (root, jailbreak, install from a third-party source) and was not coming from developers of ill repute, just developers who got tricked into installing what they believed were required updates.

Apple is working to remove any apps containing the XcodeGhost malware, which included a hugely popular car hailing app (unnamed), WeChat, and a music service.

The BBC is reporting that the malicious code could push notifications to trick you into giving out identifying information; however, the details of what else it could possibly do are not listed.

There are no numbers as of yet for how many apps were infected, nor do I see any assurances that the same thing wasn’t going on in the US version of the App Store.

It seems as though Apple could probably add a layer of security to verify that the compiler/app development kit had not been tampered with prior to code signing. It will be interesting to see how this develops.
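The check suggested above (make sure the toolchain is untouched before it is used to build and sign anything) boils down to pinning hashes of a trusted install and comparing the installed toolchain against them on every build. The script below is an added example, not code from the original post or from Apple; it works on any directory tree, and the tiny "toolchain" it checks is a constructed sample with hypothetical file names, not a real Xcode install.

```python
"""Toolchain integrity check (added example).

Pin SHA-256 hashes of a trusted toolchain install, then re-verify the
on-disk toolchain before it is used to build and code-sign an app, so
tampering of the XcodeGhost kind (altered or injected components) is
caught before it ends up inside a signed binary.
"""
import hashlib
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256.
    Run this once against a toolchain you trust and store the result."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = file_sha256(p)
    return manifest


def verify_toolchain(root: Path, pinned: dict) -> dict:
    """Compare the installed toolchain with the pinned manifest.

    Returns {'modified': [...], 'added': [...], 'missing': [...]}; all three
    lists empty means the toolchain matches the trusted install. A build
    pipeline should refuse to sign if any list is non-empty."""
    current = build_manifest(root)
    modified = sorted(f for f in pinned if f in current and current[f] != pinned[f])
    added = sorted(f for f in current if f not in pinned)
    missing = sorted(f for f in pinned if f not in current)
    return {"modified": modified, "added": added, "missing": missing}


def is_clean(report: dict) -> bool:
    return not (report["modified"] or report["added"] or report["missing"])


def demo() -> dict:
    """Constructed sample: pin a small fake toolchain, verify it (clean),
    then alter one component and drop in an unexpected file (hypothetical
    names, not real Xcode paths) and verify again (tampered)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "usr" / "bin").mkdir(parents=True)
        (root / "sdk").mkdir()
        (root / "usr" / "bin" / "compiler").write_bytes(b"clean compiler stub\n")
        (root / "sdk" / "Framework").write_bytes(b"clean framework stub\n")

        pinned = build_manifest(root)          # stored from the trusted install
        before = verify_toolchain(root, pinned)

        # Simulated tampering: a compiler component changed, a file injected.
        (root / "usr" / "bin" / "compiler").write_bytes(b"clean compiler stub\n+extra\n")
        (root / "sdk" / "Injected.o").write_bytes(b"unexpected object\n")
        after = verify_toolchain(root, pinned)

        return {"before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    print("clean install:", "OK" if is_clean(result["before"]) else result["before"])
    print("after tampering:", result["after"])
```

The pinned manifest only helps if it is produced from an install obtained through a trusted channel and stored somewhere the build machine cannot silently overwrite; on macOS the Gatekeeper assessment `spctl --assess --verbose /Applications/Xcode.app` checks the installed Xcode's signature, and the script above is the portable pin-and-compare form of the same idea, gating the signing step rather than the download.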