What You Need to Know About iOS Malware XcodeGhost
Sunday September 20,
Earlier this week, Chinese developers disclosed new iOS malware called XcodeGhost on microblogging service . U.S. cybersecurity firm Palo Alto Networks has since
about the malware.
MacRumors has created a FAQ so you can learn more about XcodeGhost and how to keep your iOS devices protected.
What is XcodeGhost?
XcodeGhost is a new iOS malware arising from a malicious version of Xcode, Apple's official tool for developing iOS and OS X apps.
How is XcodeGhost distributed?
A malicious version of Xcode was uploaded to Chinese cloud file sharing service Baidu and downloaded by some iOS developers in China.
Chinese developers then unknowingly compiled iOS apps using the modified Xcode IDE and distributed those infected apps through the App Store.
Those apps then managed to pass through Apple's code review process, enabling iOS users to install or update the infected apps on their devices.
Which devices are affected?
iPhone, iPad and iPod touch models running an iOS version compatible with any of the infected apps. The malware affects both stock and jailbroken devices.
Which apps are affected?
Palo Alto Networks has shared a , including WeChat, NetEase Cloud Music, WinZip, Didi Chuxing, Railway 12306, China Unicom Mobile Office and Tonghuashun.
How many users are affected?
XcodeGhost potentially affects more than 500 million iOS users, primarily because messaging app WeChat is very popular in China and the Asia-Pacific region.
Which unofficial versions of Xcode are affected?
All unofficial versions between Xcode 6.1 and Xcode 6.4.
How does XcodeGhost put my iOS devices at risk?
iOS apps infected with XcodeGhost malware can and do collect information about devices, then encrypt and upload that data over HTTP to command and control (C2) servers run by the attackers. The system and app information that can be collected includes:
Current time
Current infected app’s name
The app’s bundle identifier
Current device’s name and type
Current system’s language and country
Current device’s UUID
Network type
Palo Alto Networks also
that infected iOS apps can receive commands from the attacker through the C2 server to perform the following actions:
Prompt a fake alert dialog to ph
Hijack opening specific URLs based on their scheme, which could allow for exploitation of vulnerabilities in the iOS system or other iOS
Read and write data in the user’s clipboard, which could be used to read the user’s password if that password is copied from a password management tool.
Can XcodeGhost affect users outside of China?
Yes. Some of the iOS apps infected with XcodeGhost malware are available on the App Store in countries outside of China. CamCard, for example, is a popular business card reader and scanner app available in the United States and several other countries, while WeChat is a popular messaging app in the Asia-Pacific region.
Why would some Chinese developers download Xcode from Baidu?
Xcode is a large file that can take a long time to download from Apple's servers in China, leading some developers to download Xcode from unofficial sources.
How are Apple and Chinese developers dealing with XcodeGhost?
Palo Alto Networks claims that it is cooperating with Apple on the issue, while multiple developers have updated their apps to remove the malware.
Apple has since issued the following statement to : "We’ve removed the apps from the App Store that we know have been created with this counterfeit software. We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps."
How do I protect myself against XcodeGhost?
iOS users should immediately uninstall any infected iOS app on their devices, or update to a newer version that has removed the malware. Resetting your iCloud password, and any other passwords entered on your iOS device, is also strongly recommended as a precautionary measure.
Developers should install official versions of
from Apple's website for free and avoid downloading the software from unofficial sources.
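As an added example (not code from the article, Apple or Palo Alto Networks), the check a developer can run to confirm that an installed Xcode is Apple's own signed build: macOS's Gatekeeper tool, `spctl --assess --verbose`, prints a verdict and a signing source, and only an accepted verdict whose source is the Mac App Store, Apple or Apple System should be trusted. The sample verdict strings below are constructed; a copy re-signed with a third-party Developer ID is accepted by Gatekeeper yet is still not Apple's build, which is why the source line is checked as well.

```shell
#!/bin/sh
# Added example, not from the MacRumors article. Decides whether an Xcode.app
# is the genuine, Apple-signed build by parsing the verdict that macOS's
# Gatekeeper tool (`spctl --assess --verbose`) prints for the bundle.
# A re-signed or unsigned Xcode, the XcodeGhost scenario, fails this check.

# Returns 0 when the verdict text says "accepted" AND the signing source is one
# Gatekeeper attributes to Apple; any other verdict or source returns 1.
xcode_assessment_ok() {
    verdict="$1"
    case "$verdict" in
        *": accepted"*) ;;           # must be accepted at all
        *) return 1 ;;
    esac
    case "$verdict" in
        *"source=Mac App Store"*|*"source=Apple System"*|*"source=Apple"*)
            return 0 ;;
        *) return 1 ;;               # e.g. Developer ID or no usable signature
    esac
}

# Live check: only meaningful on macOS, where spctl exists.
check_installed_xcode() {
    app="${1:-/Applications/Xcode.app}"
    out=$(spctl --assess --verbose "$app" 2>&1) || true
    if xcode_assessment_ok "$out"; then
        printf 'OK: %s passes Gatekeeper assessment\n%s\n' "$app" "$out"
    else
        printf 'WARNING: %s is not an Apple-signed Xcode\n%s\n' "$app" "$out"
        return 1
    fi
}

# Constructed sample verdicts in the two-line format spctl --verbose prints.
GENUINE_VERDICT='/Applications/Xcode.app: accepted
source=Mac App Store'
# Tampered copy re-signed with a third-party Developer ID: Gatekeeper accepts
# it, but it is not from Apple, so it must still be rejected here.
RESIGNED_VERDICT='/Applications/Xcode.app: accepted
source=Developer ID'
# Unsigned copy: Gatekeeper rejects it outright.
UNSIGNED_VERDICT='/Applications/Xcode.app: rejected
source=no usable signature'

# Run the live check only when executed on a Mac that has Xcode installed.
if [ "$(uname 2>/dev/null)" = "Darwin" ] && [ -d /Applications/Xcode.app ]; then
    check_installed_xcode
fi
```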
darn it, I thought only android gets malware.
WeChat is used in many countries :(
Seriously what developer who knows anything about security is going to download an IDE from a non official source?
That's like downloading an OS from The Pirate Bay and being shocked the file was injected with malicious code.
Rating: 63 Votes
I'm sorry but how can a developer be such an idiot (please don't ban me, there's no other word to describe the patient's condition) to download Xcode from a Chinese cloud file sharing service????
Rating: 56 Votes
How do I protect myself against XcodeGhost?
iOS users should immediately uninstall any infected iOS app listed here ('/2015/09/malware-xcodeghost-infects-39-ios-apps-including-wechat-affecting-hundreds-of-millions-of-users/') on their devices, or update to a newer version that has removed the malware. Resetting your iCloud password, and any other passwords inputted on your iOS device, is also strongly recommended as a precautionary measure.
My thought is I am all done with any company that would use an Xcode version they got from a file sharing site rather than Apple directly. I would never trust them again.
Rating: 48 Votes
Can't you just list all 39 apps? Looks like the servers from Palo Alto Networks can't handle it.
Infected iOS apps
网易云音乐
讯飞输入法
4.0.0.6-4.0.0.0
3.9.7.1 – 3.9.7
51卡保险箱
中信银行动卡空间
中国联通手机营业厅
网易公开课
快速问医生
CamScanner
SegmentFault
炒股公开课
电话归属地助手
愤怒的小鸟2 2.1.1
夫妻床头话
Fox-IT, a Netherlands-based security company, checked all C2 domain names from our reports in their network sensors and has found thousands of malicious traffic outside China. According to their data, these iOS apps were also infected:
Musical.ly
guaji_gangtai en
Perfect365
网易云音乐
PDFReader Free
WinZip Standard
MoreLikers2
CamScanner Lite
MobileTicket
OPlayer Lite
golfsensehd
Wallpapers10000
CSMBP-AppStore
ChinaUnicom3.x
snapgrab copy
PocketScanner
AmHexinForPad
SuperJewelsQuest2
InstaFollower
CamScanner Pro
DataMonitor
FlappyCircle
BiaoQingBao
Guitar Master
WinZip Sector
Quick Save
Rating: 28 Votes
So... It begins.
iOS has been breached through the one thing that kept us safe. The App Store.
Rating: 27 Votes
I don't think that's a correct analysis of the situation.
What has really happened here? Developers have used the wrong tool (we'll discuss that later) and that tool has embedded some unwanted additional code in their apps. BUT look what still worked
- each broken app STILL has to be submitted to the app store, with identification and an audit trail
- even when the app is on an iOS device, there are severe limits to what it can do. It still can't break out of the OS protections, randomly control the device, etc. The type of info being sent back to base is, let's face it, not THAT serious --- not ideal, but not control of the machine.
- The items that ARE problematic (and which Apple should work on fixing) are items that were problematic before we knew about this, and that have been used in other contexts --- the ability to phish for passwords by throwing up fake dialog boxes, and the way the current sandboxing FORCES Password apps like 1Password to transfer data over the Clipboard.
What this REALLY provides is a way to throw out a bunch of these phishing scams in a way that can't be traced back only to the developer using the wrong tool.
Which gets us to that issue. I don't know enough about XCode to know what was and was not breached on that front. Obviously the entire XCode package should be signed, and obviously if you're stupid enough to install an XCode package that complains about being unsigned, you're setting yourself up for trouble. But blaming the victim, especially when the security landscape changes every year is not helpful --- how could Apple do better?
You can't really avoid people being able to write their own compilers and dev tools, and you can't stop those dev tools from doing god knows what to the code they create --- this has been known since Pike's infamous C compiler of the early seventies.
What you SHOULD be able to do is not allow code that has been created by such dev tools into the app store. THAT seems to be the flaw that needs to be fixed --- that any tool that's generating binaries that will land up in the store needs to be provably signed. But I don't know how feasible that is. Obviously the last stage (the actual store submitter app) is provided by Apple and signed, and using the developers signature. But what about the linker beforehand? And the compiler before that? And you then need the binaries passed between the two to be encrypted? It's just totally inimical to the current expected model of how we code.
So what about at a higher level? Do something that's an ugly hack, but basically FORCE that any installer that calls itself "XCode" has to be signed no matter what? That's one package that you can't install regardless of your GateKeeper settings except from Apple. But then you get a whack-a-mole of packages called "XCode 7" and "XCode!" and "XCode Pro".
Good analysis, but there is something Apple could have done, and I have been saying as much for over a year. Here's the more strongly worded one:
They should ban their in-house teams from throwing up a password request box. Absolute ban. It has got out of hand recently with stock apps asking for the password without any justification or explanation and pretty much at random. I've said it over and over, Apple have been training their users for exactly this scenario - enter password whenever anyone asks. If an app needs the iCloud password it should instruct the user to enter it in the appropriate settings page. Train users: only the settings app should be trusted with passwords.
Rating: 26 Votes
And how hard is it to actually read the original article, which addresses this?
Why would some Chinese developers download Xcode from Baidu?
Xcode is a large file that can take a long time to download from Apple's servers in China, leading some developers to download Xcode from unofficial sources.
Why can't Apple sign the Xcode so it will only work if it's downloaded from Apple servers?
Rating: 24 Votes
If infected apps can pass through Apple's iOS app gates it undercuts Apple's security rational for insisting on a Walled Garden.
No, it doesn't, because once Apple recognizes that kind of a problem, they can also fix it from that one central location. Without that "walled garden" approach, every user would now have to install a malware scanner and hope that it will get updated with profiles for the new malware.
Admittedly I know zip about coding but seems Apple is betraying its users here and could have avoided this situation. Hopefully this is a wake-up call.
How could Apple have avoided that situation? How did Apple betray its users? Apple did not force anyone to download a compromised Xcode version. The only "mistake" Apple made was not to recognize the malware in the review process. But that is hardly trivial.
Oh, no I just realized that you already said "I have no clue about the topic at hand, but I will make unfounded claims!"
Rating: 17 Votes
If that Chinese hacker has enough skills to bypass the App Store review process and infect 500 million devices I'm wondering if this is just the tip of the iceberg.
Rating: 14 Votes
Right? How hard is it to
and go from there?
And how hard is it to actually read the original article, which addresses this?
Why would some Chinese developers download Xcode from Baidu?
Xcode is a large file that can take a long time to download from Apple's servers in China, leading some developers to download Xcode from unofficial sources.
Rating: 13 Votes
The dark side of venture capital: Five things startups need to know - TechRepublic
Nearly $27 billion was invested by venture capitalists in 2012. That $27 billion was spread across 3,723 deals, putting the average deal at a little over $7 million. While that number may seem staggering to many people, it's about average for VC investments made since the dot-com bubble burst between 2000 and 2001, according to the
(NVCA). Yes, the economic impact of the dot-com bubble was horrendous, but it did spawn a renewed sense of innovation in startup development. Companies are running leaner than ever, and because of that VCs are more willing to invest in companies that don't pride themselves on their burn rate. Still, raising venture capital funding can be a risky business if you aren't realistic about what to expect. Here are some things to think about if you are considering raising your first round.
1. Statistically, you will fail
The venture capital investment process is a complicated one and potential companies are vetted thoroughly before they are committed to. With that being said, just because your company is backed by a major VC you aren't guaranteed success. Think about those 3,723 deals that happened in 2012. In that same year there were only 49 IPOs and 449 mergers and acquisitions (M&A) deals. Granted, those exits came from companies that were invested in probably a decade ago, it is still an interesting ratio to consider. Micah Rosenbloom, a venture partner at , said that historically, only one out of every 10 companies that a firm invests in with a given fund will be successful. That's not to say that all of the remaining companies will fail, though. According to Tomasz Tunguz, a partner at , "Typical portfolio company failure rates across the industry defined as either shutdowns or returning capital are roughly 40%-50%."
This isn't to discourage hopeful founders that are seeking capital, but to ground your expectations in reality. Besides, entrepreneurship is about having the courage to fail, right? The fact that you are more likely to fail is a fact of life for venture-backed companies; it is not an expectation for the VCs making the investment. "You never invest in a company thinking that it will fail," Tunguz said. A VC investment in your company does not guarantee success, but it does mean you have someone in your corner who believes you have what it takes to make this thing work. Once you have a VC in your corner, you have to make sure you are in sync on what it will take to make this a worthy investment. More importantly, you have to know how long it will take for this investment to pay off.
2. There is a timeframe for ROI
"Typical venture funds are structured as 10 year commitments for the limited partners who invest in the fund," Tunguz said. Venture capital firms are ten-year vehicles for investors, but that doesn't mean that all companies will be ten years old when they return on the investment. Rosenbloom mentioned that initial investments are made in the first three years. After the portfolio has been established, a firm will typically make follow-on investments over the remainder of the fund's lifecycle. Ten years may sound like a long time, but you have to consider how long companies like Coca-Cola have been around (since 1892) and some companies that were started in the 2000s have a comparable valuation to Coke. Founders Collective is usually the first institutional round in a company, and Rosenbloom said that they aren't looking for the next cool invention. "As a venture capital firm, we are not in the business of funding inventors or inventions, we are in the business of funding fast-growing companies," Rosenbloom said. Considering the first three years as initial investments, a company could only have seven years to "make it."
Some VCs, like Rosenbloom, consider seven years the average age for ROI, and the data from NVCA supports that claim. The NVCA reported in their
that, of the 49 IPOs that happened in 2012, the median age for IPO was 7 years old and the mean age for a company to IPO was 8 years old. While some have argued that it is taking longer for startups to mature, Tunguz argues, "The gestation period will likely fall some because of the tremendous exit activity in M&A and IPOs in the last 24 months." To help you make it through the whirlwind of growth that can happen after an investment, you have to know how much capital you need and when you need it.
3. You can take too much funding
"All too often, entrepreneurs will think of raising a Series A round from a reputable VC as the end goal and don't think they can be successful unless they do so. So they reprioritize raising capital over building a valuable product or service and usually end up asking for too much money too soon, which ends up in a failed fundraising attempt or a raise on bad terms for the entrepreneur," said Hrach Simonian, a principal at . As I mentioned in a , knowing how much money you need can make all the difference in your venture capital experience. It starts by understanding how much money you need and only raising that much money. Raising too much money can force entrepreneurs to make decisions they aren't ready to make. "If you raise too much money, you have to swing for the fences," Rosenbloom said. You want the amount of money you raise to coincide with the benchmark you are trying to hit. If you don't have a specific benchmark in mind (which you really should), a good rule of thumb is to consider the amount of capital it takes to sustain your operations for 18 months, then add 25-50 percent for added flexibility and seek to raise that amount of money. Tunguz said that raising too much capital is far from the gravest sin to be committed by an entrepreneur, "But having a huge sum of money in the bank can entice founders to dramatically increase burn rate or diffuse the company's energy among many projects. It can be challenging to maintain the same execution discipline created by the scarcity of capital when the bank account is overflowing." Another risk of raising too much capital is setting the bar too high for your exit. By doing so you will run the risk of not being able to grow into the expectation that was set by raising a large amount of money. Remember to raise enough to get yourself to the next stage where you can assess whether or not you need to raise more money. Keep in mind that once you choose a firm and raise those funds, that VC will probably get a permanent seat on your board of advisors. Choose carefully, because you are usually stuck with that investor for good.
4. You can't fire your VC
Too many founders abdicate their due diligence when it comes to the firms they end up pitching. Each venture capital firm has its own general focus on specific sectors or verticals. Taking that to a more granular scale, each partner within each specific firm maintains investments in a focused area of expertise. Founders typically don't appreciate the incentive structure on the side of the fund, which is based on the size and the dynamics of that fund. Understand how the fund makes money to determine if it is a good fit for you. The size of the fund will be a good determinant for whether or not your company will present a quality investment opportunity for the partners. You have to think of your VC firm as another partner in your business.
This leads to one of the single most important aspects of your startup/VC relationship: Make sure your goals for your company line up with your VC's goals for his or her investment. By aligning your goals with those of your VC, you can help potentially avoid a disaster scenario.
"The disaster scenario is that the founding team wants to do something different than the board," Tunguz said.
The risk/reward curves are different for entrepreneurs than they are for VCs, and board members (including your VC) have a legal responsibility to take into account the goals of the investors. So, if your company is losing steam and an acquisition opportunity comes along that is in the best interest of your investors, they might push you to take it, even if it means you don't get paid. But, of course, you can avoid all that potential heartache by not taking funding to begin with.
5. Failure isn't death
Micah Rosenbloom describes venture capital as jet fuel. If you want to drive somewhere 100 miles away, you'll probably drive there. If you want to get from New York to Los Angeles, you're going to have to fly, and you will need fuel to power that jet. Venture capital gives you potential: the potential for major success and the potential to fail spectacularly. The good news here, the gospel of venture capital if you will, is that failure is not the end of the story if you play your cards right. Despite stereotypes, most VCs are actually looking to build relationships with entrepreneurs, not just make money off of them. "The Valley is small, and life is long," Tunguz said. According to Tunguz, when it comes to his work at Redpoint Venture, great relationships are the motivation, because even if you fail it's not the end of the world. What is much more important is how you fail and how transparent you are throughout the process. If you keep people informed when you hit a snag and ask for help with a problem, you can build trust with your investors.
Venture capital investors want to know that you will be a good steward of the funds they placed under your control. If you can prove yourself a highly competent entrepreneur and someone who will push as hard as they can to make an idea work, failure will not mean the end of your career as an entrepreneur. At that point, even if you fail, past investors and people involved with your company will be far more likely to fund your next project if they trust the way you work. As an entrepreneur, burning bridges is unwise. Treat people with respect to build social capital, but don't see them as just a resource either. Other than that, always remember that if you're going to fail, fail big and go down swinging.
About Conner Forrest
Conner Forrest is News Editor for TechRepublic. He covers startups and enterprise technology and is passionate about the convergence of tech and culture.
Conner Forrest has nothing to disclose. He doesn't hold investments in the technology companies he covers.