Akamai Diversity

The Akamai Blog

XCodeGhost Haunts the 'Net

The DNS offers visibility into many kinds of Internet trends including various security threats. We've reported extensively on DNS DDoS and Nominum, now part of Akamai, Data Science also tracks botnet activity. In this case queries for Command and Control (C&C) domains for the recently disclosed XcodeGhost malware were observed in September. Infected development tools were reported to have been used for the popular iOS app WeChat.

As can be seen from the graphs below queries for the C&C domain: init.icloud-analysis.com associated with Xcode Ghost were observed starting in early September, jumping up on September 10, spiking the 11th and 12th  and then receding somewhat. The malware author reportedly took down the C&C server on the 11th. Infected nodes may still query even when their control is down. A patch for one of the most popular infected apps, WeChat, was released on the 12th which explains why queries dropped significantly after that. Although it's encouraging to see consumers actually patch software when informed of exposure it appears a fair number, around 10%, still hadn't even a week after the patch was released.


The next chart shows unique IPs querying for the C&C domain, a reasonable gauge of infection rates. The data set used for this analysis only reflects a small subset of mobile traffic - our estimate is roughly 1% of overall network operator traffic for this data set. Infections were observed in Asia and Europe but the data set does not include China itself where the infected apps are known to be highly popular so overall infection rates are likely to be much higher.


XcodeGhost malware has received attention since it reveals a way hackers can get apps infected with malware into Apple's App Store. Infected versions of Apple's developer tool, Xcode, appeared on a popular download site in China (reports indicate infected downloads were removed when operators of the sites were informed of the problem). Developers who used the infected tools, likely without knowing it, created infected apps. Interestingly the infected apps evaded App Store controls Apple has in place. When Apple became aware of the problem the infected apps were removed immediately.

In this case, the malware appears fairly benign, collecting information from phones and uploading it to a server. An Apple advisory stated: "We have no information to suggest that the malware has been used to do anything malicious or that this exploit would have delivered any personally identifiable information had it been used." It is less clear whether more invasive malware can be created and distributed if developers with malicious intent use the same technique.

Software developers outside large highly developed countries often face challenges. Even simple things like downloading large files can be hard and in some cases filters block access to necessary software components and tools so developers resort to secondary sources.   In this case it was easier for developers to download infected tools than legitimate versions from Apple developer sites. Apple also released tools that allow developers to verify the integrity of Xcode releases in addition to stressing the importance of downloading from known legitimate sites.   In this case there is no indication the developers intended to create and distribute malware - their actions releasing patches promptly reflect good intentions, but again it is less clear whether malicious exploits could be deployed. If it were to happen DNS data will be useful observing the results.