XcodeGhost Infected Apple Apps Are Still Being Used

Security firm FireEye contends that 210 enterprises are still using XcodeGhost infected applications, deeming the malware a “persistent security risk.”

FireEye researchers have discovered that plenty of U.S.-based enterprises are still using infected applications that contain the XcodeGhost malware, a counterfeit version of Apple’s application development toolkit Xcode.

In a blog post, the security firm describes the continued presence of the XcodeGhost malware as a “persistent security risk,” because applications infected by it are still in use.

Dubbed XcodeGhost, the malware compromises applications built with the tampered toolkit by embedding hidden code that collects user and device information from every device on which an infected application is installed.

The developers behind the infected applications most likely downloaded the counterfeit toolkit unknowingly, since the Chinese national firewall makes downloads through Apple’s official channels slow and frequently delayed.

In what is widely regarded as the first major malware outbreak to affect applications in Apple’s notoriously hard-to-crack App Store, Apple removed the infected applications and insisted that developers rebuild clean versions of them.


Since that removal, many of the applications have been restored. Despite the updated versions, many end users continue to run the infected builds on their devices; for instance, FireEye notes that 70 percent of the affected Apple mobile devices still haven’t upgraded to iOS 9.

These applications continue to contact the command-and-control (C&C) servers hosted by the developers of XcodeGhost. Among the infected applications is the popular WeChat messaging app, which is used by hundreds of millions of people.

The fact that the C&C servers are still up and running while infected apps keep trying to reach them is concerning for several reasons. The C&C communications are also unencrypted, leaving them open to hijacking by other attackers who could use the collected information for their own purposes.

To tackle these issues, some companies have begun blocking network traffic and DNS queries destined for the XcodeGhost C&C servers.

However, FireEye adds:

Until these employees update their devices and apps, they are still vulnerable to potential hijacking of the XcodeGhost C&C traffic – particularly when outside their corporate networks.
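A defender-side illustration of the DNS blocking described above, added here as an example and not taken from FireEye's post: it scans constructed DNS query log lines for lookups of C&C hostnames and reports which internal clients are still beaconing, which is how an enterprise can find the devices that still need app and iOS updates. The hostnames are placeholders, not XcodeGhost's real C&C domains (this article does not list them), and the dnsmasq-style log format is assumed.

```python
import re
from collections import defaultdict

# Placeholder C&C zones. The article does not name XcodeGhost's actual
# domains; replace these with indicators from a trusted source.
CNC_ZONES = {"c2-placeholder.example", "beacon-placeholder.invalid"}

# Constructed sample lines in a dnsmasq-style "query[TYPE] <name> from <ip>" format.
SAMPLE_LOG = """\
Mar 10 09:12:01 dns dnsmasq[1234]: query[A] www.apple.com from 10.0.1.20
Mar 10 09:12:03 dns dnsmasq[1234]: query[A] init.c2-placeholder.example from 10.0.1.20
Mar 10 09:12:05 dns dnsmasq[1234]: query[AAAA] beacon-placeholder.invalid from 10.0.2.7
Mar 10 09:12:06 dns dnsmasq[1234]: query[A] notc2-placeholder.example from 10.0.3.9
Mar 10 09:12:09 dns dnsmasq[1234]: query[A] INIT.C2-Placeholder.example. from 10.0.1.20
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")


def is_cnc_name(name: str) -> bool:
    """True if name equals a C&C zone or is a subdomain of one.

    Case-insensitive; a trailing dot (FQDN form) is ignored. Plain substring
    matching is avoided so 'notc2-placeholder.example' is not a false positive.
    """
    name = name.lower().rstrip(".")
    return any(name == zone or name.endswith("." + zone) for zone in CNC_ZONES)


def find_beaconing_clients(log_text: str) -> dict:
    """Map each client IP to the number of C&C lookups it made."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_cnc_name(m.group("name")):
            hits[m.group("client")] += 1
    return dict(hits)


if __name__ == "__main__":
    for client, count in sorted(find_beaconing_clients(SAMPLE_LOG).items()):
        print(f"{client}: {count} C&C lookup(s); device likely still runs an infected app")
```

The same zone list can feed a resolver blocklist, but as the quote above notes, a resolver-side block only protects devices while they are on the corporate network.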