[BreachExchange] Apple kept mum about XcodeGhost malware attack against 128M users

Destry Winant destry at riskbasedsecurity.com
Thu May 13 10:38:07 EDT 2021


https://www.hackread.com/apple-xcodeghost-malware-attack-against-users/

According to reports, nearly 128 million iOS users downloaded apps
containing the XcodeGhost malware but Apple did not inform victims about
the attack.
In March 2021, Hackread.com reported the supply-chain attack in which
XcodeSpy malware was used to target developers using the Xcode integrated
development environment, and similar malware was used back in 2015. It
was codenamed XcodeGhost, and it allowed attackers to insert malicious code
into legitimate apps at build time, using rogue versions of Xcode downloaded
from third-party websites rather than from Apple.

It must be noted that Xcode is Apple's own development environment for iOS
and macOS apps, so a trojanized copy taints every app compiled with it. Back
then, it was reported that Apple stopped the attack quickly.
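The check a developer would want against this class of attack, added here as an example and not code from the Hackread article or from Apple: confirm that the installed Xcode.app passes a Gatekeeper assessment and that Gatekeeper attributes it to Apple, since a re-signed or unsigned bundle from a third-party mirror will not. The script wraps the real macOS command `spctl --assess --verbose <path>` and parses its output; the set of sources treated as genuine follows Apple's 2015 guidance and is an assumption to re-check against current Apple documentation, and the sample outputs used to exercise the parser are constructed.

```python
"""
Gatekeeper check for a trojanised Xcode (XcodeGhost-style attack).

Added example, not code from the article. It runs the real macOS command
`spctl --assess --verbose <path>` and parses the verdict. The set of
sources accepted as genuine Apple distribution is an assumption based on
Apple's 2015 guidance; re-check it against current Apple documentation.
"""
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional

# Assumption: only these Gatekeeper "source=" values indicate an Xcode that
# came from Apple. Anything else (e.g. "Developer ID", "no usable signature")
# means the bundle was re-signed or tampered with and must not be trusted.
TRUSTED_SOURCES = {"Mac App Store", "Apple", "Apple System"}

DEFAULT_XCODE_PATH = "/Applications/Xcode.app"


@dataclass
class Assessment:
    path: str
    accepted: bool          # did Gatekeeper accept the bundle at all?
    source: Optional[str]   # the "source=" line, if present
    trusted: bool           # accepted AND source is an Apple source


def parse_spctl(output: str, path: str = DEFAULT_XCODE_PATH) -> Assessment:
    """Parse spctl output of the form (constructed sample):

        /Applications/Xcode.app: accepted
        source=Mac App Store

    An explicit "rejected" line wins over anything else, so a bundle that
    is rejected but carries a trusted-looking source is still untrusted.
    """
    accepted = False
    rejected = False
    source: Optional[str] = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.endswith(": accepted"):
            accepted = True
        elif line.endswith(": rejected"):
            rejected = True
        elif line.startswith("source="):
            source = line[len("source="):].strip()
    accepted = accepted and not rejected
    trusted = accepted and source in TRUSTED_SOURCES
    return Assessment(path=path, accepted=accepted, source=source, trusted=trusted)


def run_spctl(path: str = DEFAULT_XCODE_PATH) -> str:
    """Run Gatekeeper's assessment (macOS only). The verdict may land on
    either stream, so both are captured and joined."""
    proc = subprocess.run(
        ["spctl", "--assess", "--verbose", path],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout + proc.stderr


def assess_xcode(path: str = DEFAULT_XCODE_PATH) -> Assessment:
    """Assess the Xcode bundle at `path`; trusted only if Apple-signed."""
    return parse_spctl(run_spctl(path), path)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_XCODE_PATH
    result = assess_xcode(target)
    verdict = "OK: Apple-signed" if result.trusted else "UNTRUSTED: reinstall Xcode from Apple"
    print(f"{result.path}: accepted={result.accepted} source={result.source!r} -> {verdict}")
    sys.exit(0 if result.trusted else 1)
```

Run it as `python3 check_xcode.py /Applications/Xcode.app` on the build machine; a non-zero exit means the bundle is not attributable to Apple. Note that an "accepted" verdict with a "Developer ID" source is deliberately treated as untrusted: a rogue distributor can sign a modified Xcode with a perfectly valid developer certificate, so acceptance alone proves nothing about provenance.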

However, according to a new report, emails presented during the Epic Games
vs. Apple court proceedings have revealed startling new details about that
particular attack. It turns out that nearly 128 million iOS users
downloaded apps containing the XcodeGhost malware. Reportedly, Apple
kept this malware attack quiet and never disclosed the full extent of its
impact.

An Epic Spillover
The two companies have been fighting in court since Apple removed the
Battle Royale game Fortnite from its App Store in August 2020, after Epic
implemented its own in-app payment system to bypass Apple's 30% fee on
in-app purchases.


Ars Technica, which first reported on the case findings, stated that Epic
had produced a series of emails showing that Apple management chose not to
inform the 128 million affected iPhone users about the biggest ever mass
compromise of the iOS ecosystem.

The hack came to light in 2015, around the launch of the iPhone 6S, when
cybersecurity researchers at Palo Alto Networks were investigating the
XcodeGhost malware. It was reported at the time that 40 apps available on
the App Store contained the malware.

The true number of apps turned out to be much higher: a total of 4,000 apps
were found to be infected with the malware. Moreover, researchers noted that
the infected apps contained code capable of enrolling iOS devices in a
botnet used to steal user data.

Apple’s Reputation At Stake?
Epic Games has released a trove of emails in which Apple managers discussed
the repercussions of sending a warning email to the 128 million users
worldwide affected by the attack. In one of the reputation-denting
emails, Apple App Store VP Matthew Fischer wrote to the company's Senior
Vice President of Worldwide Marketing, Greg Joswiak, and to PR team members
Christine Monaghan and Tom Neumayr:

“Joz, Tom, and Christine—due to the large number of customers potentially
affected, do we want to send an email to all of them?”

“Note that this will pose some challenges in terms of language
localizations of the email since the downloads of these apps took place in
a wide variety of App Store storefronts around the world,” Fischer’s email
read.


“Just want to set expectations correctly here. We have a mass-request tool
that will allow us to send the emails, however, we are still testing to
make sure that we can accurately include the names of the apps for each
customer,” Apple’s iTunes’ then-customer experience manager Dale Bagwell
wrote in another email.

Notably, the notification email was never sent, and Apple's representative
could not provide the court with any evidence that it had ever been written
or sent.

Whether or not the email was ever drafted, the fact that Apple opted not to
notify its users about the mass compromise six years ago undercuts its
reputation as a privacy-focused company. It has always marketed itself as a
company dedicated to safeguarding user privacy and even had a much-hyped
face-off with the FBI. By sharing the emails in court, Epic Games has
achieved its aim of damaging Apple's reputation.