How did the attackers get their code into those apps?
By being really sneaky. Instead of targeting individual apps, whoever created the malicious code implanted it in a version of the software tools used to make apps for Apple tablets and phones - a toolset called Xcode. Many developers, and big companies, apparently used the booby-trapped version because it downloaded quicker in China than the official version from Apple.
Is it just a problem in China?
No, but the vast majority of the apps found to be harbouring the malicious code are made wholly for China or are versions customised for the region. However, further analysis is revealing that a few used widely outside China are also affected. The list is growing all the time and so far about 50 apps are known to be vulnerable.
What does the nasty code do?
It can grab the unique identification numbers on a phone or tablet and get at other information about that device and who is using it. The malware also lets its creator communicate with a compromised phone to send fake alerts, hijack web links or read data. So far, there are no reports of attacks exploiting the booby-trapped code in the wild.
What should I do if I am at risk?
Stay calm. Check the list to see if you are using a vulnerable version. If so, uninstall it. Check the website of that app maker and look for information about how to get a safe version. Be on the lookout for unsolicited alerts or if web browsing via an Apple device is redirected. It also might be worth resetting iCloud and other passwords set up or used via your tablet or phone. Do this on a separate computer and not on a potentially vulnerable device.
Some security firms are warning that if one group or person has managed to subvert Apple tools, others might be able to do the same. More App Store malware might be on the way.
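For developers rather than end users, the practical lesson from the tampered Xcode described above is to check a downloaded toolchain against the digest the vendor publishes before installing it, whichever mirror it came from. The following is an added example, not code from the article or from Apple: it assumes the vendor publishes a SHA256SUMS-style manifest (one "hex digest, two spaces, filename" line per file), and the file names and all file contents are constructed for the demo.

```python
"""Verify a downloaded build toolchain against a vendor-published SHA-256 before installing it.

Added example, not from the article. Assumes a SHA256SUMS-style manifest
("<hex digest>  <filename>" per line); every file name and byte below is constructed.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a multi-gigabyte archive need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(manifest_text):
    """Map filename -> expected hex digest from a 'sha256sum' style manifest (assumed format)."""
    expected = {}
    for line in manifest_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")  # two spaces, as sha256sum writes them
        name = name.lstrip("*")                  # optional binary-mode marker
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected


def verify_download(path, expected):
    """True only if the file's digest matches the manifest entry for its basename.

    A file the manifest does not list is reported as unverified (False), never as a pass.
    """
    name = os.path.basename(path)
    if name not in expected:
        return False
    # Constant-time comparison; the digests are ASCII hex strings.
    return hmac.compare_digest(sha256_of_file(path), expected[name])


def demo():
    """Constructed scenario: the official archive passes, a mirror's altered copy fails."""
    genuine = b"Xcode toolchain archive (constructed sample bytes)\n" * 1000
    # The mirror copy differs by one injected marker, standing in for a modified build step.
    tampered = genuine.replace(b"toolchain", b"toolchain+injected-build-step", 1)
    with tempfile.TemporaryDirectory() as tmp:
        official = os.path.join(tmp, "Xcode.xip")
        with open(official, "wb") as fh:
            fh.write(genuine)
        # The mirror copy carries the same file name, as a user would see it.
        mirror_dir = os.path.join(tmp, "mirror")
        os.makedirs(mirror_dir)
        mirror = os.path.join(mirror_dir, "Xcode.xip")
        with open(mirror, "wb") as fh:
            fh.write(tampered)
        # Stand-in for the vendor's published manifest: it lists only the genuine archive.
        manifest = f"{hashlib.sha256(genuine).hexdigest()}  Xcode.xip\n"
        expected = parse_manifest(manifest)
        return verify_download(official, expected), verify_download(mirror, expected)


if __name__ == "__main__":
    ok, bad = demo()
    print("official archive verified:", ok)   # True
    print("mirror copy verified:", bad)       # False
```

The manifest itself must be fetched from the vendor over an authenticated channel (or be signed), otherwise a mirror can simply publish a digest matching its altered archive. The check deliberately fails closed: an archive the manifest does not mention is unverified rather than assumed clean. On macOS, Apple's own post-incident guidance was to run `spctl --assess --verbose /Applications/Xcode.app` and expect `accepted source=Apple`, which checks Apple's code signature on an installed Xcode; that command is not mentioned in the article.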
Who was behind this attack?
We don't know. We do know that mobile malware makers are very active in China because there have been a lot of attacks on jailbroken phones. It is the world's biggest market for smartphones which means lots of potential victims.
But this attack bucks the trends in mobile crime for several reasons.
Firstly because of its scale. Millions of victims means an admin headache for any attacker keen to monetise the malware. While there are a lot of mobile attacks they tend to go for smaller groups that produce a manageable stream of data.
Secondly, malware makers prefer to stay hidden. Ideally they want their malware to lurk on a handset for weeks or months so they can slowly siphon off small sums of cash, steadily steal saleable information or feed in ads. This attack has made a very big impact and got people looking for the malware it spawned.
Thirdly, it looks like the booby-trapped version of Xcode has been posted to Github - a place where software developers share code so others can use it, update it or change it to suit their own ends. This is odd because malware makers do not tend to share their creations.
Text alongside the shared code "apologises for the problems brought upon everyone by the XcodeGhost incident" leading some to question whether it was malicious or a mistake.
Why do they do it?
Money. Most phones are linked to a payment system so criminals are keen to find ways to tap into that stream of cash. This often means mobile attacks are aimed at people in the same nation as a criminal.
The App Store is a tempting target for malware makers because, before now, Apple did a good job of securing it. Plus many Apple users have significant disposable income that attackers are keen to siphon off.
There are persistent rumours that some security researchers have made huge sums by selling previously unknown iOS vulnerabilities to governments.
What do we know about Chinese hackers?
We know that malicious hackers are very active in China and, like any modern nation, it has a busy cybercrime economy. In addition, many crime groups outside the nation pipe their attacks through compromised machines in China to make it hard for law enforcement to trace them.
China also has a large number of hacker groups that operate as proxies of the state. These carry out all kinds of attacks beyond China's borders. China has persistently denied any official involvement in these cyberassaults. However, the scale of the state apparatus that oversees the web in China makes many people sceptical that these groups could operate without tacit approval.
The attack is embarrassing as it was discovered just before a diplomatic meeting involving the US and China at which hacking, industrial espionage and cybercrime are due to be discussed.