XcodeGhost iOS malware: The list of affected apps and what you should do
Researchers recently found a piece of iOS malware called XcodeGhost in a number of apps in the Apple App Store. The creator(s) of XcodeGhost were able to sneak the malicious code into these apps without the app developers’ knowledge. These unsuspecting apps include popular consumer apps like WeChat and CamCard, showing that the XcodeGhost malware could potentially impact hundreds of millions of victims.
What is XcodeGhost?
XcodeGhost is a piece of malware that can steal data and potentially trick people into providing personally identifiable information. The creator(s) behind XcodeGhost were able to repackage a tool used by legitimate iOS and OS X developers to create apps. When those developers created their apps using this tampered-with tool, they unknowingly inserted malware into their apps, though the developers did need to knowingly disable some security checks in order to use this tool.
The malware made its way into a growing list of apps that were published live to the Apple App Store. Our understanding is that Apple is working to remove these apps from the App Store.
How might it affect me?
The malware takes information off the device, such as the device’s name, country, and unique identifiers. According to Palo Alto Networks, it may also have the ability to push dialogue boxes to your iPhone or iPad’s screen. Theoretically, a bad guy could use one of these dialogues to steal your username and password or other personal information.
The malware may also be able to open websites in your mobile browser, which could be used for a variety of malicious purposes, again including phishing and installing other potentially malicious software.
Does Lookout protect me?
Unfortunately, due to limitations Apple has placed on apps on the iOS platform, Lookout Mobile Security for consumers is not able to detect whether you have an infected app installed. Apple has made recent changes to iOS that make it more difficult for one app to understand which other apps are present on the device. We are always looking for new ways to protect iOS devices from malware and hope to be able to improve our detection capabilities in the future.
In the meantime, we recommend users:
- If you have one of the apps listed below, update it if an update is available, or delete it immediately and wait until the developer releases a new version with the malicious code removed.
- If one of these apps is running on your device, we also recommend that you change your Apple ID password and be wary of any suspicious emails or push notifications to your device asking for personal information.
- In general, be wary of apps pushing dialogue boxes to your screen that ask for personal information when you do not know who is asking for it.
- If you have used your Apple ID password on any other accounts, you should change the password for those accounts, too.
What are the apps?
We are actively adding apps to the list below that Lookout has independently confirmed to be affected by XcodeGhost. This list is not exhaustive and we will be maintaining it below, including information on whether it has been patched and what you should do.
To check if a developer has pushed an update to the app, go to the Apple App Store on your device, navigate to that app, and look for an “Update” button. If you are running the latest version of an app this button will say “Open” instead of “Update.”
LifeSmart
- Action: Uninstall immediately
- Current Status: Still malicious
- Last version checked: 1.0.45
- Action: Uninstall immediately
- Current Status: Still malicious
- Last version checked: 2.1.02
- Action: Update to latest version
- Current Status: Patched
- Last version checked: 6.2.6
WinZip – The leading zip unzip and cloud file management tool
- Action: Uninstall immediately
- Current Status: Still malicious
- Last version checked: 4.2
10000+ Wallpapers for iOS 8, iOS 7, iPhone, iPod and iPad
- Action: Uninstall immediately
- Current Status: Still malicious
- Last version checked: 3.6
喜马拉雅FM(Podcasts)儿童故事评书股票财经郎眼radio
- Action: Uninstall immediately
- Current Status: Still malicious
- Last version checked: 4.3.8
- Action: Uninstall immediately
- Current Status: Still malicious
- Last version checked: 1.8.0
- Action: Uninstall immediately
- Current Status: Still malicious
- Last version checked: 2.1.1
- Action: Uninstall immediately
- Current Status: Still malicious
- Last version checked: 1.1.6
- Action: Uninstall immediately
- Current Status: Still malicious
- Last version checked: 3.6.5
- Action: Update to latest version
- Current Status: Patched
- Last version checked: 2.9.0
网易公开课 – 教育视频平台、名校名师名课、TED演讲、优质纪录片
- Action: Update to latest version
- Current Status: Patched
- Last version checked: 4.2.9
- Action: Uninstall immediately
- Current Status: Still malicious
- Last version checked: 1.1.0
- Action: Uninstall immediately
- Current Status: Still malicious
- Last version checked: 1.8.1
CamScanner Free| PDF Document Scanner and OCR
- Action: Uninstall immediately
- Current Status: Still malicious
- Last version checked: 3.8.1
CamScanner +| PDF Document Scanner and OCR
- Action: Uninstall immediately
- Current Status: Still malicious
- Last version checked: 3.8.1
- Action: Uninstall immediately
- Current Status: Still malicious
- Last version checked: 3.2
- Action: Uninstall immediately
- Current Status: Still malicious
- Last version checked: 2.40.01
Other companies have suggested that there are hundreds to thousands of apps that may be affected. We are working to independently confirm these apps are malicious:
- 网易云音乐
- 微信
- 讯飞输入法
- 滴滴出行
- 滴滴打车
- 铁路12306
- 下厨房
- 51卡保险箱
- 中信银行动卡空间
- 中国联通手机营业厅
- 高德地图
- 简书
- 开眼
- Lifesmart
- 网易公开课
- 马拉马拉
- 药给力
- 喜马拉雅
- 口袋记账
- 同花顺
- 快速问医生
- 懒人周末
- 微博相机
- 豆瓣阅读
- CamScanner
- CamCard
- SegmentFault
- 炒股公开课
- 股市热点
- 新三板
- 滴滴司机
- OPlayer
- 电话归属地助手
- 愤怒的小鸟2
- 夫妻床头话
- 穷游
- 我叫MT
- 我叫MT 2
- 自由之战
- Mercury
- WinZip
- Musical.ly
- PDFReader
- guaji_gangtai en
- Perfect365
- 网易云音乐
- PDFReader Free
- WhiteTile
- IHexin
- WinZip Standard
- MoreLikers2
- CamScanner Lite
- MobileTicket
- iVMS-4500
- OPlayer Lite
- QYER
- golfsense
- 同花顺
- ting
- installer
- 下厨房
- golfsensehd
- Wallpapers10000
- CSMBP-AppStore
- 礼包助手
- MSL108
- ChinaUnicom3.x
- TinyDeal.com
- snapgrab copy
- iOBD2
- PocketScanner
- CuteCUT
- AmHexinForPad
- SuperJewelsQuest2
- air2
- InstaFollower
- CamScanner Pro
- baba
- WeLoop
- DataMonitor
- 爱推
- MSL070
- nice dev
- immtdchs
- OPlayer
- FlappyCircle
- 高德地图
- BiaoQingBao
- SaveSnap
- Guitar Master
- jin
- WinZip Sector
- Quick Save
- CamCard
I have to rest my email address box so it not cc I am trying I no I am slow I am sorry
Thanks a lot for this Advance
Thank you for the update. Only one app affected via IOS. Great job.
Thanks for the alert. It is helpful to have info in a timely manner.
What about CamCard for Android?
I see that you don’t have apps listed in English. Why don’t you? I see Chinese or Japanese but no English. You also have this email in America. I would like apps in English as well.
Thanks don’t have those unless Chinese version is the same thing but thanks
I just updated and now I have 2 new apps. Why? I’ve tried to delete them but no x comes up they shake but no x to delete. I don’t want news and finding friends
Thank you for the malware infected apps list. Please post a translation into English for all infected apps only identified in Chinese characters.
Hi Margaret, these applications do not actually have English names. You would see the Chinese name listed if you had that particular app on your device. Hope this helps!
Hi Donado, these applications do not actually have English names. You would see the Chinese name listed if you had that particular app on your device. Hope this helps!
Hi Nancy, it sounds like you might be seeing two new apps that Apple shipped with iOS 9. If those are the apps you are seeing, they are created by Apple and are not removable from the device.
Thank you, Lookout you are on it again. So, happy to have you having my back, per se.
Why is Apple not notifying users about this issue and banning the download of these apps? Thanks for the heads up. I only had one app listed and removed.
Why are these apps still available for download on the app store?? Apple needs to get its sh*t together asap
Also, shouldn’t Lookout have been protecting us from downloading such malware??
Thankfully I have you guys watching my back!
Thank you for the information!!!!
GOD BLESS YOU
Because of limitations Apple has placed on apps on the iOS platform, neither Lookout nor any other mobile security provider can detect and protect against XcodeGhost in its consumer-facing product available through the App Store. Apple does, however, provide additional capabilities to enterprises to understand how iOS devices are used, and we can leverage these APIs to offer protection through our enterprise product, Lookout Mobile Threat Protection. Unfortunately, they don’t allow the same APIs for consumer products.