FireEye has discovered two threats for iOS: iBackDoor, which allows attackers to remotely perform actions such as capturing audio and screenshots and monitoring and uploading device location, and XcodeGhost, whose C2 traffic can be hijacked to distribute apps outside the App Store. The two reports are "iBackDoor: New High-Risk Code Hits iOS Apps" and "XcodeGhost Still Alive, More Advanced Samples Infecting iOS9 Found".
iBackDoor: New High-Risk Code Hits iOS Apps
The threat allows attackers to remotely perform actions like capturing audio and screenshots, monitoring and uploading device location, posting encrypted data to remote servers, and sideloading non-App Store apps. It also allows reading, deleting, creating or modifying files, and reading, writing or resetting the app's keychain.
XCodeGhost Still Alive, More Advanced Samples Infecting iOS9 Found
Last month, iOS users were warned of a threat to their devices from the XcodeGhost malware. Even though Apple reacted quickly, taking down infected apps from the App Store and releasing new security features to stop malicious activity, the XcodeGhost threat has persisted and evolved. XcodeGhost remains a security risk: its botnet is still partially active, and a variant called XcodeGhost S shows that more advanced samples went undetected.
FireEye has observed 210 enterprises with XcodeGhost-infected applications running inside their networks, generating more than 28,000 attempts to connect to the XcodeGhost Command and Control (CnC) servers, which, while not under attacker control, are vulnerable to hijacking by threat actors. Germany and the U.S. are the top two countries affected by XcodeGhost, mainly in the education and high-tech industries.
An attacker who hijacks XcodeGhost C2 traffic can use it to distribute apps outside the App Store, force the device to browse to a URL, aggressively promote any App Store app by launching its download page directly, and pop up phishing windows. While most vendors have updated their apps, infected versions of popular apps like WeChat still exist.
Some enterprises have taken steps to block the XcodeGhost DNS query within their network to cut off the communication between employees' iPhones and the C2 servers. However, until these employees update their devices and apps, they remain vulnerable to potential hijacking of the XcodeGhost C2 traffic. Given the number of infected devices detected within a short period among so many U.S. enterprises, XcodeGhost continues to be an ongoing threat for enterprises.
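The DNS-blocking step described above only cuts the beacon; the resolver logs it produces also tell you which devices still run infected apps and need updating. The following is an added example (not FireEye's code, and the page lists no CnC hostnames, so the C2 domains and the resolver log lines are constructed placeholders) that scans BIND-style query logs for lookups of the C2 domains and aggregates hits per client so those devices can be chased down.

```python
import re
from collections import Counter, defaultdict

# Placeholder C2 domains: the page does not list XcodeGhost's CnC hostnames,
# so substitute the indicators from your threat-intel feed before use.
XCODEGHOST_C2_DOMAINS = {
    "c2-example-1.invalid",
    "c2-example-2.invalid",
}

# Constructed sample of BIND-style query log lines (not real traffic).
SAMPLE_DNS_LOG = """\
10-Nov-2015 09:12:01.113 client 10.1.4.23#51234: query: init.c2-example-1.invalid IN A + (10.1.0.2)
10-Nov-2015 09:12:03.220 client 10.1.4.23#51240: query: www.apple.com IN A + (10.1.0.2)
10-Nov-2015 09:12:07.004 client 10.1.7.8#49001: query: c2-example-2.invalid IN A + (10.1.0.2)
10-Nov-2015 09:12:09.871 client 10.1.4.23#51255: query: init.c2-example-1.invalid IN AAAA + (10.1.0.2)
10-Nov-2015 09:12:11.500 client 10.1.9.14#40210: query: notc2-example-1.invalid IN A + (10.1.0.2)
"""

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def is_c2_domain(qname, c2_domains=XCODEGHOST_C2_DOMAINS):
    """True when qname is a C2 domain or a subdomain of one.

    The match is label-aligned, so a look-alike such as
    'notc2-example-1.invalid' does not match 'c2-example-1.invalid'.
    """
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in c2_domains)


def find_beaconing_clients(log_text, c2_domains=XCODEGHOST_C2_DOMAINS):
    """Return {client_ip: Counter(queried C2 name)} for clients still beaconing."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_c2_domain(m["qname"], c2_domains):
            hits[m["client"]][m["qname"].rstrip(".").lower()] += 1
    return dict(hits)


def total_attempts(hits):
    """Sum of all C2 lookup attempts across clients (the figure to track over time)."""
    return sum(sum(c.values()) for c in hits.values())
```

Feed the function your resolver's query log; each client that appears in the result is a device whose apps have not yet been updated, regardless of whether the query was answered or blocked.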