In September, malware infected with the XcodeGhost Trojan was detected in the App Store. The largest-scale attack in the history of Apple's app store mainly affected users in China. However, according to SecurityLab, a new, even more sophisticated version of the Trojan is now infecting users' devices in Europe and the USA.
The modified version, dubbed XcodeGhost S, is reported to target iOS 9 and to be much better at evading static analysis tools. Over four weeks, FireEye researchers identified 210 U.S. companies that were using infected applications, which made a total of 28,000 attempts to contact C&C servers. Most infected systems (62%) tried to contact servers located in Germany; servers in the USA came second (33%).
According to experts, XcodeGhost S has been used alongside the original XcodeGhost, and both were written by the same author. However, it cannot be ruled out that someone else is behind the Trojan's current activity. On September 19, two days after XcodeGhost became public, an unknown person posted an apology on Twitter for spreading the malware. He claimed it had merely been an experiment to study potential gaps in Xcode that could be used to deliver advertising.
Hong Jia, an information security expert at ThreatBook Labs, told Dark Reading that he does not believe the apology is sincere, since the Trojan's ability to bypass detection tools goes far beyond what the unknown author described.
Unlike the original XcodeGhost, XcodeGhost S evades static analysis tools by assembling its strings through character concatenation: the full indicator (such as a C&C hostname) never appears as a single literal in the binary, which greatly complicates the search for infected applications. To date, researchers have found only two infected apps, but in reality there may be many more.
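As an added illustration (not code from the article, from FireEye, or from the malware itself) of why character-level concatenation defeats a signature built on the full C&C hostname, the Python below compares a plain literal scan against a fragment-aware one. The hostname, the stand-in binaries, and the fragment layout are all constructed for this example; the exact way XcodeGhost S splits its strings is not described on the page and is assumed here.

```python
import re

# Constructed indicator of compromise (IOC): a placeholder C2 hostname,
# NOT a real XcodeGhost domain.
IOC_DOMAIN = "init.example-analysis.invalid"

# Constructed stand-in for an original-style binary: the hostname is stored
# as one contiguous C string, so a plain signature finds it.
BINARY_PLAIN = b"\x00cstring\x00" + IOC_DOMAIN.encode() + b"\x00/api/v1\x00"

# Constructed stand-in for the concatenation trick (assumed layout): the
# hostname only exists as short fragments that are joined at run time.
FRAGMENTS = ["ini", "t.ex", "ample-", "ana", "lysis.", "inval", "id"]
BINARY_FRAGMENTED = b"\x00".join(f.encode() for f in FRAGMENTS)

# Constructed benign binary that happens to contain common words from the
# IOC; used to show that fragment matching needs a threshold.
BINARY_BENIGN = b"\x00analysis\x00invalid\x00"


def runtime_reconstruct(fragments):
    """What the malware does at run time: concatenate the pieces back."""
    return "".join(fragments)


def naive_string_scan(binary, ioc):
    """Static check used against the original: is the full IOC a literal?"""
    return ioc.encode() in binary


def extract_strings(binary, min_len=3):
    """Mimic strings(1): runs of printable ASCII split by non-printables."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, binary)]


def fragment_scan(binary, ioc, min_frag=3, threshold=0.8):
    """Fragment-aware static check.

    Every printable string in the binary that is a substring of the IOC marks
    the IOC characters it covers.  If the covered fraction reaches the
    threshold, the IOC is judged present even though it was split up.
    Returns (hit, coverage).
    """
    covered = [False] * len(ioc)
    for s in extract_strings(binary, min_len=min_frag):
        start = ioc.find(s)
        while start != -1:
            for i in range(start, start + len(s)):
                covered[i] = True
            start = ioc.find(s, start + 1)
    coverage = sum(covered) / len(ioc)
    return coverage >= threshold, coverage


if __name__ == "__main__":
    print("reconstructed:", runtime_reconstruct(FRAGMENTS))
    for name, blob in [("plain", BINARY_PLAIN),
                       ("fragmented", BINARY_FRAGMENTED),
                       ("benign", BINARY_BENIGN)]:
        print(name, "naive:", naive_string_scan(blob, IOC_DOMAIN),
              "fragment-aware:", fragment_scan(blob, IOC_DOMAIN))
```

The naive scan finds the hostname only in the plain binary; the fragmented one passes it cleanly even though the run-time concatenation yields exactly the same hostname. The fragment-aware scan recovers it, but only because short pieces are allowed to match, which is also why the benign binary needs a coverage threshold to stay clean. In practice such static matching is a supplement to, not a replacement for, the network-level indicators (the C&C connection attempts FireEye counted) and dynamic analysis.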