Apple Confirms Discovery of Malicious Code in Some App Store Products

21 Sep 2015 | Author: | No comments yet »

Apple China apps hacked.

Apple confirmed on Sunday that a tool used by software developers for the company’s devices was copied and modified by hackers to put bad code into apps available on the App Store. (Reuters) – Apple said on Sunday it is cleaning up its iOS App Store to remove maliciousiPhone and iPad programs identified in the first large-scale attack on the popular mobile software outlet.Some of the most popular Chinese names in Apple’s App Store were found to be infected with malicious software in what is being described as a first-of-its-kind security breach, exposing a rare vulnerability in Apple’s mobile platform, according to multiple researchers. The company disclosed the effort after several cyber security firms reported finding a malicious program dubbed XcodeGhost that was embedded in hundreds of legitimate apps.

The applications were infected after software developers were lured into using an unauthorised and compromised version of Apple’s developer tool kit, according to researchers at Alibaba Mobile Security, a mobile antivirus division of Alibaba Group Holding Ltd. It even brought onstage a doctor associated with a new app that lets clinicians view patients’ appointment schedules and see vital signs, such as heart rates, via the Apple Watch.

WeChat, which has over 600 million monthly active users, said in a blog post that the exploit only affected a prior version of the app released on September 10th; the present version, released two days later, is clean. The list of recently compromised iPhone and iPad apps includes Tencent Holdings’s popular mobile chat app WeChat, Uber-like car-hailing app Didi Kuaidi, and a Spotify-like music app from internet portal NetEase. Security firm Palo Alto Networks investigated XcodeGhost and concluded that it was able to prompt fake phishing dialogs, open URLs, and read and write clipboard data, leading the company to call it a “very harmful and dangerous” piece of malware that has affected at least 39 apps. A search of the term “mobile health” in the Apple App Store produces 22,755 programs that purport to do everything from consolidating personal health records to triaging symptoms.

There’s no evidence that any data theft has occurred yet, but XcodeGhost is worrying because it shows how legitimate developers can be used as a vector for malicious software, bypassing Apple’s code review — a method that the CIA has also considered deploying. One app can even turn a smartphone into a medical device designed to diagnose patients with sleep apnea when a single-lead electrocardiograph (ECG) is connected to the phone.

The tainted version of Xcode was downloaded from a server in China that developers may have used because it allowed for faster downloads than using Apple’s U.S. servers, Olson said. Chinese anti-censorship activist group called it “the most widespread and significant spread of malware” in the app store’s history.

As app makers checked to see whether their products had been infected, Apple and security researchers worked to find and get rid of the bad versions of Xcode, which were all on a cloud hosting service owned by the Chinese Internet company Baidu. Other apps found infected with the malware include those belonging to state-run mobile carrier China Unicom, and 12306, the country’s official train-booking website, researchers said.

Once the infected apps are downloaded, researchers said, the malicious code can open particular websites designed to infect the device with more viruses. The patient might now come to an appointment with ideas on treatment options — and want to take a more active role in treatment by utilizing the tools in their app. This security breach illustrates the lengths to which hackers will go to break into Apple’s hardware and software, which has long been thought of as having superior security. To write apps for Apple devices, developers have to use a tool kit called Xcode, but downloading the official version from Apple’s website can take a long time in China.

Even if a user were inclined to actually locate and read the lengthy terms and conditions, there’s no way to determine if the app was created with the involvement of a medical professional. To the contrary, the fine print on the app’s privacy policy and terms will likely include language warning the end user that the app is “not a substitution for consultations with qualified health care professionals who are familiar with an individual’s medical needs.” Thus, the physician continues to be liable for patients’ care.

The Food and Drug Administration has announced that it will only evaluate mobile medical device apps that are complex in nature, such as controlling delivery of insulin to a pump; serving as a de facto medical device like a glucometer; or using patient-specific information to create a diagnosis or recommend treatment. The FDA will not, as a general rule, evaluate apps deemed to pose less risk, such as those that inform or assist patients in managing their disease without providing treatment suggestions, or apps that help patients track or organize health information. While traditional health care providers are bound by the strict requirements for protecting the confidentiality of patient data under HIPAA, mobile medical apps are not.

For example, one policy says: “To ensure that your information is secure, we have in place commercially suitable physical, electronic, and managerial procedures.

Here you can write a commentary on the recording "Apple Confirms Discovery of Malicious Code in Some App Store Products".

* Required fields
All the reviews are moderated.
Our partners
Follow us
Contact us
Our contacts

ICQ: 423360519

About this site