Apple’s iOS App Store suffers first major attack

21 Sep 2015 | Author: | No comments yet »

Apple China apps hacked.

Some of the most popular Chinese names in Apple’s App Store were found to be infected with malicious software in what is being described as a first-of-its-kind security breach, exposing a rare vulnerability in Apple’s mobile platform, according to multiple researchers.

Apple Inc APPL.O said on Sunday it is cleaning up its iOS App Store to remove malicious iPhone and iPad programs identified in the first large-scale attack on the popular mobile software outlet.Usually with official app stores like iTunes or Google Play, trying to sneak malware in can be difficult either due to systems put in place that can automatically detect malware, or because the review process is manual in which malware will be detected by the person(s) conducting the review.Apple has admitted that it is App Store integrity was compromised as apps were secretly infected by fake Xcode tools before submission to the App Store. The applications were infected after software developers were lured into using an unauthorised and compromised version of Apple’s developer tool kit, according to researchers at Alibaba Mobile Security, a mobile antivirus division of Alibaba Group Holding Ltd. The company disclosed the effort after several cyber security firms reported finding a malicious program dubbed XcodeGhost that was embedded in hundreds of legitimate apps.

It even brought onstage a doctor associated with a new app that lets clinicians view patients’ appointment schedules and see vital signs, such as heart rates, via the Apple Watch. Unfortunately sometimes things do slip past such procedures, as is the case over in China as it has been detected that some apps with malware have made it onto the iTunes App Store. A search of the term “mobile health” in the Apple App Store produces 22,755 programs that purport to do everything from consolidating personal health records to triaging symptoms. These infected apps will be able to transmit data about the device they’re installed on and also prompt fake alerts, steal passwords, and read/write information on the user’s clipboard. In separate statements posted to social media over the weekend, Tencent, Didi Kuaidi Joint Co. and NetEase said their applications had been compromised but said no sensitive customer information had been lost. “At present, we haven’t discovered any loss of user information or assets as a result of this [breach], though the WeChat team will continue to monitor and do tests,” Tencent said in a message posted to the Sina Weibo microblogging service late Friday.

One app can even turn a smartphone into a medical device designed to diagnose patients with sleep apnea when a single-lead electrocardiograph (ECG) is connected to the phone. One theory is that Apple’s servers are slow to download from in China, so developers used this alternative ‘mirror’ (unaware of its true credibility) download for convenience and speed.

Researchers said infected apps included Tencent Holdings Ltd’s (0700.HK) popular mobile chat app WeChat, car-hailing app Didi Kuaidi and a music app from Internet portal NetEase Inc. Apps built with XcodeGhost will secretly send device information back to the hackers as well as initiate phishing attacks for more sensitive user credentials. Chinese anti-censorship activist group Greatfire.org called it “the most widespread and significant spread of malware” in the app store’s history.

The tainted version of Xcode was downloaded from a server in China that developers may have used because it allowed for faster downloads than using Apple’s U.S. servers, Olson said. The Alibaba researchers have dubbed these malicious variants “XcodeGhost.” Apps constructed with XcodeGhost code will collect a bunch of information about a customer’s device once the app has been downloaded. Asked whether it was possible the Chinese government was involved, Palo Alto Networks said it didn’t yet have enough information to determine who was behind the attack.

The data siphoned includes the current time, the name of the device, and the network type—none of which is anything a hacker could really use against you. It is also good practice to change your iCloud and other account passwords, in case you have accidentally fell victim to one of these phishing attempts. Other apps found infected with the malware include those belonging to state-run mobile carrier China Unicom, and 12306, the country’s official train-booking website, researchers said. It wasn’t clear how the infected apps made it past Apple’s screening process, or whether the breach had resulted in any user information being stolen, though researchers said millions of devices could have been exposed based on the popularity of the apps in question. The patient might now come to an appointment with ideas on treatment options — and want to take a more active role in treatment by utilizing the tools in their app.

However, the apps analyzed were reportedly only from the Chinese App Store, so it doesn’t look like customers from other areas of the world need to worry. Also, any developers who obtained their copy of Xcode from an unofficial source could be affected, as there is a chance their products are not totally above board. To write apps for Apple devices, developers have to use a tool kit called Xcode, but downloading the official version from Apple’s website can take a long time in China.

These are apps made by companies specifically for their own employees’ devices, so they don’t have to go through any sort of Apple security check. The apps that did get through didn’t seem to do any really nasty stuff. “If you made it really, obviously bad, probably [Apple] would catch it,” Miller says.

Security researcher Claud Xiao wrote on the firm’s website Friday that criminals and spies could use the malware to gain access to iOS devices. “We believe XcodeGhost is a very harmful and dangerous malware that has bypassed Apple’s code review and made unprecedented attacks on the iOS ecosystem,” he wrote. Even if a user were inclined to actually locate and read the lengthy terms and conditions, there’s no way to determine if the app was created with the involvement of a medical professional.

To the contrary, the fine print on the app’s privacy policy and terms will likely include language warning the end user that the app is “not a substitution for consultations with qualified health care professionals who are familiar with an individual’s medical needs.” Thus, the physician continues to be liable for patients’ care. The Food and Drug Administration has announced that it will only evaluate mobile medical device apps that are complex in nature, such as controlling delivery of insulin to a pump; serving as a de facto medical device like a glucometer; or using patient-specific information to create a diagnosis or recommend treatment. The FDA will not, as a general rule, evaluate apps deemed to pose less risk, such as those that inform or assist patients in managing their disease without providing treatment suggestions, or apps that help patients track or organize health information. While traditional health care providers are bound by the strict requirements for protecting the confidentiality of patient data under HIPAA, mobile medical apps are not.

For example, one policy says: “To ensure that your information is secure, we have in place commercially suitable physical, electronic, and managerial procedures.

Here you can write a commentary on the recording "Apple’s iOS App Store suffers first major attack".

* Required fields
Twitter-news
Our partners
Follow us
Contact us
Our contacts

dima911@gmail.com

ICQ: 423360519

About this site