2015-09-20
Apple’s iOS App Store suffers first major cyber attack.

Apple Inc said on Sunday it is cleaning up its iOS App Store to remove malicious iPhone and iPad programs identified in the first large-scale attack on the popular mobile software outlet. Some of the most popular Chinese names in Apple’s App Store were found to be infected with malicious software in what is being described as a first-of-its-kind security breach, exposing a rare vulnerability in Apple’s mobile platform, according to multiple researchers. The company disclosed the effort after several cyber security firms reported finding a malicious program dubbed XcodeGhost that was embedded in hundreds of legitimate apps.


The applications were infected after software developers were lured into using an unauthorised and compromised version of Apple’s developer tool kit, according to researchers at Alibaba Mobile Security, a mobile antivirus division of Alibaba Group Holding Ltd. It even brought onstage a doctor associated with a new app that lets clinicians view patients’ appointment schedules and see vital signs, such as heart rates, via the Apple Watch.


Prior to this attack, a total of just five malicious apps had ever been found in the App Store, according to cyber security firm Palo Alto Networks Inc. A search of the term “mobile health” in the Apple App Store produces 22,755 programs that purport to do everything from consolidating personal health records to triaging symptoms. In separate statements posted to social media over the weekend, Tencent, Didi Kuaidi Joint Co. and NetEase said their applications had been compromised but said no sensitive customer information had been lost. “At present, we haven’t discovered any loss of user information or assets as a result of this [breach], though the WeChat team will continue to monitor and do tests,” Tencent said in a message posted to the Sina Weibo microblogging service late Friday. One app can even turn a smartphone into a medical device designed to diagnose patients with sleep apnea when a single-lead electrocardiograph (ECG) is connected to the phone.

Researchers said infected apps included Tencent Holdings Ltd’s popular mobile chat app WeChat, car-hailing app Didi Kuaidi and a music app from Internet portal NetEase Inc. The tainted version of Xcode was downloaded from a server in China that developers may have used because it allowed for faster downloads than using Apple’s U.S. servers, Olson said.

The Alibaba researchers have dubbed these malicious variants “XcodeGhost.” Apps constructed with XcodeGhost code will collect a bunch of information about a customer’s device once the app has been downloaded. The data siphoned includes the current time, the name of the device, and the network type—none of which is anything a hacker could really use against you.

Other apps found infected with the malware include those belonging to state-run mobile carrier China Unicom, and 12306, the country’s official train-booking website, researchers said. It wasn’t clear how the infected apps made it past Apple’s screening process, or whether the breach had resulted in any user information being stolen, though researchers said millions of devices could have been exposed based on the popularity of the apps in question. The patient might now come to an appointment with ideas on treatment options — and want to take a more active role in treatment by utilizing the tools in their app.

However, the apps analyzed were reportedly only from the Chinese App Store, so it doesn’t look like customers from other areas of the world need to worry. Also, any developers who obtained their copy of Xcode from an unofficial source could be affected, as there is a chance their products are not totally above board. To write apps for Apple devices, developers have to use a tool kit called Xcode, but downloading the official version from Apple’s website can take a long time in China.
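Because the attack hinged on developers building with a tampered copy of Xcode, the practical check on the developer side is to confirm that the installed Xcode still carries Apple's own signature. The following script is an added example, not code from the article or from Apple: it wraps macOS's `spctl --assess --verbose` and classifies its output. The assumption that a genuine Xcode reports `accepted` with a source of `Mac App Store`, `Apple` or `Apple System` follows Apple's published validation guidance; the parsing helper itself runs on any POSIX shell so it can be exercised offline on constructed output.

```shell
#!/bin/sh
# Added example (not from the article): verify that a local Xcode install
# still carries Apple's signature, using the system policy tool spctl(8).
# The classification rule (accepted + source from Apple / Mac App Store /
# Apple System = genuine) is taken from Apple's validation guidance; it is
# an assumption of this script, not something stated on the page.

# classify_assessment reads spctl --assess --verbose output on stdin and
# prints one word: genuine, untrusted, or unknown (no assessment seen).
# Exit status: 0 genuine, 1 untrusted, 2 unknown.
classify_assessment() {
    accepted=0
    seen=0
    source=""
    while IFS= read -r line; do
        case "$line" in
            *": accepted") accepted=1; seen=1 ;;
            *": rejected"*) accepted=0; seen=1 ;;
            source=*) source=${line#source=} ;;
        esac
    done
    if [ "$seen" -eq 0 ]; then
        echo unknown
        return 2
    fi
    if [ "$accepted" -eq 1 ]; then
        case "$source" in
            "Mac App Store"|"Apple"|"Apple System")
                echo genuine
                return 0 ;;
        esac
    fi
    # Signed by someone else, unsigned, or rejected: treat the toolchain
    # as untrusted and re-download Xcode from Apple before shipping builds.
    echo untrusted
    return 1
}

# assess_xcode runs the real check on macOS. Path defaults to the standard
# install location; pass another path for a second Xcode copy.
assess_xcode() {
    app=${1:-/Applications/Xcode.app}
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available; this check only runs on macOS" >&2
        return 2
    fi
    spctl --assess --verbose "$app" 2>&1 | classify_assessment
}

# Usage: sh check_xcode.sh --run [/path/to/Xcode.app]
if [ "${1:-}" = "--run" ]; then
    assess_xcode "${2:-}"
fi
```

On a build machine this belongs in the CI bootstrap step, failing the pipeline when the verdict is anything but `genuine`; the constructed lines used to exercise `classify_assessment` below mirror the two-line format `spctl` prints (an assessment line followed by a `source=` line).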

These are apps made by companies specifically for their own employees’ devices, so they don’t have to go through any sort of Apple security check. The apps that did get through didn’t seem to do any really nasty stuff. “If you made it really, obviously bad, probably [Apple] would catch it,” Miller says. Security researcher Claud Xiao wrote on the firm’s website Friday that criminals and spies could use the malware to gain access to iOS devices. “We believe XcodeGhost is a very harmful and dangerous malware that has bypassed Apple’s code review and made unprecedented attacks on the iOS ecosystem,” he wrote.

Even if a user were inclined to actually locate and read the lengthy terms and conditions, there’s no way to determine if the app was created with the involvement of a medical professional. To the contrary, the fine print on the app’s privacy policy and terms will likely include language warning the end user that the app is “not a substitution for consultations with qualified health care professionals who are familiar with an individual’s medical needs.” Thus, the physician continues to be liable for patients’ care. The Food and Drug Administration has announced that it will only evaluate mobile medical device apps that are complex in nature, such as controlling delivery of insulin to a pump; serving as a de facto medical device like a glucometer; or using patient-specific information to create a diagnosis or recommend treatment. The FDA will not, as a general rule, evaluate apps deemed to pose less risk, such as those that inform or assist patients in managing their disease without providing treatment suggestions, or apps that help patients track or organize health information. While traditional health care providers are bound by the strict requirements for protecting the confidentiality of patient data under HIPAA, mobile medical apps are not.

For example, one policy says: “To ensure that your information is secure, we have in place commercially suitable physical, electronic, and managerial procedures.