iPhone Malware Is Hitting China. Let's Not Be Next

Apple's wildly popular iOS has earned the title of the world's most secure consumer operating system. But now that title has an asterisk: China.
Photo: A man talks on an Apple iPhone in Beijing on April 2, 2013. Apple chief executive Tim Cook has apologised to Chinese consumers after the US technology giant was subjected to a barrage of criticism in state-run media over alleged "arrogance" and double standards. (WANG ZHAO/AFP/Getty Images)

Apple's iOS has had a good run in terms of security. For more than eight years it's been wildly popular and yet virtually malware-free, long enough to easily earn the title of the world's most secure consumer operating system. Now that title has a new, growing asterisk: China.

Over just the last month, Chinese iPhone and iPad owners have been hit with two distinct iOS mass malware infections. Unlike previous spates of iOS-targeted malware, many of those victims hadn't jailbroken their phones to install unauthorized apps. The two back-to-back attacks—one far more sophisticated than the other but both unprecedented in iOS's history—suggest that complacent iPhone users around the world could be in for the same nasty shock. And if they are, how can they avoid the mistakes that led to China's outbreaks?

"iPhone users have gotten very used to living in a walled garden and very comfortable with their training wheels," says Ryan Olson, the lead researcher for Palo Alto Networks, the security firm that first publicized both of the recent Chinese iOS malware epidemics. "They didn’t have to worry about falling over if they made a mistake. Now people are exploiting those mistakes to actually infect phones."

In at least the most recent of these two attacks, victims did have to make an almost comical series of blunders to have their phone hacked. The malware, which Palo Alto Networks called YiSpecter in its detailed writeup, tricked users into circumventing Apple's tightly controlled App Store to install a porn video player. (In some cases the hackers used local internet service providers in China, which are known to hijack traffic to insert ads on websites, to advertise the sexy video app in pop-up prompts.) If the user fell for that lure, the hackers skirted Apple's App Store review entirely and installed the app under a so-called "enterprise certificate," a signing mechanism meant to let companies and agencies distribute their own in-house programs to employees' phones without going through the App Store.

The malicious video player, called QVOD, then surreptitiously installed its own collection of hidden apps. Those apps abused private iOS APIs, which App Store review would normally catch but which an enterprise-signed app never faces, to gain limited visibility into which other apps on the phone were running. When one of those innocent apps launched, YiSpecter could insert fullscreen ads over it. On jailbroken phones, it also swapped out Safari's default search engine for the Chinese search engine Baidu, likely to take advantage of the company's affiliate marketing deals. And if a phone owner located and deleted any of the three hidden apps, the remaining invisible apps were programmed to stubbornly reinstall them.

Despite those tricks, careful users could still easily avoid YiSpecter: Apple has said that only iOS 8.3 and earlier were left open to the attack. Later versions limited access to the APIs it exploited to plant its ads. And even in those earlier, vulnerable versions, users would have to click through a prompt and choose to trust an enterprise certificate from a company they'd never heard of. Making all those missteps in pursuit of porn requires a special kind of cluelessness on the part of the victims. "The sexual appeal seems to have overwhelmed their brains," says Jonathan Zdziarski, an iOS forensics expert and security consultant. "They overlooked the fact that they were skipping over an important security mechanism."

The security lessons of YiSpecter, in other words, are pretty obvious: Don't install strange apps that appear in pop-ups online and aren't found in Apple's App Store. Don't obliviously agree to trust certificates from sketchy "enterprises." Don't jailbreak your iPhone. And keep your software updated. (In fact, iOS 9 requires users who want to install apps with an enterprise certificate to make changes to their settings, adding several more taps to get around Apple's app store.)

But for the malware infection that hit iOS devices three weeks ago, a long-term antidote isn't so easy. That earlier, far more serious attack, which Palo Alto Networks also brought to light in a series of posts and called XcodeGhost, corrupted at least 39 legitimate apps, including the popular Chinese social media app WeChat and another from Didi Kuaidi, Uber's biggest rival in China. Palo Alto suspects that it may have reached hundreds of millions of devices in total, likely far more than the YiSpecter malware.

The XcodeGhost malware's authors pulled off their unprecedented hack by distributing a malicious version of Apple's free developer tool, Xcode. Because Chinese developers' connections to US servers are slow, many of them turned out to be downloading that tool from Baidu's cloud storage platform instead. The unauthorized copy of Xcode was designed to taint every app the developers built with it, and Apple's App Store reviewers then missed many of those infected apps and let them into the store. The evil twin apps were capable of phishing usernames and passwords and sending them back to a command-and-control server: a truly sophisticated and very nasty hack, and one in which neither the developers nor their users ever left the official App Store.

Apple didn't respond to WIRED's request for comment on either of the two recent iOS attacks. But it seems to have learned some lessons: It purged the app store of the tainted apps and added servers in China to increase the local availability of its Xcode tool. It's also no doubt more carefully scrutinizing its apps for signs of a similar attack in the future.

And what can iOS users learn from this nasty malware case? That's not so simple, says Zdziarski. "As far as the user, there's not a lot you can do except to be a little discerning about the apps you download," he says. But even that's a tough strategy, he admits, given that developers at reputable companies like WeChat, Didi Kuaidi and China Unicom all fell for the trick. And Zdziarski points out it would be foolish to assume the developer attack is unique to China. As the Intercept reported in March, the CIA was considering using the same Xcode attack against its own targets.

It's developers, not users or even Apple, who will have the most responsibility to prevent the next XcodeGhost-style outbreak, says Apple-focused security analyst Rich Mogull. That will mean taking care to obtain development tools only from reputable sources and checking the cryptographic hash of the tools they download to make sure they haven't been altered. "Developers have to wake the fuck up and realize they’re a target," Mogull says.
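As an added example, not code from the article, from Palo Alto Networks or from Apple: a small POSIX shell script that performs the hash check Mogull describes on a downloaded developer tool before it is installed and, on a Mac, asks Gatekeeper whether the installed Xcode.app carries a valid Apple signature. The file contents and the hash in the demonstration are constructed for illustration; a real check compares against the digest the vendor publishes over an authenticated channel, not a hash hosted next to a mirror's download, since whoever can replace the installer can replace a hash sitting beside it.

```shell
#!/bin/sh
# Added example (not from the WIRED article, Palo Alto Networks or Apple):
# verify a downloaded developer tool against a vendor-published SHA-256 before
# installing it, which is the check that would have caught a tampered Xcode.
set -eu

# Print the SHA-256 hex digest of file $1, using whichever tool the host has
# (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_download FILE EXPECTED_SHA256
# Succeeds only when the file's digest equals the expected digest exactly
# (hex case is ignored). A missing file or any mismatch is a failure: a
# modified installer is precisely what this check exists to catch.
verify_download() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "missing: $file" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# On macOS, additionally ask Gatekeeper to assess the installed Xcode bundle.
# Apple documented this check after XcodeGhost: a genuine copy is "accepted"
# with a source of "Mac App Store", "Apple System" or "Apple". Where spctl is
# not present (Linux, the verifier) the function says so and returns 2.
assess_xcode() {
    app=${1:-/Applications/Xcode.app}
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available on this platform; skipping Gatekeeper check"
        return 2
    fi
    spctl --assess --verbose "$app"
}

# Demonstration on a constructed file standing in for a downloaded .dmg/.xip:
# the pristine download passes, the same file with one appended byte fails.
demo() {
    tmp=$(mktemp)
    printf 'constructed installer bytes\n' > "$tmp"
    good=$(sha256_of "$tmp")          # stands in for the vendor-published digest
    verify_download "$tmp" "$good"    # OK
    printf 'x' >> "$tmp"              # simulate tampering in transit or on a mirror
    verify_download "$tmp" "$good" || true   # FAIL, reported on stderr
    rm -f "$tmp"
}

demo
```

The hash check only helps if the expected digest comes from somewhere the attacker cannot also edit; for Xcode specifically, the Gatekeeper assessment is the stronger signal because it is rooted in Apple's code signing rather than in a value copied from a web page.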

The good news, Mogull says, is that both malware outbreaks found only limited ways to circumvent the iPhone's security measures, not to fundamentally break them in a way that would allow for a more widespread attack. "As interesting as I find this—and I do think we’ll see it again—it’ll never be like the malware days of Windows XP, for instance," Mogull says of the Xcode attack. "There are scalability issues...Apple's decisions have made it very difficult to get sustained, mass exploitation."

Mogull points to the recent million-dollar bounty publicized by the hacking firm Zerodium for an intrusion technique that can compromise a target iPhone via text message or an infected webpage. The size of that reward is actually comforting, Mogull concludes. "The fact that someone’s paying a million for an iPhone exploit," he says, "That makes me feel pretty good."