Last week Palo Alto Networks reported on a diabolically clever method of introducing malware to the iOS App Store: uploading a hacked version of Xcode to file-sharing servers, one that contains a modified file which is automatically linked into every app built with it.
XcodeGhost implements its malicious code in its own CoreServices object file and copies this file to a specific location that is one of Xcode's default framework search paths. Hence, the code in the malicious CoreServices file is added to any iOS app compiled with the infected Xcode, without the developers' knowledge.
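The practical question for anyone who installed Xcode from a mirror is how to tell whether their copy is the trojanized one. The script below is an added example, not code from Palo Alto Networks, Apple, or this post. It assumes two things: that the planted payload lives as a CoreServices.framework under the iOS SDK's System/Library/Frameworks directory (a genuine iOS SDK ships MobileCoreServices.framework there, not CoreServices.framework, so any hit is suspicious), and that the machine has Apple's Gatekeeper assessment tool `spctl`, which reports whether the bundle's code signature still chains to Apple. The function names and the `XCODE_APP` variable are the example's own inventions.

```shell
#!/bin/sh
# Added example: look for an out-of-place CoreServices.framework in the iOS
# SDKs of an Xcode bundle and, on macOS, verify the bundle's signature.
# Hypothetical helper; the path layout below is an assumption, not taken
# from the original post.

XCODE_APP="${XCODE_APP:-/Applications/Xcode.app}"

# Print every CoreServices.framework directory found under the iPhoneOS and
# iPhoneSimulator SDKs. Assumption: legitimate iOS SDKs carry only
# MobileCoreServices.framework at this level, so any match is a red flag.
find_planted_coreservices() {
    for platform in iPhoneOS iPhoneSimulator; do
        sdks="$1/Contents/Developer/Platforms/$platform.platform/Developer/SDKs"
        [ -d "$sdks" ] || continue
        find "$sdks" -type d -name 'CoreServices.framework' \
            -path '*/System/Library/Frameworks/*'
    done
}

# Exit status 0 when no planted framework is present, 1 when one is found.
check_xcode() {
    hits=$(find_planted_coreservices "$1")
    if [ -n "$hits" ]; then
        echo "SUSPICIOUS: CoreServices.framework inside an iOS SDK of $1:" >&2
        echo "$hits" >&2
        return 1
    fi
    echo "no CoreServices.framework under the iOS SDKs of $1" >&2
    return 0
}

# On macOS, ask Gatekeeper whether the bundle is still signed by Apple.
# A redistributed, modified Xcode fails this or reports a non-Apple source.
verify_signature() {
    if command -v spctl >/dev/null 2>&1; then
        spctl --assess --verbose "$1"
    else
        echo "spctl not available on this host; skipping signature check" >&2
    fi
}

main() {
    check_xcode "$XCODE_APP"
    verify_signature "$XCODE_APP"
}

main
```

Run it as `XCODE_APP=/Applications/Xcode.app sh xcode_check.sh`; a non-zero exit from `check_xcode` or an `spctl` verdict other than "accepted" with an Apple source means the installer should not be trusted and the apps built with it should be rebuilt from a clean Xcode.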
Why download a version of Xcode from someone other than Apple? It turns out that in China, downloading large files from Apple's servers can take a very long time, so installers such as Xcode are often passed around from person to person or placed on local file-sharing services for (unauthorized) redistribution.
In total, at least 39 apps were infected, including popular apps such as WeChat. Apple says the apps have been removed.