Was XcodeGhost a CIA hit?

“Last week, Chinese app developers disclosed that an Apple programming tool had been hijacked to trick developers into embedding malicious software into apps for Apple devices,” Micah Lee reports for The Intercept. “The malware, called XcodeGhost, works by corrupting Apple’s Xcode software, which runs on Mac computers and compiles source code into apps that can run on iPhones, iPads, and other devices, before submitting them to the App Store. If a developer has XcodeGhost installed on their computer, apps that they compile include malware without the developer realizing it.”

“Although XcodeGhost is the first malware to spread this way in the wild, the techniques it uses were previously developed and demonstrated by Central Intelligence Agency researchers at the CIA’s annual top-secret Jamboree conference in 2012,” Lee reports. “Using documents from NSA whistleblower Edward Snowden, The Intercept’s Jeremy Scahill and Josh Begley described the CIA’s Xcode project in a story published in March.”

Lee reports, “Today, Apple has published instructions for developers to verify that the version of Xcode they have installed is the official one.”

Read more in the full article here.

MacDailyNews Take: The U.S. and other governments hate Apple’s outspoken commitment to protecting its users’ privacy.

…Government of the people, by the people, for the people, shall not perish from the Earth. — Abraham Lincoln

Looks like Lincoln was wrong.

Apple lists top 25 apps afflicted by XcodeGhost – September 24, 2015
XCodeGhost iOS infection toll balloons from 39 to over 4,000 apps – September 23, 2015
Apple to offer domestic downloads of Xcode for developers in China – September 23, 2015
Apple targeted as malware generated by bogus Xcode infects China mobile apps – September 21, 2015
New Android malware strains to top 2 million by end of 2015 – July 1, 2015
Symantec: 1 in 5 Android apps is malware – April 25, 2015
Kaspersky Lab Director: Over 98% of mobile malware targets Android because it’s much, much easier to exploit than iOS – January 15, 2015
Security experts: Malware spreading to millions on Android phones – November 21, 2014
There’s practically no iOS malware, thanks to Apple’s smart control over app distribution – June 13, 2014
F-Secure: Android accounted for 99% of new mobile malware in Q1 2014 – April 30, 2014
Google’s Sundar Pichai: Android not designed to be safe; if I wrote malware, I’d target Android, too – February 27, 2014
Cisco: Android the target of 99 percent of world’s mobile malware – January 17, 2014
U.S. DHS, FBI warn of malware threats to Android mobile devices – August 27, 2013

[Thanks to MacDailyNews Reader “CognativeDisonance” for the heads up.]


      1. I meant that MDN took it out of context. The words are correct, but Lincoln was saying that is the goal, not that it had or would be achieved, as the MDN take would suggest.

  1. Quote from full article: “Using documents from NSA whistleblower Edward Snowden, The Intercept’s Jeremy Scahill and Josh Begley described the CIA’s Xcode project in a story published in March.”

    Thus XcodeGhost may be anyone’s hack (not just the CIA/NSA) based upon information gleaned from the documents Snowden released to the public. ‘Here is Xcode, here’s how to hack it and here’s how to get it into the hands of a bunch of programmers too impatient to do their due diligence.’

  2. If the technique was public knowledge, who’s to say the Chinese, or any other government or independent organization, didn’t use the same?

    It is nonsense to point at the NSA/CIA, especially now. But that should also not put them in the clear.

  3. Sad, but to be expected. The Constitution is the shield, but we really need to be able to bitch slap the crap out of our bat shit crazy government when necessary. Who knows if the alphabet soup had a hand in it or not? The problem is, if they did, no one would be surprised, and if they were found out, no one would be punished. They are too powerful. The focus of almost all government domestic policies is on restricting us and legislating away our freedoms.

  4. I don’t think it was the CIA, but I think those released documents may have given someone the idea to do it. I read about the Snowden documents around March or so, and in May or so is when the Apple issue started happening, according to an antivirus malware company chart.

  5. Can anyone point out the link to the article, the MDN link doesn’t work, at least for me.

    Oh the MDN take is a bit long and superfluous “The U.S. and some other governments hate”

    The Lincoln quote still applies for those from the free and civilized world.

  6. Not-quite paranoia. Fascinating.

    A Chinese developer has ‘apologized’ via GitHub for creating XcodeGhost source code as an experiment. Whether this is subterfuge or not, we shall see.

    Cult of Mac has a reasonable (now out-of-date) summary of the XcodeGhost story:

    FAQ: Everything you need to know about the XcodeGhost App Store hack

    A translation of the ‘apology’:

    First of all, I apologize for the confusion XcodeGhost has brought. XcodeGhost is from my own experiments, without any threatening behavior, as detailed in the source code.

    The so-called XcodeGhost is actually hard for unsuspecting iOS developers to find. A modified Xcode compiler configuration text file code can be loaded, so I wrote the code above to try and upload it to their network disk.

    All data in the code actually acquires basic app information: application name, application version number, system version number, language, country name, developer, app installation time, device name, and device type. In addition, it does not gather any other data. I must confess that for selfish reasons, I used the advertising features in the code to promote these applications (you can confirm this in the source code). But in fact, from the beginning to the final shutdown of the server, I never used the advertising function. And 10 days ago, I took the program off the server and removed all data, but that will not have any effect on anyone.

    In order to put an end to the rumors, the so-called “XcodeGhost” was an ill-advised experiment, and it is now dead.

    I wish to emphasize that XcodeGhost-infected apps will not affect any users and does not obtain private data, only a useless piece of code.

    Again, I sincerely apologize and wish you a pleasant weekend.

  7. Apple needs to do a checksum on Xcode before it compiles, or it needs to do the compilation in the cloud with proper cryptological protections to keep the source out of the hands of anyone but the programmer.
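Apple’s own post-XcodeGhost check (the instructions Lee mentions above) was to assess the code signature of the installed Xcode.app with `spctl --assess --verbose /Applications/Xcode.app` and confirm the source is the Mac App Store or Apple. The script below, added here as an illustration and not code from Apple, The Intercept or the commenter, shows the complementary approach the comment above suggests: take a SHA-256 manifest of a trusted toolchain install, then rehash before building and refuse to proceed if any file was modified, removed or added. The function names and the sample “Xcode.app” tree it builds in a temporary directory are constructed for the demonstration; point `make_manifest`/`verify_manifest` at a real install to use it.

```shell
#!/bin/sh
# Added example: hash-manifest integrity check for an installed toolchain.
# Not Apple's code; function names and the demo tree are hypothetical.
set -u

# Pick the SHA-256 tool available: sha256sum (Linux) or shasum -a 256 (macOS).
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then
        echo "sha256sum"
    else
        echo "shasum -a 256"
    fi
}

# make_manifest ROOT OUT: hash every regular file under ROOT into OUT.
# Paths are recorded relative to ROOT in a fixed byte order, so two
# manifests of the same tree compare byte-for-byte.
make_manifest() {
    root=$1
    out=$2
    tool=$(sha256_tool)
    (
        cd "$root" || exit 1
        find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
            $tool "$f"
        done
    ) > "$out"
}

# verify_manifest ROOT BASELINE: rehash ROOT and compare with BASELINE.
# Returns 0 when nothing changed; otherwise prints every differing entry
# (modified, deleted or added file) to stderr and returns 1.
verify_manifest() {
    root=$1
    baseline=$2
    current=$(mktemp)
    make_manifest "$root" "$current"
    if cmp -s "$baseline" "$current"; then
        rm -f "$current"
        return 0
    fi
    echo "integrity check FAILED for $root" >&2
    # '<' lines exist only in the baseline, '>' lines only on disk now.
    diff "$baseline" "$current" | sed -n 's/^< /  baseline: /p; s/^> /  on disk:  /p' >&2
    rm -f "$current"
    return 1
}

# demo: build a constructed stand-in for Xcode.app, baseline it, then tamper
# with it (one file modified, one planted) and recheck. Returns 0 only if the
# clean tree passes and the tampered tree is caught.
demo() {
    work=$(mktemp -d)
    app="$work/Xcode.app"
    mkdir -p "$app/Contents/Developer/usr/bin"
    printf 'pretend linker\n'   > "$app/Contents/Developer/usr/bin/ld"
    printf 'pretend compiler\n' > "$app/Contents/Developer/usr/bin/clang"

    make_manifest "$app" "$work/Xcode.sha256"
    verify_manifest "$app" "$work/Xcode.sha256" || { rm -rf "$work"; return 1; }

    # Tamper the way a trojaned download would: patch a binary, add a file.
    printf 'patched linker\n'  > "$app/Contents/Developer/usr/bin/ld"
    printf 'planted object\n'  > "$app/Contents/Developer/usr/bin/extra.o"
    if verify_manifest "$app" "$work/Xcode.sha256"; then
        rm -rf "$work"
        return 1    # tampering went unnoticed: that would be a bug
    fi
    rm -rf "$work"
    return 0
}

if demo; then
    echo "demo: tampering detected as expected"
else
    echo "demo: FAILED" >&2
fi
```

The manifest only proves the tree matches whatever you hashed at baseline time, so take the baseline from a copy whose provenance you trust (an App Store download, or a package whose signature you have already verified), not from the machine you suspect. It also catches what a signature check misses in the other direction: a developer who deliberately disabled Gatekeeper to run an unsigned build still gets a report of exactly which files differ from the known-good install.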
