Brian Jackson - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

As the CIA enters the picture, iOS malware count up to 4,000

The largest incident of iOS malware found in the Apple App Store has grown exponentially, as researchers find more than 4,000 apps infected. And the attackers may have been inspired by CIA techniques.

The first major successful compromise of Apple's iOS App Store is far worse than first reported. The XcodeGhost malware was spread through iOS apps via compromised versions of Apple's development Xcode app, and original reports claimed the number of infected apps was 39. According to a new report, FireEye Labs began scanning the App Store after the initial report was released and has since found over 4,000 compromised apps.

Inspired by the CIA?

The iOS malware, found to be used to collect information and run phishing schemes, may have a connection to the CIA. A report by The Intercept in March 2015 noted that documents leaked by Edward Snowden claim CIA researchers detailed a way to manipulate Xcode in order to inject malware into apps without the developer knowing. Additional reports from March 2014 -- also based on leaked Snowden documents -- claimed the National Security Agency infiltrated Chinese telecom company Huawei Technologies Co. Ltd.

The leaked information wasn't really a blueprint for how to launch the attack, but it could have sparked the idea.
Ryan Olsondirector of threat intelligence for Unit 42 at Palo Alto Networks

According to Ryan Olson, director of threat intelligence for Unit 42 at Palo Alto Networks, based in Santa Clara, Calif., there is no evidence that the CIA was involved in the attacks, but the agency may have influenced the attackers.

"The timing of the release of the Intercept report (March 10, 2015) and the first upload of the malicious Xcode packages (March 23, 2015) suggests that attacker may have been inspired by this news," Olson said. "The leaked information wasn't really a blueprint for how to launch the attack, but it could have sparked the idea."

The CIA has declined to comment on the contents of the original leaked documents, and has not responded to inquiries as to whether this attack vector was reported to Apple.

Apple's response

Apple has said it has been working to remove infected apps, and has detailed ways for developers to make sure they are using uncompromised versions of Xcode. The iOS malware has apparently spread quickly because it was much faster for Chinese developers to download the Xcode app from third-party sources, which were found to be hosting hacked versions of the software.

Phil Schiller, senior vice president of worldwide marketing at Apple Inc., spoke to Chinese reporters recently and admitted this was true. Schiller said the average download of the 3 GB Xcode software package took 25 minutes in the U.S., but could take as long as three hours in China. Apple is reportedly looking into hosting the software locally in China to improve speeds and mitigate the issue.

Apple has not responded to questions on whether it was aware of the alleged CIA techniques for compromising Xcode.

However, Liviu Arsene, senior e-threat researcher for Romania-based antimalware firm Bitdefender, said the issue of stopping developers from downloading hacked versions of the Xcode software could have been caught sooner.

"In light of this event, we can assume that the team that orchestrated this event exploited the issue of poor download speed of the Xcode software in China in order to trick developers into using a tampered version of the Xcode IDE," Arsene said. "Because this type of attack has not been seen before, it's safe to assume that developers will be more mindful of locations from where they download such tools. However, this could have been averted in the first place if caution were exercised prior to this incident."

Next Steps

Learn how faulty software can have astronomical costs

Dig Deeper on Mobile security threats and prevention