Who is behind the biggest iOS malware attack -- XcodeGhost

Oct 11 2015

We estimate that more than 95% of China iPhone users, over 100 million, have been infected by XcodeGhost malware.

The XcodeGhost incident caused an uproar during last few weeks; more than 4,000 iOS apps have been found to be infected with XcodeGhost. This includes highly popular apps such as the message app WeChat, ride-hailing app Didi Kuaidi (Uber alike), and music sharing app NetEase Music.

The infected apps successfully passed Apple’s rigorous tests. Hundreds of millions of iPhone users, because they installed or updated the infected apps from Apple’s official app store, were infected.

Sensitive information of these users was collected and sent to remote servers operated by the team behind XcodeGhost. Based on the analysis from security teams including Palo Alto, Antiy, PanGu, ThreatBook, Baidu, and Alibaba, it has been revealed that XcodeGhost gives a remote attacker the capability to do a number of malicious things, including:

• Pop up a window with arbitrary content, including spoofed messages

• Invoke other apps

• Make a phone call

• Send an SMS

• Send email

• Get clipboard content

• Display a webpage

• Distribute other apps through a popup window

XcodeGhost is the biggest iOS malware attack against iPhone users. But who is behind it? An online apology posted by @XcodeGhost-Author claims it was a developer’s mistake. But should we believe that?

We’re researchers at ThreatBook Labs, a threat intelligence company based in China. By exploring the resources used by the XcodeGhost team, we have uncovered the identities of the perpetrators. And by fusing technical analysis with the XcodeGhost team’s social behavior, we have revealed the malware’s true intentions. In this blog, we are going to walk you through our investigation and show you how we uncovered who is behind XcodeGhost.

First, let’s start with the apology letter (See Figure 1). On 19 September 2015, two days after the XcodeGhost attack was made public, someone claiming to be the author of XcodeGhost tweeted under the name @XcodeGhost-Author. He apologized for the panic and unrest caused by this incident, but maintained that XcodeGhost is just a coding experiment to explore the potential exploitation of a loophole in Xcode to enable advertisement delivery. The information collected through the affected apps, such as app name, app version, system OS version, localization, developer identifier, device name, and network type, did not include any privacy information. He also claimed that the advertisement delivery capability has never been utilized, the apps' original functions were not affected in any way, the server collecting information has been taken offline, and all collected data had been deleted.

Figure 1: @XcodeGhost-Author’s apology letter

While @XcodeGhost-Author’s tweet appears to be sincere, our analysis indicates otherwise. In XcodeGhost, there are three remote servers identified as command and control (C2) servers operated by the XcodeGhost team:

• init.crash-analytics.com

• init.icloud-analysis.com

• init.icloud-diagnostics.com

These servers were all registered by an anonymous user. We explored historical IP data, and we found that crash-analytics.com once resolved as, and that icloud-analysis.com once resolved as On these two IP addresses, we identified another three hosted domains:

• allsdk.org

• kytr.pub

• 2shoubang.com

These three domains were registered by the same identity: 778****@qq.com. This same identity registered other domains: iossdk.org, sdkdev.net, iostool.com, and xyzhhushou.info. By correlating with other data sources, the identities behind XcodeGhost start to surface:

Name: Wang ****
QQ number: 778***@qq.com, 473***@qq.com
Cell Phone contact: 132****520
Home Phone contact: 0532-6657****
Internet ID used: Zhou ****, Wang ****, ****Wang
(7778***@qq.com has been registered under a university student at ShanDong Province)
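The infrastructure pivot described above (historical DNS resolutions, then domains sharing those hosting IPs, then registrant correlation), written out as an added Python example that is not part of ThreatBook’s post. The domain names are those given on the page; the IP addresses and WHOIS records are constructed placeholders, and the corroboration threshold is an assumption of the example.

```python
from collections import defaultdict

# Constructed passive-DNS records (domain, ip). The real historical IPs are
# not reproduced; 192.0.2.0/24 is the RFC 5737 documentation range.
PASSIVE_DNS = [
    ("crash-analytics.com", "192.0.2.10"),
    ("icloud-analysis.com", "192.0.2.20"),
    ("allsdk.org", "192.0.2.10"),
    ("kytr.pub", "192.0.2.20"),
    ("2shoubang.com", "192.0.2.20"),
    ("shared-host.example", "192.0.2.20"),  # co-hosted, unrelated registrant
    ("unrelated.example", "192.0.2.30"),    # never shares an IP with a seed
]

# Constructed WHOIS data: domain -> registrant e-mail (handle masked as on the
# page). Privacy-protected records are marked and never used as a pivot.
WHOIS = {
    "crash-analytics.com": "PRIVACY-PROTECTED",
    "icloud-analysis.com": "PRIVACY-PROTECTED",
    "allsdk.org": "778****@qq.com",
    "kytr.pub": "778****@qq.com",
    "2shoubang.com": "778****@qq.com",
    "iossdk.org": "778****@qq.com",
    "sdkdev.net": "778****@qq.com",
    "shared-host.example": "someone-else@example.org",
}

def pivot(seeds, pdns, whois, min_corroboration=2):
    """Return {registrant: domains} for registrants linked to the seeds.
    A registrant counts only if at least min_corroboration co-hosted domains
    are its; a single co-hosted domain on a shared server is weak evidence."""
    ip_to_domains, domain_to_ips = defaultdict(set), defaultdict(set)
    for domain, ip in pdns:
        ip_to_domains[ip].add(domain)
        domain_to_ips[domain].add(ip)
    # Step 1: seed C2 domains -> historical IPs -> other domains on those IPs
    cohosted = set()
    for seed in seeds:
        for ip in domain_to_ips[seed]:
            cohosted |= ip_to_domains[ip]
    cohosted -= set(seeds)
    # Step 2: co-hosted domains -> registrants, counting corroborating domains
    hits = defaultdict(int)
    for domain in cohosted:
        owner = whois.get(domain)
        if owner and not owner.startswith("PRIVACY"):
            hits[owner] += 1
    # Step 3: each corroborated registrant -> all domains under that identity
    return {owner: sorted(d for d, e in whois.items() if e == owner)
            for owner, n in hits.items() if n >= min_corroboration}
```

With the default threshold the single co-hosted `shared-host.example` is dropped, which is the caveat to keep in mind when pivoting through shared hosting.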

After identifying these identities as the possible people behind the XcodeGhost team, we studied their social behavior by tracing the Internet forum posts of Wang *** and Zhou ***.

On 25 February 2015, about seven months before the XcodeGhost attack was exposed to the public, the XcodeGhost team registered the icloud-analysis.com domain, which is used as one of the XcodeGhost C2 servers.

On 16 March 2015, six days after The Intercept disclosed the CIA’s effort to break iPhone security by infecting Xcode, the XcodeGhost team posted the first download links for the poisoned Xcode IDE package in a Unity3D discussion forum (http://game.ceeger.com/forum/). The download links are hosted on Baidu Cloud.

On 17 March 2015, the XcodeGhost team registered the icloud-diagnostics.com domain, which is also used as one of the XcodeGhost C2 servers. During August and September 2015, the XcodeGhost team registered more than 20 other domains, including icloud-analytics.com, daimaku.net, iOStool.com, iOScode.org, sdkdev.net, sdkdev.org, tiao2shou.com, 592qiche.com, and allsdk.org.

On 22 September 2015, five days after the XcodeGhost attack was exposed, the XcodeGhost team deleted their previous posts promoting the infected Xcode IDE downloads in the Unity3D discussion forum (http://game.ceeger.com/forum/).

We know that the XcodeGhost team started to plan the XcodeGhost deployment at least seven months before it was exposed. They took advantage of network bandwidth limitations for Apple app developers in China to deploy their toolkit. They planned, developed, and distributed XcodeGhost. Then, once the XcodeGhost attack was exposed, the XcodeGhost team seemed to panic, and they tried to mitigate XcodeGhost’s impact by posting an apology letter saying no attack was intended. However, such an explanation is insufficient to explain the advanced functionality in XcodeGhost, and the seven months of the XcodeGhost team’s activities for its deployment and promotion.

As a threat intelligence company, ThreatBook’s mission goes beyond the identification and elimination of infections on the end user’s device. We want to expose the true identities of malware creators in the hope of stopping the problem at its source. We hope the information about the identities we uncovered will stop the XcodeGhost team from running other attacks.

More details about ThreatBook’s investigation into the XcodeGhost threat, as well as Indicators of Compromise (IOCs) can be found at https://x.threatbook.cn/tag/XcodeGhost