What is it?

XcodeGhost is a class of malware associated with iOS applications built with a compromised version of Xcode (Apple's compiler and development tools for iOS and MacOS). XcodeGhost was originally detected in late September, 2015.

What does it do?

The most dangerous thing an XcodeGhost-infected application can do is present fake pop-ups designed to steal credentials from the user. It can also read and write clipboard data, and hijack URLs to send the user somewhere other than where they expect. Any stolen credentials or clipboard data can be sent back to third-party servers.

How would I get it?

By installing an application infected with the malware. Infected applications were for a time distributed through the Apple Store, although they have since been removed.

How can I protect myself from it?

Use only apps installed from the Apple Store. Although the infected applications were originally distributed through the Apple Store, they have since been cleaned out. If you are a developer, use only copies of Xcode downloaded from official Apple servers.
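For developers, one way to confirm that an installed Xcode came from Apple is the Gatekeeper assessment Apple recommended after this incident. This is an added example, not part of the IST notice; it assumes the default install path /Applications/Xcode.app and the spctl output lines shown in the comments.

```shell
#!/bin/sh
# Verify that an Xcode install carries an Apple signature, not a third-party one.
# `spctl --assess --verbose` prints lines like (constructed sample):
#   /Applications/Xcode.app: accepted
#   source=Mac App Store
# Only "accepted" with an Apple source (Mac App Store, Apple, Apple System)
# counts as trusted; anything else is treated as an unknown build.

# Decide from the assessment text alone (so the logic can be checked offline).
is_apple_source() {
    text="$1"
    printf '%s\n' "$text" | grep -q ': accepted$' || return 1
    printf '%s\n' "$text" | grep -qx 'source=\(Mac App Store\|Apple\|Apple System\)'
}

# Run the assessment against a bundle path (default: the standard Xcode location).
# Returns 0 if trusted, 1 if rejected or signed by someone other than Apple,
# 2 if the check cannot run here.
check_xcode_signature() {
    app="${1:-/Applications/Xcode.app}"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not found: this check only runs on macOS" >&2
        return 2
    fi
    if [ ! -d "$app" ]; then
        echo "no app bundle at $app" >&2
        return 2
    fi
    # spctl may write the verbose lines to stderr, so capture both streams.
    result=$(spctl --assess --verbose "$app" 2>&1)
    if is_apple_source "$result"; then
        echo "OK: $result"
        return 0
    fi
    echo "UNTRUSTED: $result" >&2
    return 1
}
```

Source the file and run `check_xcode_signature` (optionally with a path); a non-zero exit means the installed Xcode should not be used to build or ship apps until it is replaced with a download from Apple.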

So what do I do now?

Uninstall any infected applications. The most common one observed at the University of Waterloo is WeChat, although Palo Alto researchers published a list of 38 other applications.

Why did you take so long to let me know? Why let me know now?

The IST Security Operations Centre initially considered this a low priority, as Apple fairly quickly remediated the original issue. However, in the interim, we have observed dozens of possibly compromised devices. We are changing our strategy and will now directly notify users of devices we suspect to be compromised.

Questions/concerns? Contact soc@uwaterloo.ca.