
Here is what XcodeGhost author says

  sonic0002      2015-09-18 20:51:38      5,527    0    0

The first compiler malware in iOS was disclosed by Chinese iOS developers on Wednesday (Beijing time). The malware is named XcodeGhost, as described by the Alibaba researchers who released an analysis of it.

The malicious code is located in a Mach-O object file that was repackaged into some versions of Xcode installers. These malicious installers were then uploaded to Baidu’s cloud file sharing service for use by Chinese iOS/OS X developers. Xcode is Apple’s official tool for developing iOS or OS X apps, and it is clear that some Chinese developers have downloaded these Trojanized packages.

One way to check whether your Xcode is infected by XcodeGhost is to check whether the file Library/Frameworks/CoreServices.framework/CoreService exists in the Xcode SDK /Applications/ Normally there is no directory named Library in the Xcode SDK.
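The check above as a script (an added example, not part of the original article or any vendor tool). It assumes each SDK is a directory whose name ends in `.sdk` somewhere under the Xcode bundle path you pass in; the function name `scan_xcode` and the status labels are made up for this example.

```shell
#!/bin/sh
# Added example: look for the XcodeGhost marker file inside every SDK
# of one Xcode bundle. Assumption: SDKs are directories named "*.sdk".

MARKER="Library/Frameworks/CoreServices.framework/CoreService"

# Prints one line per SDK:
#   INFECTED   <sdk>  marker file present
#   SUSPICIOUS <sdk>  a Library directory exists (the article says a clean
#                     SDK normally has none), but the marker file is absent
#   CLEAN      <sdk>  neither found
# Returns 0 if every SDK is clean, 1 if any is flagged, 2 on bad input.
scan_xcode() {
    root=$1
    if [ -z "$root" ] || [ ! -d "$root" ]; then
        echo "usage: scan_xcode <path-to-Xcode-bundle>" >&2
        return 2
    fi
    # -prune stops find from descending into an SDK once it has matched.
    report=$(find "$root" -type d -name '*.sdk' -prune -print | sort |
        while IFS= read -r sdk; do
            if [ -e "$sdk/$MARKER" ]; then
                echo "INFECTED $sdk"
            elif [ -d "$sdk/Library" ]; then
                echo "SUSPICIOUS $sdk"
            else
                echo "CLEAN $sdk"
            fi
        done)
    if [ -z "$report" ]; then
        echo "no *.sdk directories found under $root" >&2
        return 2
    fi
    printf '%s\n' "$report"
    if printf '%s\n' "$report" | grep -Eq '^(INFECTED|SUSPICIOUS) '; then
        return 1
    fi
    return 0
}

# Run directly: sh scan.sh <path-to-Xcode-bundle>
if [ "$#" -gt 0 ]; then
    scan_xcode "$1"
fi
```

Run it once per installed Xcode copy; a non-zero exit status makes it usable as a gate on a build machine.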

Many popular iOS apps are known to be affected by the XcodeGhost malware. These include NetEase Cloud Music, WeChat 6.2.5, DiDi, and Bank of China. The full list of known affected apps can be found here.

As more and more details were disclosed by researchers and app developers, the "author" of XcodeGhost finally came forward and shared the story behind XcodeGhost, along with the source code.

In his public statement, he claimed that XcodeGhost was a misguided experiment which he carried out to prove an unexpected finding about Xcode. The finding is that Xcode allows a configuration file to be modified so that it loads a specific source code file, so he wrote "XcodeGhost" to try that.

He also emphasized that XcodeGhost only gathers information including app name, app version, OS version, language, country, developer info, app installation time, device name and device type. No other information is collected. The author does admit that he included some code to promote his own app, but says he never enabled this capability. He also says he shut down the server and removed all data about 10 days ago.

So according to his statement, he did not mean to harm any app or any user, and all apps compiled with this Xcode will run without any problem. Whether this is true remains to be verified.

UPDATE: You can now download the tool to detect which apps are affected by XcodeGhost malware at It is available for iOS 8 and iOS 9.
