You think that's all? Let us tell you about the complete XCodeGhost event


These days the security community has been almost flooded with the XCodeGhost event. Everyone is very concerned, and the security teams have been awesome, analyzing it from different perspectives: modes of transmission, virus behavior, area of influence, even information about the human author. Having read all the public and semi-public reports online, we believe that this is not all, so we add what is missing to complete the picture of the XCodeGhost event.

Because this text was written in haste, errors and omissions are inevitable, and we welcome criticism from our peers.

Event traceability

The story goes back to a week ago.

On September 12th, while following up on a bug, we found that an APP was sending anomalous encrypted traffic over the network to a domain name at startup and exit. This was very suspicious behavior, so the terminal security team followed up immediately. After a weekend of overtime analysis and tracking, we had basically reconstructed the mode of infection, the virus behavior and the scope of influence.

On September 13th, the team released a new version of the product. At the same time, taking into account how widely the event reached, we immediately notified CNCERT, and CNCERT immediately took relevant measures. So from this point in time, most of the follow-up security risk has been under control; you can look at how the illegal domain name resolved within the country before and after this time.

On September 14th, CNCERT issued an early warning notice about this event. We also updated the mobile APP security detection system "King kong".


Figure 1 CNCERT issued an early warning notice

On September 16th, we found that 76 of the TOP5000 applications on the AppStore were infected, so we shared this situation with Apple officially and with most of the affected manufacturers.

On September 17th, the keen-nosed foreign security company PaloAlto found this problem and released the first version of its analysis report. Ali mobile security also released an analysis report.

What happened next we all know: the XCodeGhost incident heated up rapidly and became a hot spot in the industry, more security teams and experts conducted in-depth analysis, and more information came out.

The sample behavior analysis that was missed

1. When the infected APP starts, goes to the background, resumes or ends, it reports information to the server controlled by the hackers.

The reported information includes: APP version, APP name, local language, iOS version, device type, country code and other device information, which can accurately distinguish each iOS device.

The domain name reported to is, and we also found the attacker's other three unused domain names
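The following is an added example, not code from the original report: a Python sketch of how a dynamic-analysis run could surface the behavior in item 1, by flagging hosts the developer did not declare that are contacted right after several different lifecycle transitions. The log layout, the `*.example` host names, the time window and the threshold are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sandbox capture (seconds since start of the run).
# Host names are placeholders, not real indicators.
LIFECYCLE = [(0.0, "launch"), (30.0, "background"),
             (45.0, "resume"), (90.0, "terminate")]
CONNECTIONS = [  # (timestamp, destination host, bytes sent)
    (0.4, "beacon.example", 312), (1.2, "api.vendor.example", 2048),
    (12.0, "api.vendor.example", 5120), (30.3, "beacon.example", 305),
    (45.2, "beacon.example", 310), (46.0, "cdn.vendor.example", 90000),
    (89.8, "api.vendor.example", 800), (90.1, "beacon.example", 298),
]
# Endpoints the app's developer says the app should talk to (assumed input).
EXPECTED_HOSTS = {"api.vendor.example", "cdn.vendor.example"}


def lifecycle_beacons(lifecycle, connections, expected, window=1.0, min_kinds=3):
    """Return {host: sorted lifecycle kinds} for undeclared hosts contacted
    within `window` seconds after at least `min_kinds` distinct transitions."""
    hits = defaultdict(set)
    for ts, host, _size in connections:
        if host in expected:
            continue  # declared endpoint, not of interest here
        for ev_ts, kind in lifecycle:
            if 0 <= ts - ev_ts <= window:
                hits[host].add(kind)
    # A host seen after one transition only (e.g. a launch-time ad call)
    # stays below the threshold; reporting on every transition does not.
    return {h: sorted(k) for h, k in hits.items() if len(k) >= min_kinds}


if __name__ == "__main__":
    for host, kinds in lifecycle_beacons(LIFECYCLE, CONNECTIONS, EXPECTED_HOSTS).items():
        print(f"{host}: contacted after {', '.join(kinds)}")
```
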