Apple cleans up App Store post XcodeGhost malware breach

The recent breach of Apple App Store by XcodeGhost malware shook the technology industry. This is the sixth malware that has made its way into the official App store after LBTM, InstaStock, FindAndCall, Jekyll and FakeTor, according to Palo Alto Networks.

According to security firm, the scale of the attack is like nothing Apple has experienced before.

"We believe XcodeGhost is a very harmful and dangerous malware that has bypassed Apple's code review and made unprecedented attacks on the iOS ecosystem," the firm said.

The tech giant immediately attended the problem and has recently announced that that the apps created with the counterfeit software have been removed from the App Store. Moreover, it is also blocking submissions of new apps that contain the malware from entering the App Store.

“We’re working closely with developers to get impacted apps back on the App Store as quickly as possible for customers to enjoy”, said Apple. “A list of the top 25 most popular apps impacted will be listed soon so users can easily verify if they have downloaded the latest versions of these apps. After the top 25 impacted apps, the number of impacted users drops significantly.”

Apple incorporates technologies like Gatekeeper in order to prevent non-App Store and/or unsigned versions of programs, including Xcode, from being installed. The company cautions the app developers saying that they should always download Xcode directly from the Mac App Store, or from the Apple Developer website, and leave Gatekeeper enabled on all their systems to protect against tampered software.

As part of its efforts to tackle the malware problem, Apple issued commands that can be used by app developers to verify the identity of the Xcode copy. These commands need to be run in Terminal on a system with Gatekeeper enabled:

“spctl --assess --verbose /Applications/Xcode.app

where /Applications/ is the directory where Xcode is installed. This tool performs the same checks that Gatekeeper uses to validate the code signatures of applications. The tool can take up to several minutes to complete the assessment for Xcode.

The tool should return the following result for a version of Xcode downloaded from the Mac App Store:
/Applications/Xcode.app: accepted
source=Mac App Store

and for a version downloaded from the Apple Developer web site, the result should read either
/Applications/Xcode.app: accepted
source=Apple

or

/Applications/Xcode.app: accepted
source=Apple System

Any result other than ‘accepted’ or any source other than ‘Mac App Store’, ‘Apple System’ or ‘Apple’ indicates that the application signature is not valid for Xcode.”