{
	"id": "3113a4c9-b804-4847-9e63-2b3609ccc5d2",
	"created_at": "2026-04-06T01:30:02.829763Z",
	"updated_at": "2026-04-10T13:13:04.343815Z",
	"deleted_at": null,
	"sha1_hash": "1e9ab55ac020a1bfba326f8121797abe1b4d5f74",
	"title": "Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1254869,
	"plain_text": "Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store\r\nBy Claud Xiao\r\nPublished: 2015-09-17 · Archived: 2026-04-06 01:06:58 UTC\r\nUPDATE: Since this report's original posting on September 17, three additional XcodeGhost updates have been published, available here, here and here.\r\nOn Wednesday, Chinese iOS developers disclosed a new OS X and iOS malware on Sina Weibo. Alibaba researchers then posted an analysis report on the malware, giving it the name XcodeGhost. We have investigated the malware to identify how it spreads, the techniques it uses and its impact.\r\nXcodeGhost is the first compiler malware seen on OS X. Its malicious code is located in a Mach-O object file that was repackaged into some versions of the Xcode installer. These malicious installers were then uploaded to Baidu’s cloud file sharing service for use by Chinese iOS/OS X developers. Xcode is Apple’s official tool for developing iOS and OS X apps, and it is clear that some Chinese developers have downloaded these Trojanized packages.\r\n(UPDATE: Following notification by Palo Alto Networks of malicious files hosted on its file sharing service, Baidu has removed all of the files.)\r\nXcodeGhost exploits Xcode’s default search paths for system frameworks, and has successfully infected multiple iOS apps built by developers using the Trojanized Xcode. At least two of those iOS apps were submitted to the App Store, passed Apple’s code review, and were published for public download.\r\nThis is the sixth malware that has made it through to the official App Store, after LBTM, InstaStock, FindAndCall, Jekyll and FakeTor.\r\nXcodeGhost’s primary behavior in infected iOS apps is to collect information about the device and upload that data to command and control (C2) servers. The malware has exposed a very interesting attack vector, targeting the compiler toolchain used to create legitimate apps. 
This technique could also be adopted to attack enterprise iOS apps or OS X apps in much more dangerous ways.\r\nDistributing the Malicious Xcode Build\r\nIn China (and in other places around the world), network speeds are sometimes very slow when downloading large files from Apple’s servers. As the standard Xcode installer is nearly 3GB, some Chinese developers choose to download the package from other sources or get copies from colleagues.\r\nBy searching for “Xcode 下载” (Xcode download) in Google, on the first page of the search results (Figure 1) we found that six months ago someone had posted Xcode download links to multiple forums and websites that Chinese iOS developers frequently visit (including Douban, SwiftMi, CocoaChina, OSChina, etc.).\r\nFigure 1. Google search results for \"Xcode downloading\" in Chinese\r\nhttp://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/\r\nThese posts provided links to download all versions of Xcode from 6.0 to 7.0 (including beta versions). All of the links direct to Baidu Yunpan, a cloud-based file storage and sharing service.\r\nFigure 2. Malicious Xcode shared in Baidu Yunpan\r\nWe downloaded these Xcode installers and found that all versions of Xcode from 6.1 to 6.4 were infected. When we attempted to verify the installers’ code signature, it was clear that some extra files had been added to Xcode (Figure 3).\r\nFigure 3. 
Code signing verification shows some extra files in Xcode\r\nThose additional files are listed below.\r\nXcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/Library/Frameworks/CoreServices.framework/CoreSe\r\nXcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/Library/PrivateFrameworks/IDEBundleInjection.fram\r\nXcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/Library/Frameworks/CoreServices.framework/C\r\nXcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/Library/PrivateFrameworks/IDEBundleInjection\r\nXcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/Library/Frameworks/CoreServices.framework/CoreSer\r\nXcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/Library/PrivateFrameworks/IDEBundleInjection.frame\r\nHow the Attack Works\r\nThe primary malicious component in the XcodeGhost-infected version is “CoreServices”. What differs from all previous OS X and iOS malware is that this file is neither a Mach-O executable nor a Mach-O dynamic library, but a Mach-O object file that is consumed by the LLVM linker and cannot be executed directly in any way. This unusual file format causes crashes or errors when the file is analyzed with format parsers such as MachOView, 010 Editor (with the Mach-O template) or jtool.\r\nIn iOS, the CoreServices framework contains many of the fundamental system services, and almost all complex iOS apps rely on it. When such an iOS app is compiled, Xcode searches for the CoreServices framework in a set of pre-defined paths in order to link it with the developer’s code.\r\nXcodeGhost implemented its malicious code in its own CoreServices object file, and copies this file to a specific location that is one of Xcode’s default framework search paths. 
Hence, the code in the malicious CoreServices file is added to any iOS app compiled with the infected Xcode, without the developers’ knowledge.\r\nThe malicious CoreServices file primarily implements extra code in the UIWindow and UIDevice classes. The UIWindow class “manages and coordinates the views an app displays on a device screen”. Almost every iOS app has a UIWindow instance when it is running.\r\nWhen an infected app is executed, either in the iOS Simulator or on an iOS device, the malicious code collects system and app information using its UIDevice AppleIncReserved method. The collected information includes:\r\nCurrent time\r\nCurrent infected app’s name\r\nThe app’s bundle identifier\r\nCurrent device’s name and type\r\nCurrent system’s language and country\r\nCurrent device’s UUID\r\nNetwork type\r\nFigure 4. Collecting system and app information\r\nXcodeGhost then encrypts the information and uploads it to a C2 server over HTTP. Across different versions of XcodeGhost, we found three C2 domain names:\r\nhttp://init.crash-analytics[.]com\r\nhttp://init.icloud-diagnostics[.]com\r\nhttp://init.icloud-analysis[.]com\r\nFigure 5. Uploading stolen information to C2 server\r\nNote that the domain name “icloud-analysis.com” was also used by a sample of the iOS trojan KeyRaider that we recently found.\r\nMalware In the App Store\r\nAccording to JoeyBlue on Sina Weibo, at least two well-known apps were infected by XcodeGhost and successfully landed in the App Store. We have confirmed both.\r\nWe downloaded the NetEase Cloud Music app (com.netease.cloudmusic) from Apple’s App Store (China region). In its latest version (2.8.3), Info.plist shows that it was built with Xcode 6.4 (6E35b). 
In the main executable file, the malicious XcodeGhost code is present (Figure 7 and Figure 8).\r\nFigure 6. Infected NetEase App in the Apple App Store\r\nFigure 7. XcodeGhost Present in the Infected NetEase App\r\nFigure 8. Decompiled XcodeGhost Functions in the NetEase App\r\nSecurity Risks\r\nCompiler malware is not a new idea. Starting with the first proof-of-concept written by Ken Thompson 31 years ago, real compiler malware has been discovered on many platforms. Compared with other iOS malware, XcodeGhost’s behaviors are not especially significant or harmful, which is why the code can pass App Store code review.\r\nHowever, XcodeGhost has revealed a very easy way to Trojanize apps built with Xcode. In fact, attackers do not need to trick developers into downloading untrusted Xcode packages; they can write OS X malware that directly drops a malicious object file into the Xcode directory without any special permissions.\r\nAdditionally, although Apple’s code review for App Store submissions is very strict, some applications are never reviewed by Apple. If an iOS app is used internally by an enterprise, for example, it is distributed in-house and does not go through the App Store. Likewise, an OS X app can also be infected, and many OS X apps are distributed directly over the Internet rather than through the App Store.\r\nIn these situations, Xcode compiler malware can be much more aggressive and risky.\r\nIt is difficult for iOS users or developers to be aware of this malware (or similar attacks) because it is deeply hidden and bypasses App Store code review. 
Because of these characteristics, Apple developers should always use Xcode downloaded directly from Apple, and regularly check the code signing integrity of their installed Xcode to detect modification by other OS X malware.\r\nAppendix\r\nXcodeGhost file hashes (SHA-256)\r\n89c912d47165a3167611cebf74249f981a4490d9cdb842eccc6771ee4a97e07c  CoreServices\r\nb1f567afbf02b6993a1ee96bfdb9c54010a1ad732ab53e5149dda278dd06c979  CoreServices\r\nf5a63c059e91f091d3f1e5d953d95d2f287ab6894552153f1cf8714a5a5bed2d  CoreServices\r\n2fde065892a8f1c9f498e6d21f421dbc653888f4102f91fc0fa314689d25c055  Xcode_6.2.dmg\r\nc741af30aef915baa605856a5f662668fba1ae94a8f52faf957b8a52c8b23614  Xcode_6.4.dmg\r\nSource: http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/"
	],
	"report_names": [
		"novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store"
	],
	"threat_actors": [
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439002,
	"ts_updated_at": 1775826784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1e9ab55ac020a1bfba326f8121797abe1b4d5f74.pdf",
		"text": "https://archive.orkl.eu/1e9ab55ac020a1bfba326f8121797abe1b4d5f74.txt",
		"img": "https://archive.orkl.eu/1e9ab55ac020a1bfba326f8121797abe1b4d5f74.jpg"
	}
}