{
	"id": "67c1482d-5614-43f4-9dd8-d80a9a1689a8",
	"created_at": "2026-04-06T03:35:32.526879Z",
	"updated_at": "2026-04-10T03:30:32.833621Z",
	"deleted_at": null,
	"sha1_hash": "6c9d98012baf8328cf319d7547df2ce03378ab9b",
	"title": "Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 449642,
	"plain_text": "Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps\r\nBy Claud Xiao\r\nPublished: 2015-09-18 · Archived: 2026-04-06 03:32:32 UTC\r\nOn Thursday we posted the initial analysis report on XcodeGhost malware and then found it had infected 39 iOS apps, potentially impacting hundreds of millions of users. XcodeGhost embedded malicious code into those infected iOS apps. In the first report, we noted that the malicious code uploads device information and app information to its command and control (C2) server. But that isn’t all it does.\r\nToday, inspired by a post by “@Saic” on Sina Weibo, we analyzed the malicious code in more detail and found additional capabilities in the malware. In summary, the malicious code that XcodeGhost embedded into infected iOS apps is capable of receiving commands from the attacker through the C2 server to perform the following actions:\r\nPrompt a fake alert dialog to phish user credentials;\r\nHijack the opening of specific URLs based on their scheme, which could allow for exploitation of vulnerabilities in the iOS system or other iOS apps;\r\nRead and write data in the user’s clipboard, which could be used to read the user’s password if that password is copied from a password management tool.\r\n(UPDATE September 21: In the current version of the code, XcodeGhost cannot be directly used to phish iCloud passwords. However, by changing a few simple lines of code, it can do that.)\r\nBased on this information, we believe XcodeGhost is a very harmful and dangerous malware that has bypassed Apple’s code review and made unprecedented attacks on the iOS ecosystem. The techniques used in this attack could be adopted by criminal and espionage focused groups to gain access to iOS devices.\r\nTechnical Details\r\nXcodeGhost added code to some system APIs that are used by the infected apps. 
After the malware sends device and app information to its C2 servers, XcodeGhost will decrypt the content returned by the server and parse it as a piece of JSON formatted data.\r\nhttp://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/\r\nPage 1 of 4\r\nFigure 1. XcodeGhost decrypts response JSON data\r\nIn the JSON data, XcodeGhost will look for these keys:\r\nalertHeader\r\nalertBody\r\nappID\r\ncancelTitle\r\nconfirmTitle\r\nThe malware uses the specified title and body texts to create a fake alert dialog box. Using this technique, XcodeGhost can be used to “phish” information from the user, or trick them into inputting sensitive data. For example, it can create a dialog that asks the victim to input their password. Since the dialog is a prompt from the running application, the victim may trust it and input a password without suspecting foul play.\r\nFigure 2. XcodeGhost prompts an alert dialog with specific title and message text\r\nIf the returned JSON data from the server contains the key “url”, XcodeGhost will open the URL specified.\r\nFigure 3. XcodeGhost opens remotely specified URL\r\nNote that the specified URL is not limited to HTTP or FTP URLs; it can use any scheme that the local iOS system can handle (e.g. itunes:// or twitter://). The URL scheme is one of the main inter-app communication mechanisms in iOS. Any iOS app, including system apps, can define any scheme it can handle. Multiple previous vulnerabilities in iOS and various iOS apps have been caused by scheme handling flaws that can be exploited by opening specific URLs. 
These vulnerabilities must be exploited locally by a malicious app, which led many people to not treat them as seriously, since iOS malware is uncommon. XcodeGhost has broken this assumption by infecting many popular iOS apps that are widely used.\r\nFinally, XcodeGhost will also use the clipboard functionality provided by iOS to temporarily store some data it needs. In fact, every time an infected app is launched, XcodeGhost will retrieve persistently stored data from the clipboard using a pasteboard named by the app’s bundle ID and a fixed string “UIPasteBoard”, then store new data inside it. Although this behavior is not harmful to users, a slight code change would allow the same technique to steal passwords from password management apps such as 1Password.\r\nWhen people use apps like 1Password to manage their passwords in iOS, they often open 1Password, copy the stored password to the system clipboard, then open the app they want to use and paste the password into the login window. At this moment, a malicious app can directly read the password from the system clipboard. 1Password’s main security design for this situation is that the password stored in the clipboard will only stay there for a very short time. However, since the malware can read it when the app launches, the attack can be successful.\r\nAttack in the Wild\r\nEarlier today on a popular Chinese forum V2EX, a user “realpg” mentioned his experience when developing iOS apps using the malicious Xcode package. 
His write-up disclosed that XcodeGhost’s attacker has used the malware to phish victims’ iCloud passwords.\r\nIn the discussion, “realpg” said that when they were developing a very simple iOS app that had no Internet functionality and didn’t use any iCloud APIs, the app would frequently display a dialog asking the developer to input his iCloud password. They tested the app on their special testing iPhone without jailbreak. Then they tried to capture the network traffic and found exactly the same C2 domain name used by XcodeGhost infected apps.\r\nBased on “realpg”’s account of the events, we believe that stealing passwords or potentially exploiting vulnerabilities in iOS and in legitimate applications may be the true purpose of XcodeGhost.\r\nAcknowledgement\r\nThanks to Luyi Xing from Indiana University for providing knowledge about password management tools. Also, many thanks to @Saic on Sina Weibo for identifying potential behaviors in XcodeGhost.\r\nSource: http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/"
	],
	"report_names": [
		"update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775446532,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6c9d98012baf8328cf319d7547df2ce03378ab9b.pdf",
		"text": "https://archive.orkl.eu/6c9d98012baf8328cf319d7547df2ce03378ab9b.txt",
		"img": "https://archive.orkl.eu/6c9d98012baf8328cf319d7547df2ce03378ab9b.jpg"
	}
}