Malware in Developer Tools: Wolf in Sheep’s Clothing?

Malware in developer tools is an insidious threat. Imagine having to cook with contaminated ingredients. How would you like worm-infested potatoes and meat infected with tapeworm, and still claim to have cooked a healthy meal?

Mapping the analogy to app development, how safe would it be if the very tools we use for building apps and other software were themselves corrupted with malware? Until now, we have assumed that hackers and cyber terrorists are at their wit's end trying to infiltrate existing apps with their ingenuity and guile. That scenario may become a thing of the past if they can simply plant their malicious code in the developer tools themselves.

The narrow escape with Xcode

To the uninitiated, Xcode is an integrated development environment, a suite of tools created by Apple for developers to build software for iPhone, iPad, Mac and Apple Watch. Rumors broke out on China's social network Sina Weibo that a malicious version of Xcode called XcodeGhost was circulating, which allowed hackers to place malicious apps on Apple's App Store while bypassing Apple's code review process. The terrible news was that the malware could affect normal as well as jailbroken Apple devices.

XcodeGhost could read sensitive information on devices and upload it to the hackers. An infected phone could become a target of phishing, be exploited through vulnerabilities in iOS, and have its clipboard read to harvest passwords, which could spell doom for the user. Close to 4000 iOS apps were infected, including WeChat, NetEase Cloud Music, WinZip, Didi Chuxing, Railway 12306, China Unicom Mobile Office, Tonghuashun and even Angry Birds 2. For its part, Apple purged suspicious apps from its store.

The denial of service attacks on GitHub

Code-hosting website GitHub reported massive denial of service attacks on its site. The website has suffered two such DDoS attacks this year. The attack was traced to a Chinese firewall which injected JavaScript code that overwhelmed the website and caused it to crash. Moreover, numerous GitHub accounts were compromised in 2013, which led the website to impose stricter scrutiny on password strength.

The lurking snoop troops

It was alleged that the Central Intelligence Agency (CIA) tried to corrupt Xcode as part of its sinister designs to breach the security and privacy of multiple Apple devices. However, it is unclear how the intelligence behemoth wanted to use the data. Naturally, the CIA declined to comment on the issue.

Such incidents make us shudder about our privacy and the darker side of the smartphone revolution. Smartphones in today's world are indispensable, and we have an enormous amount of data and transactions reliant on them. User discretion is advised when downloading apps and, needless to say, it is best to install only those applications that serve a genuine purpose.

Applications accessed through computers or mobile devices are the easiest points of entry into your enterprise network. Once a machine is compromised, it is only a matter of time before your entire data center is taken over.

With attacks on mobile devices growing exponentially compared to their adoption rate by enterprises, it is of the highest importance for enterprises to ensure that their device access policies and protection mechanisms are top of the line. Aleph Tav Technologies has been offering preemptive threat monitoring, detection and analysis for developers.

  • Integrating seamlessly into the SDLC and DevOps strategies, the 24/7 threat protection suite guarantees advance risk mitigation guidance for your applications, helping you rectify vulnerabilities well before an intruder finds them.
  • Keeping processes simple and streamlined, we create secure development environments without wasteful spending or disruption of production schedules.

Get in touch for a PoC.
