Android Malware Hummingbad Infects Millions of Devices

Millions of Android devices (about 10 million, to be more exact) are infected by Hummingbad, a piece of malware that gains root access, installs malicious apps, and dupes users and ad networks in an elaborate fraud campaign. This is what researchers from Check Point discovered after a five-month study. While ad networks are currently the main victims, the level of sophistication of these attacks could potentially threaten a great many businesses.


Infection and attack

Hummingbad primarily uses a drive-by download attack to infect devices. That means your device can get infected simply by visiting one of the attackers’ malicious websites, even if you don’t intentionally download anything.

The attack consists of two main components:

  1. One that utilizes a rootkit designed to exploit a wide selection of vulnerabilities in order to ultimately gain access to the system.
  2. One that is called into play if the first component fails. This one displays a fake system update notification in order to deceive the user into granting the malware access to the system.

Even if Hummingbad fails to gain system-level access, it is still able to download several malicious apps. These apps display ad banners and force users to click on them. Because the ads actually belong to legitimate ad networks such as Mobvista and Cheetah, the attackers are able to collect their share of the ad revenue from those clicks. It’s believed that the attackers earn about $300,000 per month from this exercise alone.


How Hummingbad can affect your business

The fact that Hummingbad can gain root access and install other malicious apps makes it a serious threat to enterprises. With almost everyone bringing smartphones and/or tablets to work, either unofficially or through a BYOD (Bring Your Own Device) program, it’s likely that there is work-related data on their devices.

With the level of access Hummingbad is capable of acquiring, it’s not a stretch to imagine the malware operators, or even copycats, eventually introducing features for exfiltrating sensitive information stored on the victim’s device. The stolen data could then be sold to fraudsters and identity thieves.

Attackers may also sell access to infected devices, in the same way that server login credentials were sold at the online marketplace xDedic. Other possibilities include herding these compromised devices (we’re talking millions) into botnets, or using some of them to carry out targeted attacks on people in sensitive positions (e.g. system admins or C-level executives).

Any of these attacks can cause considerable harm to your organization.

While most of the victims are located in Asia, Android users in the United States haven’t been spared completely, with about 286,800 victims in the US.


Upgrading to the latest version mitigates the risk of infection

According to the study, 90% of all infected devices were running either Jelly Bean (40%) or KitKat (50%). These are old Android versions, first released in July 2012 and October 2013 respectively. By comparison, only 1% of the infected devices were running Marshmallow, the latest version.

This underlines the importance of upgrading to the latest version. Upgrades may include security updates that patch known vulnerabilities. Such updates are especially critical on devices running Android, where vulnerabilities abound. Early this month alone (July 2016), Google released its largest ever security update for Android; that single update addressed an astounding 108 vulnerabilities.

For more information about this malware and how to avoid getting infected, contact us now.

Your Server Could be for Sale – For Only $6


What can hackers do to a server once they’ve broken into it? A lot. Some install malware and make it part of a botnet. Others steal valuable data stored within. Still others, like those mentioned in this post, sell login credentials at shady marketplaces in the Dark Web.

Thousands of servers for sale

Earlier this month, researchers at Kaspersky revealed yet another alarming discovery in the field of cybercrime. Login credentials to over 70,000 hacked servers were being sold at an online marketplace known as xDedic. Like many underground online marketplaces where tech-savvy crooks trade illicit goods, xDedic can only be reached through the Dark Web.

Apparently, hacked servers are very affordable: prices were found to go as low as 6 USD. Most of the servers were located in Brazil, China, Russia, India, Spain, Italy, France, Australia, the Republic of South Africa, and Malaysia.

Launched in 2014, xDedic gained its reputation as a leading source of compromised server login credentials when 3,000 servers were added to its inventory sometime in 2015. Business has boomed since then.


Tools of the trade

xDedic does not only provide a platform for buying and selling hacked servers. It also offers both buyers and sellers tools for finding servers that suit their specific objectives, and for carrying out remote administration via RDP.

One example is a tool used by sellers to scan a hacked system and collect relevant information such as the Windows version, amount of RAM, type of CPU, whether ports 25 and 80 are open, the type of VM used, the antivirus installed, upload/download speeds, and so on. The same profiling tool is used to search for an RDP service on the server and then to patch it if one is found.

The patch modifies the RDP settings to allow multiple concurrent user logins, so that a buyer can access the server without alerting the server’s legitimate administrator. The buyer can then access the hacked server through xDedic’s own RDP client.


What can buyers do with a hacked server?

A hacked server can open up a lot of opportunities to a buyer, especially one who operates in the cybercrime industry. Because most of these servers have not yet been blacklisted by blacklisting engines and web reputation sites, they’re perfect for a variety of cyber attacks, including ransomware, malvertising, DDoS, phishing, and many others.

Of course, if a server also happens to store, or provide access to storage systems that contain, sensitive data, a buyer who specializes in identity theft could have a field day.

The Kaspersky researchers observed a marked interest in servers containing accounting, tax reporting and point-of-sale (POS) applications. Apparently, buyers need these applications for carrying out fraudulent operations: by making use of existing software, attackers avoid arousing attention.


What countermeasures can help?

Servers that end up on xDedic acquire certain characteristics that can help cybersecurity specialists determine whether a server has been hacked. For instance, the profiling tool mentioned earlier, which is installed on a server after it has been compromised (usually through brute-force attacks), communicates with certain command-and-control locations.

In addition, the hacked servers have been found to be infected with other pieces of software as well, including a certain Trojan, bitcoin mining software, a wrapper for a proxy tool, and perhaps others. For more details about xDedic and these malicious tools, refer to the Kaspersky report on the subject.

Of course, prevention is always preferable to treatment. Once you’ve determined that your servers are safe, you should carry out server hardening to prevent future compromises.

Need help in determining whether your servers have been compromised? Contact us now for a free Harbinger network risk assessment.

The Secrets Behind Ransomware’s Surging Notoriety


Ransomware, and the interest around it, is surging. A quick look at Google Trends over time gives an astounding visual representation of the growing interest…


The first ever malware that could be classified as ransomware emerged way back in 1989. Known as the AIDS Trojan, that particular piece of malware hid directories and encrypted filenames, rendering its victim’s computer unusable (just like today’s CryptoLocker, Locky, Teslacrypt, Cryptowall, and CTB-Locker). To regain control of their PCs, victims had to send money to a post office box.

As the graph above shows, ransomware has never before achieved the level of notoriety that it enjoys today. So why are we seeing this growth now?

In this post, we take a closer look at the key drivers fuelling this rapid ascent to infamy. But first, let’s briefly discuss what ransomware is.


What is ransomware?

Ransomware is a piece of malware that, as its name implies, involves ransom money. Once installed on your computer, it holds digital assets (in most cases, files) captive and prevents you from retrieving or viewing them. Just like a typical kidnap-for-ransom criminal, it then issues an ultimatum: either you pay a ransom or your files go kaput.

This malware usually blocks access to files by locking the screen or encrypting the files themselves. To regain access, you need to pay. Ransom payment is typically made in bitcoins or through other electronic payment methods like Ukash, Paysafecard, or MoneyPak. Most systems get infected with ransomware when their users inadvertently download trojans through phishing emails or malicious websites.

Some ransomware can infect entire establishments, which is what happened to a large hospital in Hollywood. The entire network of the Hollywood Presbyterian Medical Center was locked down by ransomware whose controllers demanded payment in exchange for the “freedom” of the locked patient files.

So why is ransomware fast becoming so popular?


Technology has arrived

Back in 1989 (as the AIDS Trojan illustrates), the idea of ransomware was clearly ahead of its time. It spread through floppy disks and encrypted files with symmetric encryption. Floppy disks had to be distributed by hand (literally), while symmetric encryption suffered from the necessity of having the decryption key accompany the trojan files themselves.

Today, the trojans that carry ransomware payloads spread much faster through the Internet and other connected networks. Encryption is now asymmetric as well, which allows the attacker to tuck the decryption key away in a safe location.

Last but not least, payment can now be made without the hassle of depositing money at a physical location. Electronic methods like bitcoins and Ukash allow the ransom to be delivered in just a few clicks.

There’s also a psychological aspect to it.


Instant pain = instant gratification

For the victims, the impact of a ransomware infection is felt instantly: they can no longer use their computer or access important files. These effects differ from those of a data breach, where the potential legal repercussions and damage to reputation are known but are not felt immediately.

What’s more, the solution to the problem is clear and easily achieved. To get out of their predicament, victims simply have to pay. If they can afford it, many of them will pay. This reaction of course plays into the hands of the crooks responsible for these attacks because it makes these operations highly lucrative.


$$$RANSOM$$$ = funding for R&D

So it becomes a vicious cycle. The more victims pay, the faster these cybercrime syndicates get their ROI. The crooks then have enough to invest in research and development. That’s why ransomware families like CryptXXX keep getting updated and acquiring additional malicious functions.


Countering ransomware

Ransomware infection can be prevented through a combination of proper education and the right malware detection and prevention solutions. For example, users must be trained to identify suspicious email attachments and to know whom to contact when one is encountered. In conjunction with that, your network must be secured by advanced anti-malware solutions capable of detecting malicious activity.

Vulnerabilities in ImageMagick Library



A large majority of the applications running on the Web today rely on free, open-source libraries. These pieces of software are responsible for many of the features we take for granted. While such libraries enable developers to build web applications quickly, they can also be problematic.

When these libraries have vulnerabilities, all the servers that depend on their code become sitting ducks until a patch is made available. That’s what’s happening now with ImageMagick, which has been found to have multiple vulnerabilities.


What is ImageMagick?

ImageMagick is a widely used library that enables applications to manipulate images in bulk. It supports a wide range of image formats (at least 200), including PNG, JPEG, BMP, CGM, ICO, and many others. Through this library, applications can, for instance:

  • Convert images from one format to another;
  • Create thumbnails of uploaded images;
  • Reduce the number of colors in an image through color quantization or posterization;
  • Carry out dithering;
  • Resize, rotate, flip, and crop images; or
  • Generate animated GIFs out of a series of images

These are just the basics. It can also perform discrete Fourier transformations, morphology, pixel distortions, color management, and many other complex image-manipulation tasks.


Where is it used?

Because of its versatility, several major programming languages have implemented bindings for the ImageMagick library. For example, Java has JMagick, C++ has Magick++, Python has PythonMagick, PHP has IMagick, and so on.

Consequently, it has become ubiquitous and is usually the underlying code responsible for image-manipulation features in:

  • Content management systems like WordPress and Drupal (which means that over half of the blogs out there rely on it for image processing);
  • Social media sites;
  • Forums (e.g. phpBB); and
  • Wikis

Possible exploits

There are currently a handful of known vulnerabilities in ImageMagick, but the two most alarming are CVE-2016-3717, which allows remote attackers to read arbitrary files via a crafted image, and CVE-2016-3714, which allows remote attackers to execute arbitrary code via a crafted image.

The latter, now dubbed ImageTragick, is the more serious of the two. In layman’s terms, once successfully exploited, that vulnerability allows attackers to remotely control a compromised web server. The attackers could, for instance, gain access to all system files, spread malware, steal sensitive information, or cut the entire system off from the network. In other words, they would be able to do practically anything they want on a compromised system.

Early this month, a bug bounty hunter discovered the CVE-2016-3714 vulnerability on one of Yahoo’s domains and was awarded a $2,000 bounty for it. If this security flaw managed to go unnoticed at one of the largest Internet companies in the world, how do smaller organizations fare?

When the vulnerability was first discovered, security researchers already believed that it had leaked to other individuals. And because the exploit is rather basic, the number of threat actors was expected to multiply quickly.

The ImageMagick developers have released multiple patches; the onus is now on admins and security teams to make sure their systems are up to date.
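Until every host is patched, the usual stop-gap is to deny the risky coders in ImageMagick’s policy.xml. The checker below is an added example (not code from the ImageMagick project or from the ImageTragick researchers) that parses a policy file and reports which of those coders, and the “@file” path indirection behind the file-read issue, are still permitted; both policy fragments are constructed for the illustration, and the list of coders to deny follows the published mitigation advice.

```python
"""Audit an ImageMagick policy.xml for the ImageTragick stop-gap rules."""
import fnmatch
import xml.etree.ElementTree as ET

# Coders the ImageTragick mitigation advice recommended denying until a
# patched build is installed (the CVE-2016-3714 family).
RISKY_CODERS = ["EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT"]

# Path rule that stops "@/etc/passwd"-style filename indirection, the
# mechanism behind the arbitrary file read (CVE-2016-3717).
INDIRECT_PATH = "@*"

# Constructed policy fragments. WEAK_POLICY only sets resource limits, which is
# what many installs shipped with; HARDENED_POLICY adds the deny rules.
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
</policymap>
"""

HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
  <policy domain="coder" rights="none" pattern="TEXT"/>
  <policy domain="coder" rights="none" pattern="SHOW"/>
  <policy domain="coder" rights="none" pattern="WIN"/>
  <policy domain="coder" rights="none" pattern="PLT"/>
  <policy domain="path" rights="none" pattern="@*"/>
</policymap>
"""


def denied_patterns(policy_xml, domain):
    """Return the patterns in one policy domain whose rights are set to none."""
    root = ET.fromstring(policy_xml)
    return [
        p.get("pattern", "")
        for p in root.iter("policy")
        if p.get("domain") == domain and p.get("rights", "").lower() == "none"
    ]


def is_denied(name, deny_patterns):
    """policy.xml patterns are glob expressions, so a single "*" denies everything."""
    return any(fnmatch.fnmatchcase(name, pat) for pat in deny_patterns)


def policy_gaps(policy_xml):
    """Report which risky coders remain usable and whether "@file" paths are still allowed."""
    coder_denies = denied_patterns(policy_xml, "coder")
    path_denies = denied_patterns(policy_xml, "path")
    return {
        "allowed_coders": [c for c in RISKY_CODERS if not is_denied(c, coder_denies)],
        "indirect_paths_allowed": not is_denied(INDIRECT_PATH, path_denies),
    }


def check_policy_file(path):
    """Convenience wrapper for a policy.xml on disk (e.g. /etc/ImageMagick-6/policy.xml)."""
    with open(path, encoding="utf-8") as f:
        return policy_gaps(f.read())


if __name__ == "__main__":
    for label, text in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, policy_gaps(text))
```

The policy file only limits which coders ImageMagick will run; it does not replace installing the patched release, and uploads should still be checked for the expected magic bytes before being handed to the library.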

BillGates – The Botnet That Spares Windows Machines

Gone are the days when Linux machines had a reputation for being immune to malware. Today, Linux systems, like their Windows counterparts, can be ensnared into botnets that launch highly disruptive DDoS attacks. One such botnet family has been gaining considerable attention of late, largely because of its name: BillGates.

Much to the chagrin of Linux zealots, the BillGates malware is designed to infect only Linux machines. BillGates, which is based on the Elknot malware’s source code, is believed to be aimed at the same targets as XOR DDoS, a trojan that gained notoriety in 2015 but was eventually subject to a takedown by the authorities.

Like XOR DDoS, BillGates infects Linux systems and then allows attackers to control the infected machines through one or more C2 (command-and-control) servers. In most cases, the zombie computers are directed to conduct DDoS attacks. The toolkit supports a variety of attack vectors, including ICMP flood, TCP flood, UDP flood, SYN flood, HTTP flood (Layer 7), and DNS query-of-reflection flood.


How BillGates infects and attacks

Unlike most botnet malware, BillGates doesn’t use phishing to infect. Instead, its operators carry out brute-force attacks on Linux SSH services in order to acquire root login credentials. Once they have the passwords and have gained access, they execute a bash script that downloads and runs the malware on the compromised machine.

As soon as the malware is installed, it performs a handful of functions that include the following:

  • Establishes persistence mechanisms, to ensure that it stays on the host for as long as it needs to;
  • Replaces system tools with corrupted versions. BillGates replaces tools like /bin/netstat, /bin/lsof, /bin/ps, and others that may be used for checking the integrity of the system. If, for example, /bin/ps is replaced, you won’t be able to view the actual processes running on your system;
  • Checks its own health and integrity. If it discovers that something’s amiss, BillGates re-executes the main program and re-infects the host;
  • Contacts its C2 and executes commands. Once everything is in place, the malware communicates with its C2 server, receives commands, and executes them; the commands range from launching DDoS attacks to executing shell commands.

Like many nefarious kits these days, BillGates comes with a “builder” which allows just about anyone to create their own version of the malware. Thus, several botnets running their own variations of BillGates could be attacking their own separate targets around the globe as we speak.

More details can be found in Akamai’s threat advisory.
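Because the malware swaps out the very tools an administrator would use to inspect the host, the checks have to come from outside those tools. The script below is an added example (not from the Akamai advisory or from the malware) with two such checks: it hashes the tools the post names (/bin/netstat, /bin/lsof, /bin/ps) against a baseline taken while the host was believed clean, and it compares the process IDs listed in /proc with what ps reports, since a replaced ps hides processes that /proc still exposes. The demo runs on constructed stand-in files rather than the real binaries.

```python
"""Integrity checks aimed at the tool replacement BillGates performs."""
import hashlib
import os
import subprocess
import tempfile

# Tools the post says BillGates replaces with corrupted versions.
CRITICAL_TOOLS = ["/bin/netstat", "/bin/lsof", "/bin/ps"]


def sha256_of(path):
    """Hex SHA-256 of a file, or None if it does not exist."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths=CRITICAL_TOOLS):
    """Record the current hash of each tool on a host believed to be clean.
    Keep the result off-host: a baseline stored on the machine itself can be
    rewritten by the same malware that replaced the tools."""
    return {p: sha256_of(p) for p in paths}


def check_baseline(baseline):
    """Compare current hashes with the baseline.
    Returns path -> 'unchanged' | 'modified' | 'missing' | 'new'."""
    report = {}
    for path, expected in baseline.items():
        current = sha256_of(path)
        if current == expected:
            report[path] = "unchanged"
        elif current is None:
            report[path] = "missing"
        elif expected is None:
            report[path] = "new"
        else:
            report[path] = "modified"
    return report


def hidden_pids():
    """PIDs present in /proc but absent from `ps -e`, a symptom of a replaced ps.
    Returns None when /proc or ps is unavailable (non-Linux host)."""
    if not os.path.isdir("/proc"):
        return None
    try:
        out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    from_ps = {int(x) for x in out.split()}
    from_proc = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    # Processes may start or exit between the two snapshots, so re-check any
    # hit a second time before treating it as hidden.
    return from_proc - from_ps


def demo():
    """Self-contained run on constructed files standing in for the real tools."""
    with tempfile.TemporaryDirectory() as tmp:
        fake_tools = [os.path.join(tmp, name) for name in ("netstat", "lsof", "ps")]
        for p in fake_tools:
            with open(p, "wb") as f:
                f.write(b"original contents of " + os.path.basename(p).encode())
        baseline = build_baseline(fake_tools)
        # Simulate the infection: ps replaced by a modified copy, lsof deleted.
        with open(fake_tools[2], "wb") as f:
            f.write(b"trojanised ps")
        os.remove(fake_tools[1])
        report = check_baseline(baseline)
        return {os.path.basename(p): status for p, status in report.items()}


if __name__ == "__main__":
    print(demo())
    print("hidden pids:", hidden_pids())
```

On a real host, run the hash check from a read-only boot medium or from a remote system that pulls the files over SSH, because a Python interpreter and sha256 library on the infected machine are only as trustworthy as the rest of it.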


Countering botnets

Because botnets pose such a serious threat to business, it’s important to prevent, detect, and act on botnet infections. We can help you in that regard. Our deep understanding of botnets has enabled us to assist businesses in countering some of the deadliest botnets ever. Please visit us online for more details and to register for a free online session.

Stack Buffer Overflows – Old Exploits Never Die

Buffer overflows remain one of the most highly exploitable vulnerabilities on the Internet. Just last month (February 2016), researchers from Red Hat and Google discovered a bug in the GNU C Library (glibc) that left machines running the glibc package vulnerable to stack-based buffer overflow exploits.

The glibc package is found in many Linux distributions, including those running on servers as well as on some routers and other network devices, so the potential scope of impact is extensive. Fortunately, a fix has already been released, and hopefully the majority of affected machines have been patched by now. Nevertheless, buffer overflows continue to be a threat to information security.


Shadow Puppets – Domain Shadowing 101

Earlier this year (2016), WordPress sites were hit by a massive malvertising campaign that employed an evasion technique known as domain shadowing. Domain shadowing is becoming increasingly popular among cybercriminals who use exploit kits, because of its superior ability to avoid detection. In this post, we explain what domain shadowing is, how it’s employed, why it’s so effective, and some of the ways to counter it.

What is domain shadowing?

Domain shadowing refers to the cybercriminal practice of infiltrating multiple domain registrant accounts in order to spawn numerous subdomains for malicious purposes.

Cybercriminals acquire login credentials to these registrant accounts through methods like phishing and keylogging. Once they’ve gained access, they create a large number of subdomains. These subdomains then allow the crooks to carry out attacks from behind perfectly legitimate domains, which makes the attacks hard both to detect and to counter.

In the exploit kit campaign discovered by Cisco’s Talos Group during their initial encounters with domain shadowing, the hijacked subdomains were set up in two layers. The first layer of subdomains, mostly third-level subdomains (e.g., received traffic from the malicious ads served on legitimate web pages and then redirected the traffic to the second layer.

This second group of subdomains, now mostly fourth-level subdomains (e.g., in turn hosted the exploit kit landing pages. The exploit kit then scanned the victim’s system for vulnerabilities and infected it with malware that would in turn set the system up for more nefarious acts. This group contains far more subdomains than the first, and they are rotated rapidly.

Why domain shadowing is so effective

One of the reasons why this technique is so effective is that registrant accounts are rarely checked. Perhaps the only times they’re ever opened are when they’re created, i.e. when the owner registers his/her first domain, and when the owner adds new domains.

Thus, these accounts are only accessed by their real owners about once or twice a year. This gives the attackers ample time to create illegitimate subdomains without getting noticed.

Another reason is that when the subdomains are finally called into play in an attack, they are rotated rapidly. In fact, each subdomain may not stay active for more than an hour, depriving security teams of the time needed to gather enough information and come up with any meaningful analysis of the attack.

Thirdly, domain shadowing is immune to many of the countermeasures in use today. For instance, domain reputation systems, which assign scores to known domains and block or allow traffic based on those scores, have limitations when used against domain shadowing. If the malicious subdomains are built off of reputable domains like say, they can easily slip through.

Some people have suggested that, since the fourth-level subdomains used in domain shadowing are usually made up of random alphanumeric characters, this kind of subdomain could be used as a basis for raising red flags. Unfortunately, several cloud-based services also use such random naming conventions for the subdomains they generate, so using this characteristic as a filter can cause problems with false positives.

Clearly, any effective way of countering domain shadowing requires a combination of several approaches. First of all, domain registrants’ accounts must be secured: strong authentication, preferably 2FA, must be required to access these accounts so that they cannot easily be compromised. Reputation-based systems can also help in detecting malicious subdomains but, as stated earlier, must not be the only method.
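The traits the post describes, deep subdomains hanging off a reputable registered domain and rotated within the hour, are observable in resolver or proxy logs, and together they separate shadowed subdomains from the random-looking but long-lived names cloud services generate. The script below is an added example (not from the Talos research) that applies that heuristic to a constructed log; the log format, the cut-offs (fourth level or deeper, under one hour, three or more names) and the naive “last two labels” notion of a registered domain are all assumptions for the illustration.

```python
"""Flag registered domains that sprout many short-lived deep subdomains."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: "<ISO timestamp> <queried name>". example-shop.com plays
# the hijacked registrant account (two-layer setup: a1/b2 redirect, random fourth
# level landing pages). cdn-provider.example stands in for a legitimate cloud
# service whose deep labels also look random but stay in use for days.
SAMPLE_LOG = """\
2016-03-01T09:00:00 www.example-shop.com
2016-03-01T09:10:00 k3j5h2.eu-west.cdn-provider.example
2016-03-01T10:00:05 a1.example-shop.com
2016-03-01T10:02:10 x7k2pq.a1.example-shop.com
2016-03-01T10:20:44 m9zd1w.a1.example-shop.com
2016-03-01T10:41:02 q0b3nr.a1.example-shop.com
2016-03-01T11:05:19 t5y8vc.b2.example-shop.com
2016-03-01T11:15:00 zz3e9a.b2.example-shop.com
2016-03-01T11:30:27 h4r6lp.b2.example-shop.com
2016-03-02T14:00:00 k3j5h2.eu-west.cdn-provider.example
2016-03-03T08:30:00 k3j5h2.eu-west.cdn-provider.example
2016-03-03T08:31:00 p8w1qz.eu-west.cdn-provider.example
2016-03-05T12:00:00 p8w1qz.eu-west.cdn-provider.example
"""


def parse_log(text):
    """Turn the log text into (timestamp, lower-cased fqdn) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, name = line.split()
        records.append((datetime.fromisoformat(ts), name.lower().rstrip(".")))
    return records


def registered_domain(name):
    """Assumption: the registrant's domain is the last two labels. A real
    deployment must consult the public suffix list (co.uk and friends)."""
    return ".".join(name.split(".")[-2:])


def shadowing_candidates(records, min_depth=4, max_lifetime=timedelta(hours=1), min_names=3):
    """Registered domains with >= min_names distinct deep subdomains that were
    each seen for no longer than max_lifetime. Label randomness is deliberately
    not used on its own, to avoid flagging cloud-generated hostnames."""
    lifetimes = defaultdict(dict)  # registered domain -> fqdn -> [first_seen, last_seen]
    for ts, name in records:
        if len(name.split(".")) < min_depth:
            continue  # the redirect layer is third level; landing pages sit deeper
        window = lifetimes[registered_domain(name)].setdefault(name, [ts, ts])
        window[0] = min(window[0], ts)
        window[1] = max(window[1], ts)
    flagged = {}
    for reg, names in lifetimes.items():
        short_lived = sorted(n for n, (first, last) in names.items()
                             if last - first <= max_lifetime)
        if len(short_lived) >= min_names:
            flagged[reg] = short_lived
    return flagged


def analyse(text=SAMPLE_LOG):
    """Parse and score one log; returns {registered domain: [suspect fqdns]}."""
    return shadowing_candidates(parse_log(text))


if __name__ == "__main__":
    for reg, names in analyse().items():
        print(f"{reg}: {len(names)} short-lived deep subdomains, e.g. {names[0]}")
```

A hit should trigger a look at the registrant account (recent logins, new zone records) rather than an automatic block, since the parent domain is, by construction, a legitimate one.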

Defence Intelligence solutions can help you prevent, detect or counter domain shadowing. To learn how, contact us today.

Google’s Latest Safe Browsing Update: The End of Fake Download Buttons?

You’ve probably browsed pages – some on well-known high traffic sites – that are full of ads with fake download buttons that took you further away from what you were actually searching for, to dark corners of the internet you’d never willingly visit and software you regret downloading. The real intent of these deceptive ads? Malware. Although they’ve been around for quite a while, they are becoming more prevalent. Some don’t even require a click to pass on an infection.

Here are some examples you probably recognize:

[images: three examples of fake download-button ads]

Good news for those of you who may not recognize these deceptive ads: Google’s Safe Browsing update aims to minimize your exposure to them. Recently, Google announced a new Chrome feature, part of its Safe Browsing update, that warns users when they are about to visit sites with these call-to-malware ads. This means that any page that mimics a trusted entity (like your device, browser or the actual site) and tricks you into disclosing sensitive information like passwords (that you’d typically only disclose to a trusted entity) will now be flagged by Google. Opening such a site would give you the following warning:


The update is turned on by default in Chrome. You can switch it on and off by checking or unchecking the “Protect you and your device from dangerous sites” box located under Preferences in Chrome (Preferences → Settings → Advanced → Privacy).

The ultimate question is: will Google’s latest update keep you completely safe from call-to-malware ads? The answer is most definitely “no.” Even when combined with ad blocking software or applications, Google’s Safe Browsing may not be able to completely keep these ads at bay.

For example, earlier this year, Forbes forced visitors to disable ad blocking software before they could read its content. Since Forbes serves a ‘quote of the day’ and an ad before directing visitors to main content, Google does not accurately cache the page’s content/data. The result was that users were immediately served malware after they disabled ad blockers. Other high profile sites like the New York Times have been victim to similar attacks.

It also looks like it will take a while for Google to compile a comprehensive list of flagged sites. If your site has been flagged, you can follow these instructions to fix the issue.

While Google’s latest Safe Browsing update is an important step towards making the internet a safer space for us, we certainly won’t see the end of malware ads just yet.

Why ‘EmailGate’ Isn’t Just a Problem for Clinton

The U.S. elections of 2016 have produced some of the most heated debates across a number of contentious issues. The personalities involved in the run-up to the November presidential election are an explosive mix, and the resulting accusations and mudslinging make for great TV. The accusations range in tone from almost playground jibes, such as Trump’s remark that Cruz’s Canadian birth could make the senator “vulnerable”, to serious accusations that could materially impact a candidate’s status. Jibes like this may muddy the electoral waters, but the more serious accusations we’ve seen recently against Hillary Clinton can have much further-reaching repercussions.

Hillary Clinton and ‘Those Emails…’

Around this time last year, there was a bit of a storm around Hillary Clinton, then secretary of state, who had been revealed to be using a private, home-based server to manage her emails. At the time, she was accused of using this system to evade freedom of information requests and searches. Clinton defended herself by saying the emails were not deemed ‘classified’, something that has since been hotly disputed. The press lambasted her for creating her own ‘homebrew’ email system, the security of which was uncertain and which gave her a degree of control over her emails that rankled those wanting transparency from their politicians. This level of irritation over the use of a personal server was not unfounded. If an issue of state security did occur, it would be vital to have full disclosure of emails. We would then have to rely on Clinton’s word that she had disclosed them, or that she could prove no malicious disclosure had occurred, which is not an ideal situation for any government to have to deal with. Just to give you an idea of the scale of this issue, so far 1,200 emails from that homebrew server have been checked and retroactively marked ‘classified’.

The truth of the matter may never fully come to light, but the story of Hillary Clinton’s ‘EmailGate’ rumbles on. We are now finding out that some of the emails Clinton originally stated were not classified were, in fact, top secret.

Trump, a master of marketing, has of course used this to his own advantage. He is using ‘EmailGate’ to damage Clinton’s reputation because of her poor handling of security. Clinton may also find more than her reputation damaged if any subsequent issues come to light, especially around security.


Ignore Security at Your Peril

Poor security choices may well cost Clinton the presidency. But she isn’t the only one damaged by not taking security and privacy seriously. We are currently watching the world of cyber-crime explode; in fact, Senator John Kerry has described the situation as being “…pretty much the wild west…” and has stated that he fully expects the Russians and Chinese to be reading his emails. In the last few years we have seen a general increase in the likelihood of a successful cyber-breach. Privacy Rights Clearinghouse, a non-profit U.S.-based organization, sets out to spot trends and quantify breaches. You can go to their ‘data breaches timeline’ and see the level of breaches per year since 2005. In 2010 there were just under 13 million records breached. In 2014 this figure had risen to almost 68 million breached records, and in 2015 a staggering 159,436,735 records were compromised. This means an awful lot of organizations, and the people who head them, are seeing financial penalties and their reputations damaged.

Cyber-litigation On the Increase: Now it’s Personal

These cyber-breach figures are not only resulting in an awful lot of stolen data, they are translating into litigation. The Federal Trade Commission (FTC) can and does prosecute firms for poor security measures. In 2015 the FTC made a ruling that will impact all companies who are custodians of data, especially of customer data. The ruling came out of the case of the FTC vs. Wyndham Hotel and Resorts where Wyndham failed to give reasonable protection to personal customer details. The FTC can now more readily bring cybersecurity cases to court and prosecute businesses that do not put in place good measures to protect customer data.

The massive breach suffered by retailer Target has resulted not just in reputational damage, but major financial losses. Resulting lawsuits by banks and credit unions associated with the firm have amounted to $39 million; a class action by Target customers is also in progress against the retailer.

And now it’s also getting personal. There is a human impact too, above and beyond the affected customers and the class actions: Target’s CIO, Beth Jacob, ended up resigning over the cyber-breach debacle. Donna Seymour, CIO of the Office of Personnel Management (OPM), which experienced a breach of around 22 million employee records last year, is now being sued because she failed to protect those individuals’ identity data. If this lawsuit is successful, and chances are it will be, then we should expect to see more personal lawsuits brought against executives of breached companies.

Reputation and Security Go Hand-in-Hand

One thing that we can be sure of in the Hillary Clinton ‘EmailGate’ case is that her reputation has been irreversibly tarnished. Reputation on both a commercial and individual level is a very delicate matter and once lost is difficult to put right. Financial losses are one thing and very damaging they can certainly be, but to lose a reputation can mean a previously shining career is ruined. We can no longer hide behind our company lawyers. As executives we need to take control of our cybersecurity strategy and ensure that from the board level downwards, everyone takes security and privacy seriously.

Rotten to the Core – Thousands of Apps in Apple’s Store Infected

A multitude of apps in Apple’s Chinese App Store contained a form of malware that recently bypassed Apple’s code screening process. Researchers at FireEye have found approximately 4,000 apps to be infected with the XcodeGhost malware, affecting hundreds of millions of iOS users worldwide. Once downloaded, these malicious applications have the potential to obtain and utilize device and user information, though Apple has said they’ve found nothing to suggest any malicious activity as of yet.

Xcode is an integrated development environment (IDE) containing a suite of software development tools produced by Apple for developing software for OS X and iOS. XcodeGhost is the malware found in unofficial versions of Xcode downloaded by Chinese developers. It modifies Xcode and infects the iOS applications built with it. WeChat and Angry Birds 2 are just a couple of examples of popular infected applications that are now being updated in the App Store with malware-free versions, while many other iOS applications identified as infected with XcodeGhost are temporarily unavailable. In conjunction with this, Apple has sent email notifications to affected developers, instructing them to recompile their products with the official Xcode and to re-submit them in order to prevent future breaches. Is it too late, however? Has the damage been done?

Some are labelling this incident as a “first of its kind security breach” exposing a vulnerability and security gap in Apple’s mobile platform, which was once conceptualized as being the most secure of its kind. It is important to note that there was a failure to identify this malware prior to it infiltrating Apple and its users. How did this happen and how may this have been prevented? With modern day tools and technologies in place to protect against such occurrences, how will organizations such as Apple move forward in addressing this security gap?

What one can deduce from this incident is that, contrary to popular belief, Apple is not in fact safer and more secure than PC/Android. Does this incident mean reduced credibility and competitive advantage for Apple within the market? I suppose that is something yet to be determined. What we do know for certain, however, is that there is a security gap which is very much in existence today. Users, unfortunately, are not as aware as they should be when downloading files and applications, especially when the applications in question are being hosted by a “trustworthy” source such as the App Store.