Understanding XcodeGhost: How It Operates and How to Detect It

This article explains the XcodeGhost malware that infected iOS developers, detailing its data‑reporting and command‑issuing capabilities, the potential threats it poses on older iOS versions, and practical steps to detect and remove an infected Xcode installation.

Tencent TDS Service

Over the past few weeks iOS developers have been confronted repeatedly with XcodeGhost, a tampered build of Xcode that silently links malicious code into every app compiled with it. The injected code has since turned up in many App Store apps, including well‑known ones.

The author of XcodeGhost claimed the code was an experiment and released the source, but analysis shows it behaves like a trojan.

XcodeGhost's Ghost: What It Does

Reverse engineering and the published source reveal two main capabilities:

1. Reporting Information

It sends reports to the server icloud-analysis.com containing the app version, app name, system language, iOS version, device type, country code and similar details.

On their own, these data leaks are low‑risk: they identify the device and app but carry no credentials or user content.

2. Issuing Commands

Through the server's response packets it can receive commands that it executes via the system openURL interface, which lets it open other apps or specific web pages and initiate SMS messages or phone calls. Apart from opening a page in Safari, each of these actions pops a system dialog that the user must confirm.

The realistic threat is a lure: the malware can open a page that prompts the user to install an enterprise‑signed app, and such an app may then use private APIs for further attacks such as remote control (for example the Hacking Team RCS implant), effectively taking over the iPhone. iOS 9 mitigates this by requiring the user to explicitly trust the enterprise certificate in Settings before the app will launch, but older iOS versions remain exposed.

The malicious server is currently offline, so the command channel is dormant; it would become live again if the domain were brought back under attacker control.

How to Detect XcodeGhost

Detection methods:

Compare the checksum (SHA‑1 or SHA‑256) of the Xcode installer you downloaded with the value published by Apple; a mismatch means the package was altered in transit or served by a tampered mirror. Also verify that the installed bundle still carries Apple's signature.

Check the Xcode installation directory for malicious library files. The infected version carries an extra CoreService Mach‑O under the SDKs/Library/Frameworks path, which an official installation does not have:

/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/Library/Frameworks/CoreServices.framework/CoreService

If an infected Xcode is found, delete it immediately and reinstall from official Apple sources (App Store or developer.apple.com), avoiding third‑party download accelerators.

Written by

Tencent TDS Service

TDS Service offers client and web front‑end developers and operators an intelligent low‑code platform, cross‑platform development framework, universal release platform, runtime container engine, monitoring and analysis platform, and a security‑privacy compliance suite.