Malicious Xcode could spread via download manager Xunlei
What’s at stake?
We reported last week that popular Chinese iOS apps were compromised in an unprecedented malware attack. We discovered that the source of the infection was compromised copies of Xcode hosted on Baidu Pan. Apple has published an article urging developers to download Xcode directly from the Mac App Store, or from the Apple Developer website and validate signatures. We’ve now discovered that even if a developer uses a download link seemingly from Apple, he might still be possible to obtain a compromised copy of Xcode.
Please note that we do not have evidence that such attacks has happened. But it is an easy attack that anyone can implement.
How does it work?
This compromise happened because of Xunlei. Xunlei is the most popular download manager in China. Much of its popularity is due to the fact they can accelerate download speeds by pulling resources from other Xunlei users as well as cached copies on the Xunlei server. All of this, however, is invisible to users. Users can simply enter a regular http download address into Xunlei download manager and the download will start. Chinese developers were using direct download addresses such as http://adcdownload.apple.com/Developer_Tools/Xcode_7/Xcode_7.dmg to download Xcode.
Because of Xunlei’s P2P and server cache, download speeds would be much faster than the Mac App Store. Downloading via Xunlei also means that developers do not need to be enrolled in the Apple developer program. Direct downloads of Xcode via the developer program cost $99. Because the URL belongs to Apple, users were tricked into thinking that the download link was authentic and hence the Xcode copy. But in actual fact, the file is not authentic because it comes from Xunlei’s P2P and server cache.
The way to “host” a compromised copy of Xcode on Apple’s server is to trick Xunlei locally and let the error propagate. For example, a malicious user can hijack adcdownload.apple.com locally via host file and download from a non-exsistant URL http://adcdownload.apple.com/xcode-fake-126.96.36.199.dmg. Xunlei will then correlate this URL with the file specified by the malicious user and provide this file to other innocent users.
This is what actually happens when you use Xunlei to download http://adcdownload.apple.com/xcode-fake-188.8.131.52.dmg
But if you look at the details of the download source, you can see that 0% of the download is from the original server (i.e adcdownload.apple.com) while the server cache accounts for 26% and P2P accounts for 3% of the download.
You can also see that attempts by Xunlei to connect to adcdownload.apple.com were redirected to https://developer.apple.com/unauthorized/ because Apple only allows users in the Apple developer program to access the page.
Malicious attackers can poison Xunlei with a URL similar to a real Apple Xcode URL and then post the fake URL on forums and download sites. Most Chinese users by default use Xunlei to download. In fact, they have to if they are not enrolled in the Apple developer program. Most will have a compromised copy of Xcode, seemingly downloaded from Apple.
What can developers do to prevent future attacks?
Our suggestions are exactly the same from our last blog post.
Always download Xcode from the official Mac App Store. For other developer tools, always download these from official sources.
Always check the digital signature of developer tools. It is irresponsible for developers to ignore signature warnings. Xcode clearly should have been signed by Apple; all other versions should have produced user warnings.
Separate your development system with your everyday system. Development systems should be used solely for development and not for browsing random sites. If physical separation presents too much of a problem for developers, at the very least, a dedicated user account for development should be used.
Xunlei users should be cautious
As demonstrated above, Xunlei cannot be trusted to download the correct file, even if the download link is HTTPS. Users should manually check hash after download or use the browser’s download function.