
Detecting XCodeGhost Activity


Detecting XCodeGhost Activity By Monitoring HTTP Traffic

Apple are presently working on issues with malware (XCodeGhost) in their App Store. According to this blog post, over 50 iOS apps contained malicious code that made iPhones and iPads part of a botnet that stole potentially sensitive user information including:

  • Application name
  • Application version
  • OS version
  • Language
  • Country
  • Developer info
  • Application installation type
  • Device name
  • Device type

One of the quick ways to check for suspicious activity on your network is to look for HTTP or DNS traffic associated with:


Lately criminals have been targeting users of mobile devices more, as people are less cautious on mobile devices than on desktops. This attack also highlights how important security awareness is throughout the application development process. Everyone from the developer to the end user needs to be alert. In this incident developers were tricked into using counterfeit software to build their applications, which created an ideal environment for malware to spread.

Detect XCodeGhost Activity on YOUR Network Using LANGuardian

Use the advanced deep packet inspection features in LANGuardian to track down XCodeGhost Activity on your network. Active Directory integration also lets you see the associated username.

The BBC is reporting that the majority of people affected by this attack were in China. However, we would recommend that you check your own network for activity, especially if you allow mobile devices to connect to the corporate network.

A recommended approach to do this would be to use network packet capture. Tools that rely on NetFlow (or another flow source) are poor when it comes to web usage tracking, because flow records summarise connections without their application-layer content. Packet capture allows you to look inside HTTP headers, where interesting data like the User-Agent can be found.

You can use a free tool like Wireshark or a commercial product like LANGuardian. Once installed, you should set up a SPAN or mirror port to get a copy of the network packets going in and out of your Internet connection. This is a passive monitoring approach, so you won't need to install client or agent software on all of your network devices.

Deep packet inspection (DPI) based monitoring also works whether you have a proxy or not; you just need to sniff the traffic at the correct location. Many organizations are not using proxies these days because they are a potential bottleneck, another inline device that can degrade performance or cause issues. If you do not have one and need visibility, you have the option of using a SPAN port or port mirror.
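As an added example (not code from this post or from LANGuardian), here is a small Python detector of the kind a SPAN-port capture would feed: it decodes the queried name from a raw DNS query, pulls the Host and User-Agent headers out of an HTTP request, and flags anything that falls under a watchlist domain. The watchlist entry, the DNS query and the HTTP request are constructed placeholders; substitute the published XCodeGhost indicators for the watchlist.

```python
import struct

# Placeholder watchlist: substitute the published XCodeGhost domains (not reproduced in this post); subdomains of an entry also match.
WATCHLIST = {"c2-indicator-placeholder.invalid"}

def matches_watchlist(hostname):
    """True if hostname equals a watchlist entry or is a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in WATCHLIST)

def dns_query_name(payload):
    """Decode the QNAME of the first question in a raw DNS message (UDP payload)."""
    if struct.unpack("!H", payload[4:6])[0] == 0:  # QDCOUNT
        return ""
    labels, pos = [], 12  # the question follows the 12-byte header
    while payload[pos] != 0:  # length-prefixed labels, zero byte ends the name
        length = payload[pos]
        if length & 0xC0:  # a compression pointer never starts a query name
            raise ValueError("unexpected label pointer in question")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def http_headers(request):
    """Parse an HTTP/1.x request header block into a lowercase-keyed dict."""
    lines = request.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = {"_request_line": lines[0]}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def inspect_http(request):
    """Alert dict when the Host header is on the watchlist, else None."""
    h = http_headers(request)
    host = h.get("host", "").split(":")[0]
    if not matches_watchlist(host):
        return None
    return {"host": host, "user_agent": h.get("user-agent", ""),  # UA identifies the app build
            "request": h["_request_line"]}

def inspect_dns(payload):
    name = dns_query_name(payload)  # alert only when the queried name matches
    return {"query": name} if matches_watchlist(name) else None

def build_dns_query(name):
    """Construct a standard A-record query so the demo runs without a capture."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)
```

In practice the raw bytes would come from the UDP/TCP payloads of a capture rather than from the builder; the matching and parsing logic stays the same.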

The following video shows how you can set up a SPAN or mirror port to monitor Internet or mobile device activity. This is an ideal way to detect HTTP or DNS traffic associated with XCodeGhost. Even if you don't have a problem today, you should get familiar with the concept so that you are prepared for the next big security issue.

Our support team is here to help if you have any questions about detecting XCodeGhost activity on your network. Contact information can be found at the very top of this blog post. Use the following procedure if you want to use LANGuardian for detecting XCodeGhost activity.

  1. Enter websites in the find field which is located in the top right of the GUI
  2. Select Web : Top Websites & URI
  3. Search for or by using the website name filter.

[Figure: DNS traffic associated with XCodeGhost]

Please use the comment section below if you have any feedback or further information for detecting XCodeGhost activity.

Darragh Delaney