Suspects of XcodeGhost malware attack this September are now under arrest. An anonymous source shared some inside stories with Huxiu. Here are a few things we are able to tell you:
1. The hacker team behind XcodeGhost started their plot as early as in February this year, however, it was not found out until September.
2. The conspiracy was caught when a developer on the Tencent Wechat team downloaded and programmed with his Xcode infected by XcodeGhost. The engineer then compiled and put an "infected" version of Wechat for users to update, which received many complaints about a severe delay on the first day of its release. After technical analysis, investigators detected a suspected communication between the WeChat and the hackers' servers used to collect users' confidential information.
3. The hackers’ server broke down due to the overwhelming data flow sent by the enormous amount of Wechat users, therefore the delay. WeChat was not the first App being infected but no apps has ever had such an impact on the hackers’ server, which was why they managed to remain in the dark until September.
4. The kingpin of XcodeGhost graduated from Shandong University of Science and Technology and was recommended for admission to Chinese Academy of Sciences to pursue his master’s degree. Later he dropped out of school and went back from Beijing to east China Shandong Province, which is quite abnormal in China because young college student tend to stay in metropolis.
5. The investigators had also found direct evidence of the ringleader’s identity from a post on the BBS of Shandong University of Science and Technology, in which he revealed his mobile number, QQ and email.
6. Our suspect graduated from Shandong University of Science and Technology in 2010 and no longer has the access to the school internal BBS. So he broke into its database and deleted his contact information in that post.
7. This hacking caught researchers’ attention, for it is quite unusual to modify a post in this way five years after graduation.
8. The investigators regained the original post along with the ringleader’s mobile number and finally determined his identity.
9. How did they get the original post? Well, it's Baidu cache.