How to detect XCode Ghost

With NetworkToolbox and the new Connections tool, it is relatively easy to detect apps that contain the so-called XcodeGhost code.

For this, similar to the general explanation, just start NetworkToolbox and open the Connections tool.

The screen is divided into three sections. The first, External TCP connections, is the interesting one. The number on the right side of this line shows the number of connections. If there are too many (say, more than five), wait a while and press the refresh button at the top until this number drops below five. A quiet baseline matters because every connection that appears later should be attributable to the app you are about to test.

(Screenshot: Connections tool)

Then switch to the app you would like to inspect, in my case the "infected" CamScanner app. Play around with the app, switch back to NetworkToolbox and press the refresh button.
Now you will see many more connections, all caused by opening and using CamScanner. Next, tap on External TCP Connections and you will see a list of connections like the one shown below:

(Screenshot: connection list showing the XcodeGhost domain)

As you can see, there is the suspicious domain init.icloud-analysis.com. This shows that the app "calls home" to that domain and is "infected".
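The same check can be scripted. The snippet below is an added example, not part of the original post and not NetworkToolbox code: it takes two constructed "before" and "after" connection snapshots in a simple host:port state format, keeps only the connections that appeared after the app was used, and flags any whose remote host is on a watchlist. The only watchlist entry is the init.icloud-analysis.com domain named above; every other host in the sample data is made up.

```python
from __future__ import annotations

# Constructed snapshots of external TCP connections in a simple
# "host:port state" format (not real NetworkToolbox output).
BEFORE = """\
17.253.57.203:443 ESTABLISHED
www.apple.com:443 TIME_WAIT
"""

AFTER = """\
17.253.57.203:443 ESTABLISHED
www.apple.com:443 TIME_WAIT
cdn.example.net:443 ESTABLISHED
init.icloud-analysis.com:80 ESTABLISHED
INIT.ICLOUD-ANALYSIS.COM.:80 SYN_SENT
"""

# Watchlist: the XcodeGhost beacon domain named in the write-up.
# Further indicators would come from a trusted source, not from guesses.
WATCHLIST = frozenset({"init.icloud-analysis.com"})


def normalize_host(host: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are exact."""
    return host.strip().lower().rstrip(".")


def parse_connections(snapshot: str) -> list[tuple[str, int, str]]:
    """Parse 'host:port state' lines into (host, port, state) tuples.

    Blank lines and lines without a numeric port are ignored; the port is
    split off from the right so an IPv6 literal with colons still parses.
    """
    rows: list[tuple[str, int, str]] = []
    for line in snapshot.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        endpoint, state = parts[0], parts[1]
        host, sep, port = endpoint.rpartition(":")
        if not sep or not port.isdigit():
            continue
        rows.append((normalize_host(host), int(port), state))
    return rows


def new_connections(before: str, after: str) -> list[tuple[str, int, str]]:
    """Connections present after using the app but absent in the baseline,
    compared by (host, port) so state changes alone do not count as new."""
    baseline = {(h, p) for h, p, _ in parse_connections(before)}
    return [row for row in parse_connections(after) if (row[0], row[1]) not in baseline]


def host_on_watchlist(host: str, watchlist: frozenset[str] = WATCHLIST) -> bool:
    """Exact match or subdomain of a watchlisted domain; a lookalike such as
    'evil-init.icloud-analysis.com' is deliberately not matched."""
    host = normalize_host(host)
    return any(host == d or host.endswith("." + d) for d in watchlist)


def flag_suspicious(before: str, after: str,
                    watchlist: frozenset[str] = WATCHLIST) -> list[str]:
    """Sorted, de-duplicated list of new remote hosts on the watchlist."""
    return sorted({h for h, _, _ in new_connections(before, after)
                   if host_on_watchlist(h, watchlist)})


if __name__ == "__main__":
    for host, port, state in new_connections(BEFORE, AFTER):
        print(f"new: {host}:{port} {state}")
    for host in flag_suspicious(BEFORE, AFTER):
        print(f"WATCHLIST HIT: {host}")
```

The baseline-then-diff step mirrors the manual procedure: connections that already existed before the app was opened are not attributed to it. Matching is done on the normalized host name, so differences in case or a trailing dot do not hide a hit.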