[1] https://www.zdnet.com/article/play-store-identified-as-main-...
[2] https://www.vice.com/en/article/n7bbmz/the-fortnite-trial-is...
From here[1]:
> Remote control security risks
> XcodeGhost can be remotely controlled via commands sent by an attacker from a Command and control server through HTTP. This data is encrypted using the DES algorithm in ECB mode. Not only is this encryption mode known to be weak, the encryption keys can also be found using reverse engineering. An attacker could perform a man in the middle attack and transmit fake HTTP traffic to the device (to open a dialog box or open specific app for example).
> Read and write from clipboard
> XcodeGhost is also able, each time an infected app is launched, to store the data written in the iOS clipboard. The malware is also able to modify this data. This can be particularly dangerous if the user uses a password management app.
> Hijack opening specific URLs
> XcodeGhost is also able to open specific URLs when the infected app is launched. Since Apple iOS and OS X work with Inter-App Communication URL mechanism (e.g. 'whatsapp://', 'Facebook://', 'iTunes://'), the attacker can open any apps installed on the compromised phone or computer, in the case of an infected macOS application. Such mechanism could be harmful with password management apps or even on phishing websites.
> Stealing user device information
> When the infected app is launched, either by using an iPhone or the simulator inside Xcode, XcodeGhost will automatically collect device information. Then the malware will encrypt those data and send it to a command and control server. The server differs from version to version of XcodeGhost; Palo Alto Networks was able to find three server URLs:
> http://init.crash-analytics.com, http://init.icloud-diagnostics.com, http://init.icloud-analysis.com
> The last domain was also used in the iOS malware KeyRaider.
[1] https://en.wikipedia.org/wiki/XcodeGhost#Behavior_on_infecte...
[2] https://blog.lookout.com/blog/2015/09/20/xcodeghost
[3] http://researchcenter.paloaltonetworks.com/2015/09/malware-x...
[4] https://arstechnica.com/information-technology/2015/09/apple...
[5] http://www.reuters.com/article/2015/09/20/us-apple-china-mal...
[6] http://www.nytimes.com/2015/09/21/business/apple-confirms-di...
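A defender-side check for the three command-and-control hostnames in the quoted passage, as an added example that is not part of the original comment or the quoted article. The log format, sample lines and function names are assumptions constructed for illustration; the point is that parsing the host out of each URL avoids the false positives a plain substring search produces.

```python
from urllib.parse import urlsplit

# C2 hostnames exactly as listed in the quoted passage.
C2_HOSTS = {
    "init.crash-analytics.com",
    "init.icloud-diagnostics.com",
    "init.icloud-analysis.com",
}

# Constructed sample lines in an assumed proxy-log format:
# <timestamp> <client_ip> <method> <url> <status>
SAMPLE_LOG = """\
2015-09-18T02:11:07Z 10.0.4.21 POST http://init.icloud-analysis.com/ 200
2015-09-18T02:11:09Z 10.0.4.21 GET http://example.org/?ref=init.icloud-analysis.com 200
2015-09-18T02:12:40Z 10.0.4.33 POST http://INIT.Crash-Analytics.com.:80/ 200
2015-09-18T02:13:02Z 10.0.4.40 GET http://init.icloud-analysis.com.example.org/ 200
2015-09-18T02:13:15Z 10.0.4.40 GET http://notinit.icloud-diagnostics.com/ 404
truncated line
"""

def normalize_host(url):
    """Return the lowercased host without port or trailing dot, or None."""
    try:
        host = urlsplit(url).hostname  # lowercases and drops the port
    except ValueError:
        return None
    return host.rstrip(".") if host else None

def find_c2_contacts(log_text):
    """Return (timestamp, client_ip, host) for requests to a listed C2 host."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not match the assumed format
        ts, client, _method, url, _status = fields
        host = normalize_host(url)
        if host in C2_HOSTS:  # exact host match, not substring
            hits.append((ts, client, host))
    return hits

def clients_to_triage(log_text):
    """Unique client addresses that contacted a listed C2 host."""
    return sorted({client for _, client, _ in find_c2_contacts(log_text)})

if __name__ == "__main__":
    for hit in find_c2_contacts(SAMPLE_LOG):
        print(*hit)
```

Lines 2, 4 and 5 of the sample all contain a listed hostname as a substring but are not requests to it, so only the first and third lines are reported.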
And the 'remotely controlled via commands' section is meaningless - apps can't JIT so such C&C was simply turning flags on-and-off to go on different code paths.
Of course, the app can refuse to function if you deny it...
Legislation like this forces Apple to actually maintain a good OS lest it be riddled with malware. They seem to be doing fine on macOS; they can do the same for iOS.