Developers were inadvertently submitting malware by using counterfeit versions of Xcode, Apple’s development software, to submit apps.
The fake Xcode, dubbed XcodeGhost, would inject malicious code into otherwise-legitimate apps during the submission process.
Apple has officially acknowledged the malicious app problem and is now removing apps affected by this ‘hack’ from the App Store.
First and foremost, the iOS users who downloaded these apps are affected. However, the apps analyzed were reportedly only from the Chinese App Store, so it doesn’t look like customers in other parts of the world need to worry.
Any developers who obtained their copy of Xcode from an unofficial source could be affected, as there is a chance their products are not totally above board. XcodeGhost could also affect developers creating enterprise apps. These are apps made by companies specifically for their own employees’ devices, so they don’t have to go through any sort of Apple security check. However, “that’s a pretty obscure attack,” Charlie Miller, a security researcher at Uber who got his own malicious software onto the App Store in 2011, tells WIRED in a phone interview.
Apple Provided The Following Statement To Reuters:
“We’ve removed the apps from the App Store that we know have been created with this counterfeit software,” Apple spokeswoman Christine Monaghan said in an email. “We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.”
The hackers somehow convinced developers to use their version of the Xcode tools rather than Apple’s official software (which is available to download for free on the Mac App Store). One theory is that Apple’s servers are slow to download from in China, so developers used this alternative ‘mirror’ download for convenience and speed, unaware that it could not be trusted.
Affected apps included versions of WeChat, a very popular messaging app in China. One Chinese security firm said it found 344 apps infected by XcodeGhost but Apple declined to confirm the number. Apps built with XcodeGhost will secretly send device information back to the hackers as well as initiate phishing attacks for more sensitive user credentials.
Most of the apps impacted are targeted at the Chinese market, but some, like WeChat, have international appeal. iPhone and iPad users should update their apps immediately to ensure they are on the latest version. It is also good practice to change your iCloud and other account passwords, in case you have accidentally fallen victim to one of these phishing attempts.
Update: WeChat reached out to inform us that WeChat version 6.2.6 and later is not affected by the XcodeGhost vulnerability. You can download the latest (clean) version of the app from the App Store now. You can read their full statement on their blog.
The malware that reached the App Store is not itself especially concerning, but there’s a broader issue here: how it got past Apple’s screening process in the first place.
“You might completely trust the app developer, and that developer might be completely trustworthy, but this is a case where the app wasn’t,” Miller said. That, and the fact that software made from a tampered version of Xcode found its way onto the App Store, should give developers pause.
What About Consumers, And The People Who Downloaded The Malicious Apps?
They should be only slightly concerned. “I wouldn’t worry too much,” Miller says. The apps that did get through didn’t seem to do any really nasty stuff. “If you made it really, obviously bad, probably [Apple] would catch it,” Miller says.
The bottom line for customers is, if you’ve downloaded one of these dodgy apps, delete it, and keep up with reports of other ones slipping through.