Apple targeted as malware generated by bogus Xcode infects China mobile apps

“Some of the most popular Chinese names in Apple Inc.’s App Store were found to be infected with malicious software in what is being described as a first-of-its-kind security breach, exposing a rare vulnerability in Apple’s mobile platform, according to multiple researchers,” Josh Chin reports for The Wall Street Journal. “The applications were infected after software developers were lured into using an unauthorized and compromised version of Apple’s developer tool kit, according to researchers at Alibaba Mobile Security, a mobile antivirus division of Alibaba Group Holding Ltd. The list of recently compromised iPhone and iPad apps includes Tencent Holdings Ltd.’s popular mobile chat app WeChat, Uber-like car-hailing app Didi Kuaidi, and a Spotify-like music app from Internet portal NetEase Inc.”

“The infected apps can transmit information about a user’s device, prompt fake alerts that could be used to steal passwords to Apple’s iCloud service, and read and write information on the user’s clipboard, according to researchers,” Chin reports. “Apple said in a late Sunday statement that it had taken steps to address the problem. ‘To protect our customers, we’ve removed the apps from the App Store that we know have been created with this counterfeit software and we are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps,’ the statement said.”

Read more in the full article here.

“The malware was initially flagged by researchers at the Chinese e-commerce firm Alibaba,” BBC News reports. It discovered that the hackers had uploaded several altered versions of Xcode – a tool used to build iOS apps – to a Chinese cloud storage service. Then, about six months ago, the attackers posted links to the software on several forums commonly visited by Chinese developers.”

“‘In China – and in other places around the world – sometimes network speeds are very slow when downloading large files from Apple’s servers,’ explained Palo Alto Networks in a follow-up blog,” The Beeb reports. “‘As the standard Xcode installer is nearly three gigabytes, some Chinese developers choose to download the package from other sources.'”

“Apple does have a security tool – called Gatekeeper – that is designed to alert users to unauthorised Mac programs and stop them from being run. However, it appears the developers must disabled the facility, allowing them to create iOS apps with XcodeGhost,” The Beeb reports. “The majority of people affected were in China.”

Read more in the full article here.

MacDailyNews Take: Ingenious, but now it’s just an attack vector that will no longer be available to criminals. This only makes iOS even more secure than it already is as Apple’s App Store has already constructed a very effective wall protecting against intruders’ malfeasance. If the criminals are resorting to trying to get developers to use fake Xcode versions, you know it’s very, very difficult to get malware into Apple’s App Store.

Criminals are stupid. They wasted this idea without actually using it to get anything of value. Now it’s gone.

New Android malware strains to top 2 million by end of 2015 – July 1, 2015
Symantec: 1 in 5 Android apps is malware – April 25, 2015
Kaspersky Lab Director: Over 98% of mobile malware targets Android because it’s much, much easier to exploit than iOS – January 15, 2015
Security experts: Malware spreading to millions on Android phones – November 21, 2014
There’s practically no iOS malware, thanks to Apple’s smart control over app distribution – June 13, 2014
F-Secure: Android accounted for 99% of new mobile malware in Q1 2014 – April 30, 2014
Google’s Sundar Pichai: Android not designed to be safe; if I wrote malware, I’d target Android, too – February 27, 2014
Cisco: Android the target of 99 percent of world’s mobile malware – January 17, 2014
U.S. DHS, FBI warn of malware threats to Android mobile devices – August 27, 2013


  1. Sorry MDN “criminals are stupid” is a false statement. The smart criminal get away with it and are never caught, and often not even notice. Other are in plain view and are adored. Certain corporations and billionaires for example.

  2. Any developer out there that does not want to be “trusted” no matter what, might fall for a fake version of Xcode. I suspect that we will see a rise due to iOS 9’s ad blocker inclusion. The reason is that GREED will rule as websites looking to just get paid (for nothing of value) will conspire with the malware developers and do anything they can to exploit iOS so they can get useless crap on our iDevices. I also see that Tim and Co. will do EVERYTHING in their power to prevent it.
    I am voting for Apple to protect and serve us on this one.

  3. So, having gone through the hassle of updating my iCloud credentials, I would say one thing Apple can work on is making the process simpler and more seamless. Talk about a pain in the ass. And now I find out the problem affects older versions of WeChat.

  4. That was a very clever vector. And it is good that this one is now shut for good.

    I have no doubt, many will now chime in with their opinion how iOS App Store isn’t impenetrable and how there was malware there as well. Not to mention fandroids, who will collectively have orgasms over this. The bottom line is, the few users who were affected may have suffered some tangible damage, but that was very limited (in numbers, as well as regionally), and vast majority of the world (virtually all outside China) was unaffected. As malware goes, this was by far the worst on iOS, and yet one of the least damaging in mobile space in general.

    The ingenious vector highlighted another problem: accessibility of xCode SDK in China. This is in general why so many people out there still use various torrent sites and other means for obtaining software that is essentially free for anyone to get. While this is something that would require some heavy investments (into server farms and bandwidth inside China), Apple may well want to make an effort to address this problem.

  5. The obvious solution is for Apple to control the way developers can get xCode. Once the software is downloaded there should be a verification process to ensure the code is correct and that is confirmed again when an app is submitted. If network transmission is throttled at China’s border then as has been suggested above Apple need to provide a secure server for developers to access the software internally.

    1. Apple DOES control the way developers can get Xcode. It is only legally available via the Apple Mac App Store or the Developer Connection website. EVERY legal Apple developer knows this. And its FREE!

      What went wrong:
      1) Baidu in China illegally allowed members to upload the FAKE Xcode to their website. No one but Apple has the right to distribute Xcode. Again, all legal Apple developers know this fact. Period. Once this scam was uncovered, Baidu got the clue to take down the fake copies of Xcode.
      2) The ‘excuse’ for developers to download the Baidu copies of fake Xcode has been stated to be that the bandwidth direct from Apple is too ‘slow’ from within China. Apparently, that is due to the abusive ‘Great Firewall’ of China, the product of totalitarianism in that abused country.

      I TOTALLY agree with the requirement of a verification process to ensure the code is correct. The REAL installer of Xcode has EXACTLY that. It is a hash test to make certain the installer’s code has not been altered. Apparently, the hash test was removed from the fake Xcode copies and the silly developers who downloaded it didn’t notice. IDEALLY Apple should provide the SHA-1 hash value so developers can verify for themselves that the Xcode installer has not been fiddled.

      And YES, if the ‘Great Firewall’ is screwing over Apple developers in China with crap bandwidth from Apple, then Apple should set up a locked down mirror server within China.

    1. You are correct in that there was a similar situation back in March 2015 called the ‘dylib hijack attack’. It was unveiled in a presentation at CanSecW. It too involved Xcode, as well as other applications, that had been molested. Objective-See created a scanning application called ‘DHS’ for detecting vulnerable applications on user’s systems:

      You can read the gory details about the dylib hijack attack here:

  6. No doubt this vector was conceived on Android and then applied to Apple. When will they mention a full list of compromised Android apps?

    WeChat, probably the biggest trophy for the hackers, wasn’t just used in China, it has a global reach.

    Part of the problem, why would large corporations download Xcode from a digital locker. It would be like Facebook or Google, chooses to download it’s coding tools from DropBox or MegaDownloads. This is the most ridiculous.

    Now we get to read negative blog posts about Apple, as they try it hit whore.

  7. Let me see if I have this right:

    1) The App Store was *not* hacked, as they said on the morning news.
    2) The malicious code came from a version of Xcode *not* provided by Apple, likely unbeknownst to the developer.
    3) The malicious Xcode was downloaded from a site that is *not* an Apple developer site, in this case knowingly by the developer.
    4) The otherwise innocuous looking apps were approved for the App Store in the usual process. The malicious code was not detected because Xcode was not supposed to do this in the first place, and if a genuine version had been used, from a genuine download site, we wouldn’t even be discussing this.

    Is my understanding correct?

    1. This depends upon your definition of “hacked.” These perpetrators were indeed able to get malicious code — and a *lot* of it — into the App Store. That sounds like “hacked” to me.

      1. “Hacked” generally (always?) means that something was forced in, not done through normal channels. The term “backdoor” was even used in this morning’s news on TV, which appears to be completely false. The malicious code walked in through the front door. It wasn’t snuck in; it was uploaded and approved through completely normal channels. That is not hacking the App Store. If you want to call modifying Apples Xcode “hacking”, then I *might* accept that. But in reality, it wasn’t either. It was modified outside of Apple’s control. To call it hacked would say that the version Apple was providing on its website was modified by the perpetrators, which is not the case. Anything done through proper Apple channels was/is still secure.

        Computers. modify (a computer program or electronic device) or write (a program) in a skillful or clever way: Developers have hacked the app. circumvent security and break into (a network, computer, file, etc.), usually with malicious intent: Criminals hacked the bank’s servers yesterday.

        My understanding: They didn’t modify the App Store itself. They didn’t circumvent security into the App Store. They didn’t break in. The App Store wasn’t hacked.

  8. “The infected apps CAN transmit . . .”

    Enough with what the apps (which are no longer available on Apple’s app store) could have done. The question is, what do they do?

    I CAN get into my car and run someone over, but I’m not going to.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.