XCodeGhost iOS infection toll balloons from 39 to over 4,000 apps

“The number of XCodeGhost-infected iOS apps, initially pegged at 39, has ballooned to more than 4,000,” Darren Pauli reports for The Register. “‘Immediately after learning of XcodeGhost, FireEye Labs identified more than 4,000 infected apps on the App Store,’ FireEye said. ‘The malicious apps steal device and user information and send stolen data to a command and control (CnC) server [and] also accept remote commands including the ability to open URLs sent by the CnC server. These URLs can be phishing webpages for stealing credentials, or a link to an enterprise-signed malicious app that can be installed on non-jailbroken devices.'”

“A FireEye spokesman told Vulture South that many of the infected apps were owned by ‘big Chinese global brands’ such as consumer electronics, telcos, and banks,” Pauli reports. “The apps were infected after developers downloaded a copy of the Xcode iOS development tool through a file-sharing service. That package was modified to trojanise apps in a way that passed App Store security checks, and was advertised on popular developer forums as a faster source to download the 3Gb Xcode file.”
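The trojanised Xcode described above was handed out through file-sharing sites rather than Apple's own channels, so it cannot carry Apple's code signature; that is what the check Apple published after XcodeGhost (`spctl --assess --verbose` on the Xcode bundle) relies on. The following POSIX shell wrapper is an added example, not code from the article, FireEye or Apple: it runs that check and classifies the verdict, assuming the default install path `/Applications/Xcode.app` and the `accepted`/`source=` output format spctl prints on macOS.

```shell
# Added example (not from the article, FireEye or Apple): wrap Apple's
# post-XcodeGhost check, `spctl --assess --verbose /Applications/Xcode.app`,
# and classify its verdict. A genuine Xcode is "accepted" with source
# "Mac App Store", "Apple" or "Apple System"; copies from file-sharing sites
# cannot carry Apple's signature and land in one of the other buckets.

# parse_spctl_assessment: read spctl output on stdin and print one word
# (genuine / rejected / unsigned-source / malformed); return 0 only for genuine.
parse_spctl_assessment() {
  verdict=""
  src=""
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *": accepted")  verdict="accepted" ;;      # first line: "<path>: accepted"
      *": rejected"*) verdict="rejected" ;;      # first line: "<path>: rejected"
      source=*)       src="${line#source=}" ;;   # second line: "source=<origin>"
    esac
  done
  [ -n "$verdict" ] || { echo "malformed"; return 2; }
  [ "$verdict" = "accepted" ] || { echo "rejected"; return 1; }
  case "$src" in
    "Mac App Store"|"Apple"|"Apple System") echo "genuine"; return 0 ;;
    *) echo "unsigned-source"; return 1 ;;
  esac
}

# check_xcode [PATH]: run the live check on macOS (the default path is an
# assumption about a standard install) and feed spctl's output to the parser.
check_xcode() {
  command -v spctl >/dev/null 2>&1 || { echo "spctl not found; run this on macOS"; return 3; }
  spctl --assess --verbose "${1:-/Applications/Xcode.app}" 2>&1 | parse_spctl_assessment
}
```

On a Mac, `check_xcode` (or `check_xcode /path/to/Xcode.app`) prints the classification and returns non-zero for anything other than a genuine, Apple-signed bundle.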

Read more in the full article here.

MacDailyNews Take: Didn’t have to happen. Happened anyway. Clean it up. Button it up. Move on.

Apple to offer domestic downloads of Xcode for developers in China – September 23, 2015
List of iOS apps infected by ‘XcodeGhost’ includes Angry Birds 2 – September 21, 2015
Apple targeted as malware generated by bogus Xcode infects China mobile apps – September 21, 2015
New Android malware strains to top 2 million by end of 2015 – July 1, 2015
Symantec: 1 in 5 Android apps is malware – April 25, 2015
Kaspersky Lab Director: Over 98% of mobile malware targets Android because it’s much, much easier to exploit than iOS – January 15, 2015
Security experts: Malware spreading to millions on Android phones – November 21, 2014
There’s practically no iOS malware, thanks to Apple’s smart control over app distribution – June 13, 2014
F-Secure: Android accounted for 99% of new mobile malware in Q1 2014 – April 30, 2014
Google’s Sundar Pichai: Android not designed to be safe; if I wrote malware, I’d target Android, too – February 27, 2014
Cisco: Android the target of 99 percent of world’s mobile malware – January 17, 2014
U.S. DHS, FBI warn of malware threats to Android mobile devices – August 27, 2013


    1. I was just facing open doors everywhere, when I told everyone I made more money on supply chain optimization. That is how I got here 🙂

      But, I must refuse any accusation regarding exaggerated behavior of myself, or even letting go of control of a company – and its customers of course – I love so much to represent that I can hardly stop smiling whenever I get attention, and that is a whole lot more since I fought for gay rights.

      Now everyone expects me to save the entire planet, if possible by tomorrow?!

      You cannot imagine how many deeply touching and very sad emails I got everyday… How am I supposed to do all of that?

      Your recommendations are welcome. I am literally sitting on the biggest pile of money a company has ever accumulated in the history of this planet, which I am expected to save.

      But how do I work this? How can money buy me … yeah, what actually?

      How do I start to save anything that is worth, except for money?

      Not only for gay people, I promise.

    2. Are you Chinese? Live in China and get service through a Chinese telecom? No? Then you have nothing to worry about. If you downloaded apps via the Chinese App Store… then worry. How explicit do these articles have to be for people to “get” that this is limited to China??

      1. Sadly you are sooooooo wrong! Winzip is a Canadian app that was affected. WeChat is also compromised as well as others. Now we have an unsubstantiated report that the list could top 4000. Apple is silent. Do something about it.

        1. Any apps in the US App Store? No? Was it really faster for a dev in Canada to download the dev tools from a server in China? I can (almost) understand why Chinese developers went the easy route, but not anyone outside of China. Apple should ban these developers (outside of China)… especially since they broke some rules. Downloading anything from a Chinese server is like screwing a blistered prostitute without a condom.

          1. Do I look like Kreskin to you? How in the hell am I supposed to know? Or how are you supposed to know?

            What I do know is that Apple is saying nothing and letting every little Internet news rag speculate about what’s going on. If my personal information, including credit cards, has been compromised, I want to know!

            1. I understand, and this is not ok. However, it does sound like this is “mostly” limited to the Chinese App Store. I would rather Apple, or any company, wait until they have info before they dump details without understanding the situation. Media outlets don’t have that burden, apparently, and can just lay it out as they get the info… correct or not… If you are in the US App Store, there is no info that you should worry. If you are concerned, email the app developers for installed apps on your iOS devices. Panicking and jumping to conclusions without info is toxic.

        2. It’s the Chinese version of WinZip, and no, Apple is not silent. They’ve stated they’re removing the offending Apps wherever they’re found and assisting the developers of the offending apps to post clean replacements.

          These are STILL apps for the most part on the Chinese App Store.

      1. I just went ahead and uninstalled anything that I know has poor English translations, or is developed by no-name companies, or looks like it probably wasn’t developed in the US, just to be on the safe side (these were mostly games; I reduced my games folder from 4 pages to 1 page). Since Apple has removed the malicious apps, I then went into my purchased apps list and reinstalled the stuff I really wanted (but not too much), figuring they’ve already been checked.

    1. Apple had no officially sanctioned servers in China that hosted the Xcode developer environment. Downloading the IDE from Apple’s servers in the U.S. could take HOURS. Thus several developers went to “alternative hosting sites” within China that claimed to have the full Xcode IDE. The downloads from those sites were *significantly* faster.

      Apple has just recently (last couple of days) stated they will set up an Apple-approved hosting site for the Xcode IDE (and related stuff) in China. This removes any excuse for anyone using unofficial sites. Apple will likely have to do the same thing in Europe and South America.

        1. You are missing the point.

          This affects all of the iOS users !

          That has never been the case before.

          And Apple will not be the first company that will be honest about the risks that its customers face now.

          It is a shame how the pure greed ruined a legacy so outstanding, after Bugsemite compromised the security reputation of Mac OS X we have the same issues with iOS, and Apple Pay is not amused, believe it or not.

          Quality compromised. All fucked up. Shit.

          Do you expect this CEO to explain it on stage?

          He is not that kind of guy. He is just the money guy. Not the one who really cares. But wait and see. I hope I am wrong.

      1. Hours? Big deal. Set the download to work overnight and in the morning it will be done.
        Still, why Apple doesn’t have servers in China is crazy.
        Apple should only allow dev software to run if it is verified. They are asking for trouble.

        1. If Apple has any servers in China, then everything on them is the property of the Party. That’s a requirement of setting up business there. There is no such thing as propriety in China.

          1. My company does business in China – heck, I’ve been there something like 16 times in the last few years. And I can tell you as a fact that your “property of the Party” comment is utter BS. Get your head out of the 1970s and wake up to the new realities in China and elsewhere in the world.

      2. Oh my gosh… it could have taken developers HOURS to download the legitimate Xcode IDE from Apple?! Sure, why not throw caution to the wind and jeopardize the security of your future clients by saving a little time and going to a third-party site.

        Those developers should be banned from the App Store for incurable stupidity.

    1. Take anything (and I do mean *anything*!) posted about Apple by The Register with a grain of salt so large it will take a 100 ton crane to lift it. There is often, but NOT always, a tiny, tiny bit of truth in any reporting they do about Apple.

      I’ve had a running battle with The Register for over a dozen years about their gross inaccuracies in their reporting about Apple. The “reporters” (using the term extremely loosely) from The Register have been one of the few groups that have been given a blanket ban on attending Apple’s special events — and that ban has been in place for many years. Why? Because of their grossly inaccurate reporting about Apple and Apple’s doings.

      So… don’t believe the 4,000 number until Apple says it.

    2. MDN does not have an accurate list. NO ONE does.

      I’m 100% certain Apple is carefully creating a list. The real question is whether Apple will report this to customers.

      As I posted on this site before, Apple should do what amounts to a “recall” for the infected apps. Apple knows who downloaded what. They can send out an email to any and all persons who downloaded infected software and allow them to update to a non-infected version FOR FREE (and maybe charge the developer the 30% Apple might lose on any upgrades that might have been paid for otherwise).

      1. It’s as if Apple is trying to downplay this because I can’t seem to see anything official on the Apple site. What are they afraid of? A stock slide?

        It’s money that got them into this mess by not having proper servers set up in a HUGE market for them. Was it cheapskate bean counters or just Eddie in a brain fog with glazed over faraway eyes?

        I’ve been a fireground commander for over twenty years and have managed some very big, fluid scenes. I make my PIO (Public Information Officer) very available and I keep him well informed. My scribe is attached to my hip and updates frequently. Get to the heart of crisis and mitigate it!!!!! No excuses Apple. You have far more resources than me.

  1. I’m a big Apple fan and I know that the developers did the wrong thing and there are evil malefactors behind the Xcode ghost

    For Apple, who takes thousands of apps from Chinese developers, to be NOT AWARE of SITES giving out Xcode ghost is inexcusable. That means they are so not in touch with the heartbeat of their developers. Hundreds of developers hear about and download XGhost and yet Apple is not aware of it? They are not in tune with the developer grapevine at all. Some manager or the whole team in the Chinese app store should be fired yesterday.

  2. WHY have none of these comments touched on what the end users need to do? Is there a test for the apps we have downloaded, or are we just s..t-out-of-luck and hoping nothing goes wrong? And as to full disclosure by Apple… don’t hold your breath, I’m afraid.

    1. The days of Apple giving a shit, died with Steve Jobs. This is the symbol of Tim “Apple Ballmer” Cook’s Apple, incompetence, glitches, half baked, non tested, overpriced garbage. Apparently all Apple can do these days, is copy android and surface. The thing about copies, is they are never as good as the original. The sooner the board fires Cook and Ive, the better.

  3. This is exactly why Apple needs to close the loop on which software can be used to develop for iOS. Remember all the fits Adobe threw when they made a new software for developing apps and Apple said “no, eff you, can’t use it.” This is why! They need to tighten it up even further.

    1. The problem is you can download Xcode from the App Store, or you can download it from the developer website. They need to lock it down to only the App Store and verify the app is coming from an authenticated App Store version of Xcode.

  4. What is the possibility that Samsung or some other Apple enemy discovered this loophole?

    Then they craft a plan to create infected apps by the thousands, hoping to tarnish Apple’s “closed garden”. Not very far fetched at all.

    1. Yeah, it was those evil android companies. Or better yet, it was Tim “the steward” Cook’s incompetence and apathy that is driving Apple into the ground. Given those two choices, the answer is obvious. The board should have fired Cook and Ive years ago.

  5. So should they have fired Tim & Ive after the iPhone 5s record sales or after the iPhone 6 & 6 Plus RECORD sales?

    I can’t decide which event is more deserving of firing them. /s

    Go back to your bridge troll boy.

  6. Reposting what I wrote at The Register:

    It’s China, Stupid

    The more rigorous testing regime required before an iOS app can be published has always been considered to be the reason for this difference, but in this case it seems to have fallen short.

    Every Apple developer knows the two, and only two, sources for downloading Xcode. Any developer with any sense of software security knows that WAREZ versions of anything are entirely capable of being malware vectors. That is nothing new. Back in early 2009, WAREZ versions of Mac apps were implicated in a Mac botnet of hundreds of thousands (as many as 600,000) Macs.

    The way it should have gone down was:
    – Developers in China inform Apple that The Great Firewall Of China screws them over every day with crap for bandwidth.
    – Apple should have responded by providing software servers inside China, subverting any motivation to download WAREZ versions of Xcode.
    – The End.

    That didn’t happen then; at least it’s happened now. Apple meanwhile has to thrash through the iOS store to find every app infected with XcodeGhost malware. It’s going to take a while. This new number of 4,000 apps is mind-boggling.

    Should this incident be compared to the rat’s nest of security holes and malware that are the default of all things Android? OF COURSE NOT. Try not to look so desperate to bash Apple, please.
