Apple lists top 25 apps afflicted by XcodeGhost

Apple has posted an “XcodeGhost Q&A” information page:

I’ve heard about malicious apps created by XcodeGhost — what does this mean?
We always recommend developers use the free, secure tools we provide them — including Xcode — to ensure they’re creating the most secure apps for App Store customers. Some developers downloaded counterfeit versions of Xcode that have been infected with malware and created apps that were just as infected.

Apple incorporates technologies like Gatekeeper expressly to prevent non-App Store and/or unsigned versions of programs, including Xcode, from being installed. Those protections had to have been deliberately disabled by the developer for something like XcodeGhost to successfully install.

As part of providing developers the industry’s most advanced tools, Apple provides developers the following checks to ensure software is untampered:

• The Xcode app is code-signed by Apple.
• When you download Xcode from the Mac App Store the code signature for Xcode is automatically checked and validated by your system.
• When you download Xcode from the Apple Developer Program web site, the code signature for Xcode is automatically checked and validated by your system by default as long as Gatekeeper is not disabled.

Why would a developer put customers at risk by downloading counterfeit software?
Sometimes developers search for our tools on other, non-Apple sites in an effort to find faster downloads of developer tools.

We’re working to make it faster for developers in China to download Xcode betas. To verify that their version of Xcode has not been altered, they can take the following steps posted at .

How does this affect me? How do I know if my device has been compromised?
We have no information to suggest that the malware has been used to do anything malicious or that this exploit would have delivered any personally identifiable information had it been used.

We’re not aware of personally identifiable customer data being impacted and the code also did not have the ability to request customer credentials to gain iCloud and other service passwords.

As soon as we recognized these apps were using potentially malicious code we took them down. Developers are quickly updating their apps for users.

Malicious code could only have been able to deliver some general information such as the apps and general system information.

Is it safe for me to download apps from App Store?
We have removed the apps from the App Store that we know have been created with this counterfeit software and are blocking submissions of new apps that contain this malware from entering the App Store.

We’re working closely with developers to get impacted apps back on the App Store as quickly as possible for customers to enjoy.

A list of the top 25 most popular apps impacted are listed below. After the top 25 impacted apps, the number of impacted users drops significantly.

If users have one of these apps, they should update the affected app which will fix the issue on the user’s device. If the app is available on App Store, it has been updated, if it isn’t available it should be updated very soon.

We will update this page with more information as it becomes available. Please check back from time to time.

• WeChat
• DiDi Taxi
• 58 Classified – Job, Used Cars, Rent
• Gaode Map – Driving and Public Transportation
• Railroad 12306
• Flush
• China Unicom Customer Service (Official Version)*
• CarrotFantasy 2: Daily Battle*
• Miraculous Warmth
• Call Me MT 2 – Multi-server version
• Angry Bird 2 – Yifeng Li’s Favorite*
• Baidu Music – A Music Player that has Downloads, Ringtones, Music Videos, Radio, and Karaoke
• DuoDuo Ringtone
• NetEase Music – An Essential for Radio and Song Download
• Foreign Harbor – The Hottest Platform for Oversea Shopping*
• Battle of Freedom (The MOBA mobile game)
• One Piece – Embark (Officially Authorized)*
• Let’s Cook – Recipes
• Heroes of Order & Chaos – Multiplayer Online Game*
• Dark Dawn – Under the Icing City (the first mobile game sponsored by Fan BingBing)*
• I Like Being With You*
• Himalaya FM (Audio Book Community)
• CarrotFantasy*
• Flush HD
• Encounter – Local Chatting Tool

* This app is currently not available on the App Store.

Source: Apple Inc.
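
The code-signature check Apple describes above can also be run by hand with Gatekeeper's `spctl` tool. The script below is an added example, not part of Apple's Q&A or this article; the function names and the `check_xcode.sh` file name are hypothetical, and the three accepted `source=` values follow Apple's published Xcode validation guidance.

```shell
#!/bin/sh
# Added example: check Xcode bundles with Gatekeeper's spctl (macOS only).

# Classify captured `spctl --assess --verbose` output. Constructed sample:
#   /Applications/Xcode.app: accepted
#   source=Mac App Store
# Prints a one-line verdict; returns 0 only for an Apple-signed Xcode.
classify_spctl_output() {
    out=$1
    # Verdict is the text after the last ": " on the first line.
    verdict=$(printf '%s\n' "$out" | sed -n '1s/^.*: //p')
    # Signing source is reported on its own "source=" line.
    src=$(printf '%s\n' "$out" | sed -n 's/^source=//p' | head -n 1)
    if [ "$verdict" != "accepted" ]; then
        echo "untrusted: verdict=${verdict:-none}"
        return 1
    fi
    case $src in
        "Mac App Store"|"Apple"|"Apple System")
            echo "trusted: $src"; return 0 ;;
        *)
            echo "untrusted: source=${src:-none}"; return 1 ;;
    esac
}

# Assess every Xcode*.app in a directory (default /Applications), so renamed
# side-by-side installs such as Xcode-beta.app are covered too.
audit_xcode_installs() {
    dir=${1:-/Applications}
    command -v spctl >/dev/null 2>&1 || { echo "spctl not found"; return 2; }
    rc=0
    for app in "$dir"/Xcode*.app; do
        [ -d "$app" ] || continue
        # spctl writes its verdict to stderr and exits non-zero on rejection.
        result=$(spctl --assess --verbose "$app" 2>&1) || true
        printf '%s -> ' "$app"
        classify_spctl_output "$result" || rc=1
    done
    return $rc
}

# Run the audit only when asked, e.g.: sh check_xcode.sh --audit /Applications
if [ "${1:-}" = "--audit" ]; then
    audit_xcode_installs "${2:-/Applications}"
fi
```

A non-zero exit from the audit means at least one bundle was rejected or signed by something other than Apple, which makes the script usable as a gate on build machines.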



    1. “A list of the top 25 most popular apps impacted are listed below. After the top 25 impacted apps, the number of impacted users drops significantly.”

      They clarify this. The list is longer.

    1. It’s not even Angry Birds, it’s Angry Bird (i.e. singular, no “s”) and with “Yifeng Li’s Favorite” in the name. Since we can’t actually look up that app now, it sounds like it’s a clone at best, not even an official localized version of the app.

      1. I don’t know about the ‘Angry Bird’ knockoff. But Rovio has indeed provided a game app called ‘Angry Birds 2’, plural. It’s legitimate. Quoting 9to5 Mac:

        Rovio has advised that only the version of Angry Birds 2 in the Chinese App Store was affected.

        Only the Chinese version is infected because the Chinese language translation was performed inside China using an XcodeGhost infected version of Xcode.

        It’s going to be extremely rare that any apps developed outside of China have been infected. The fake, infected version of Xcode has only been known to have been (illegally) distributed inside China.

  1. “Why would a developer put customers at risk by downloading counterfeit software?”

    Because I got an e-mail from Nigerian Prince and he is going to send me a $1,000,000 cashier’s check this Xcode software for free after I send him a cashier’s check for $5,000, that’s why. Can’t you understand the great deal I am getting???

  2. …because in Chinese there IS no plural form… Apparently (I’m not Chinese, but have friends/colleagues who are), they use modifier words to disambiguate, and only when necessary. When not an exact number, one would say several, or many of something. For example, “Windows 95” would be Many of Window 95…

  3. From the list of top 25, it is clear to me that these are all squarely targeting the Chinese market. Without actually looking at them, I wouldn’t be surprised if all of them were Chinese. If you aren’t a Chinese speaker, the likelihood that your phone has an infected app is virtually zero.

    This incident will be the most severe black eye on Apple’s security. Until now, it was rather easy to say that there was never ANY real malware in iOS App Store, compared to Android. That is no longer the case, so we are now arguing relative impact, and arguing with Android zealots is a colossal pain.

    That reminds me of a joke that is somewhat relevant:

    A man asks a woman: “If I offer you ten million dollars in cash to spend a night with me, would you accept the offer?” The woman thinks for a while and says yes. He then asks: “If I offer you $50, would you do this?” She responds: “What kind of question is that!!?? I am not a whore!!!” to which the man says: “We have already established that you are a whore when you agreed to fuck for money; we are now negotiating your price…”

    After a breach of this magnitude, we can no longer claim the absolute security; it is all now relative.

  4. After the map “fiasco”, Apple let go one of its top and arguably the most creative lieutenants.
    I expect, at the least, the top security officer for the App Store to be unceremoniously let go. Tim Cook was found asleep at the wheel here as well.

    Apple security is a strong enough myth and a brand worth in billions and decades of goodwill. I hate to see that being eroded with each passing day without any recoil.

    Why does it matter if it’s only the Chinese store and a handful of apps? Well, whoever designed XcodeGhost knew the security hole well, which may exist in all the Apple Stores globally. Just because it was found in the Chinese Store doesn’t mean it didn’t dawn on anybody else to try that on other stores without fanfare.

    Serious security hole, Apple; do take it seriously; let’s see some heads roll here.

  5. Apple already knows what Apps you’ve downloaded from their AppStore. Why don’t they send notices to everyone with one or more of these XcodeGhost Apps?

    Get in front of it Apple and show the competition the advantages of your closed eco-system.
