Legitimate Chinese developers used compromised Xcode that infected hundreds of apps capable of leaking personal information to hackers.

  • Apple confirms it is in the process of removing “XcodeGhost” code embedded in hundreds of Chinese-developed apps.
  • Hackers cloned a counterfeit version of Apple’s software for building iOS apps, then persuaded developers to use it.
  • Hardly anyone cracks an “Apple eats humble pie” pun as the headline.
    • Millions wonder why.


In what has been widely reported, and widely believed, to be the first successful major attack on Apple’s App Store, Apple has been forced to remove over 300 apps infected with hidden malware in quick succession from its Chinese App Store. The apps began to be removed on Sunday night in direct response to alarm bells raised by several cyber and antivirus security companies.

Apple moved fast to remove and contain the damage caused by the malicious XcodeGhost code that had been embedded in scores of legitimate apps. It is feared, however, that significant damage may already have been done.

The XcodeGhost code was reported as being included in several very popular iOS apps. The Chinese version of Angry Birds 2, version 6.2.5 of WeChat, CamScanner, and a music download app developed by NetEase were just four of the apps found to contain code that one security firm flagged as malware. By the time it was discovered, the 300 or so affected apps had potentially been “downloaded by hundreds of millions of iPhone and iPad users.” The apps affected were apparently those primarily written and released in China itself.

What is XcodeGhost?

XcodeGhost is pretty much what you’d expect: malicious code hidden within legitimate code that, when activated, tried to turn iPhones, iPads and several other iOS devices into part of a global information-gathering botnet capable of stealing both standard and personal information from users.

Apple’s high standards

The news should trouble Apple consumers, as Apple spends significant resources, time, and revenue checking and approving each and every submission to its App Stores worldwide. Apple’s security testers completely missed the threat, and that should come as both a surprise and a warning to consumers. The App Store is supposed to act like a walled garden against malware, making it virtually impossible for suspicious or poor-quality software to get through the vetting process. Prior to this attack, only a handful of malicious apps had managed to work their way into the store, in an environment where even legitimate apps have a hard time getting in.

So how did this happen then?

Legitimate Apple iOS developers are supposed to use Apple’s official programming tool, known as Xcode. Apps written with the official tool are not affected by the attack. The problem, according to the Guardian, lies in the fact that Chinese authorities’ censorship of the web means that Chinese iOS developers find it difficult and time consuming to download Xcode from Apple’s international download servers. The latest version of Xcode, Xcode 7.1, is just under 5 gigabytes in size, so Chinese developers went looking for alternative sources inside China to get their hands on it.

At least one of these alternative versions of Xcode 7.1 had the original XcodeGhost embedded within it. According to several tech websites, developers had to bypass several warnings from the Apple security feature known as “Gatekeeper” in order to use the infected Xcode.
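Gatekeeper’s verdict on an installed copy of Xcode can also be read from the command line with `spctl`, which is how a developer (or a build-server check) can confirm the tool is Apple-signed rather than a repackaged download. The script below is an added example, not from the article or from Apple; it assumes `spctl` is available on macOS and uses constructed sample output in the format `spctl --assess --verbose` prints.

```shell
#!/bin/sh
# Added example: classify a Gatekeeper assessment of Xcode.app.
# A genuine Xcode reports "accepted" with an Apple or Mac App Store source;
# a repackaged copy is "rejected" or carries a non-Apple source.

# Returns 0 when the assessment text describes a genuine Xcode, 1 otherwise.
assessment_is_genuine() {
  text="$1"
  printf '%s\n' "$text" | grep -q ': accepted$' || return 1
  printf '%s\n' "$text" | grep -Eq '^source=(Mac App Store|Apple System|Apple)$' || return 1
  return 0
}

# Runs the assessment on a real machine (spctl assumed present, macOS only).
check_installed_xcode() {
  app="${1:-/Applications/Xcode.app}"
  out=$(spctl --assess --verbose "$app" 2>&1) || { printf '%s\n' "$out"; return 1; }
  assessment_is_genuine "$out"
}

# Constructed sample outputs (not captured from a real incident):
GENUINE_OUTPUT='/Applications/Xcode.app: accepted
source=Mac App Store'
REPACKAGED_OUTPUT='/Applications/Xcode.app: rejected
source=no usable signature'
```

Run `check_installed_xcode` on a build machine; a non-zero exit means the copy of Xcode should not be used to ship apps.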

That Apple’s much-vaunted Gatekeeper warnings and its own security testers failed to connect the dots will no doubt feature in Apple’s own internal investigation into just how simple it was to compromise the App Store.