The Mac Security Blog

Malware

XcodeGhost Malware Infected 100+ Million iOS Users and Apple Said Nothing

Posted on May 10th, 2021 by Kirk McElhearn

Apple has long touted the apparent invulnerability of iOS devices to malware, and, overall, the platform is secure compared to others. However, an obscure malware that was found in 2015, and said at the time to have affected a few dozen apps, turns out to have had the potential to impact hundreds of millions of users. XcodeGhost, discovered in September 2015, spread through altered copies of Apple’s Xcode development environment, and, when iOS apps were compiled, third-party code was injected into those apps. Users downloaded infected apps from the iOS App Store, and more than 100 million users were affected.

Most of these apps were developed in China, and it is thought that people downloaded these compromised versions of Xcode because it was "faster to download than the free, official version on Apple’s App Store."
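Since XcodeGhost spread through altered copies of Xcode rather than through a flaw in iOS itself, the check a developer wants is whether the installed Xcode still carries Apple's own signature. The script below is an added example, not part of the original post or of Apple's guidance; it wraps macOS's `spctl --assess --verbose` and treats a bundle as genuine only if Gatekeeper accepts it and reports an Apple source. The bundle path and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether an Xcode.app
# bundle is Apple-signed, the kind of check that flags a tampered Xcode copy
# like the ones that carried XcodeGhost. Assumes macOS with spctl(8) and that
# Xcode lives at /Applications/Xcode.app unless another path is given.

# Parse spctl's verbose assessment text. Genuine only if the bundle is
# "accepted" AND the reported source is one Apple itself signs for.
# Returns 0 when the assessment looks genuine, 1 otherwise.
xcode_source_ok() {
    assessment="$1"
    case "$assessment" in
        *": accepted"*) ;;        # Gatekeeper must accept the bundle at all
        *) return 1 ;;            # rejected / unsigned / broken signature
    esac
    # Pull the first "source=..." line, e.g. "source=Mac App Store"
    src=$(printf '%s\n' "$assessment" | sed -n 's/^source=//p' | head -n 1)
    case "$src" in
        "Mac App Store"|"Apple"|"Apple System") return 0 ;;
        *) return 1 ;;            # accepted, but not signed by Apple (e.g. Developer ID)
    esac
}

# Assess a real bundle on a Mac and print a verdict. Returns 0 if genuine.
check_xcode() {
    bundle="${1:-/Applications/Xcode.app}"
    # Typical output: "/Applications/Xcode.app: accepted" then "source=Mac App Store"
    out=$(spctl --assess --verbose "$bundle" 2>&1)
    if xcode_source_ok "$out"; then
        echo "OK: $bundle is Apple-signed ($(printf '%s' "$out" | tr '\n' ' '))"
        return 0
    fi
    echo "WARNING: $bundle is not a genuine Apple-signed Xcode:"
    printf '%s\n' "$out"
    return 1
}
```

On a Mac, run `check_xcode` (optionally with a path) after sourcing the script; a WARNING verdict means the bundle should be discarded and Xcode re-downloaded from Apple.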

Documents revealed as part of the current trial of Fortnite vs. Apple show that in fact 128 million users downloaded the more than 2,500 infected apps, about two thirds of these in China. Popular apps such as WeChat, Didi Chuxing, and Angry Birds 2, among others, were infected by XcodeGhost.

The modified version of Xcode allowed the malware creators to add backdoors and surveillance software into apps. This software was then managed by command and control servers, and it could read and write data to and from the pasteboard on infected devices, and hijack certain URLs, leading victims to phishing websites.

Apple published an FAQ on its China website shortly after the discovery of XcodeGhost. It is no longer on the site, but an archived version is available here. One version of this FAQ, as reported by MacRumors on September 20, said that:

Customers will be receiving more information letting them know if they’ve downloaded an app/apps that could have been compromised. Once a developer updates their app, that will fix the issue on the user’s device once they apply that update.

However, archived versions of the page begin on September 25, 2015, so Apple seems to have quickly removed that statement about contacting users. As quoted by Vice, Apple was indeed considering contacting the 128 million users to notify them about the malware, but felt that this was difficult to do. Matt Fischer, then vice president for the App Store, wrote in an email, "Note that this will pose some challenges in terms of language localizations of the email, since the downloads of these apps took place in a wide variety of App Store storefronts around the world."

It’s hard to imagine that, because of the need to localize an email, Apple would have decided not to alert more than 100 million iOS users whom it knew had downloaded infected apps. Apple routinely localizes documents for all the languages in which it sells apps, and this would have been a question of a couple of hours of work for each language. Granted, there are a lot of languages, but Apple has a robust team of translators to do this type of work.

Fischer also commented on the time this mailing would take. "…we would likely have to spend up to a week sending these messages, so after localizing the emails (which will take several days) we’ll need at least a week for the send…" Deciding not to contact users because it would take at least a week to send emails seems like the wrong way to approach an issue like this, especially because the press would pick up on the information immediately, and relay it to users, who could then download clean copies of the apps.

Apple has long claimed – and rightly so – that iOS is very secure, so this decision to not notify more than 100 million users about potential security issues seems to have more to do with protecting the platform’s reputation than helping users stay safe. While the payload added to iOS apps turned out to not be very sophisticated, and, while Apple claimed that "We’re not aware of personally identifiable customer data being impacted and the code also did not have the ability to request customer credentials to gain iCloud and other service passwords," the extent of this malware raises many questions about Apple’s decision to not contact affected users.


How can I learn more?

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

We discussed XcodeGhost malware and more in episode 187 of the Intego Mac Podcast.

You can also subscribe to our e-mail newsletter and keep an eye here on Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Facebook, Instagram, Twitter, and YouTube.

About Kirk McElhearn

Kirk McElhearn writes about Apple products and more on his blog Kirkville. He is co-host of the Intego Mac Podcast, as well as several other podcasts, and is a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications. Kirk has written more than two dozen books, including Take Control books about Apple's media apps, Scrivener, and LaunchBar. Follow him on Twitter at @mcelhearn.