
Hundreds of apps infected by fake Xcode tools, Apple removing known malicious software from App Store

Apple has admitted that its App Store integrity was compromised: apps were secretly infected by fake Xcode tools before submission to the App Store. The company has now officially acknowledged the problem and is removing apps affected by this ‘hack’ from the App Store.

Developers were inadvertently submitting malware by using counterfeit versions of Xcode, Apple’s development software, to build and submit their apps. The fake Xcode, dubbed XcodeGhost, injected malicious code into otherwise-legitimate apps during the submission process.

Apple provided the following statement to Reuters:

“We’ve removed the apps from the App Store that we know have been created with this counterfeit software,” Apple spokeswoman Christine Monaghan said in an email. “We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.”

The hackers somehow convinced developers to use their version of the Xcode tools rather than Apple’s official software (which is free to download from the Mac App Store). One theory is that downloads from Apple’s servers are slow in China, so developers used this alternative ‘mirror’ download for convenience and speed, unaware that it was not a genuine copy.
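A developer-side check of the kind this incident calls for, added here as an example that is not from the article or from Apple: a small POSIX shell function that classifies the Gatekeeper verdict printed by `spctl --assess --verbose` for an Xcode bundle. It assumes that spctl prints `accepted` or `rejected` followed by a `source=` line, and that a genuine Xcode reports its source as the Mac App Store or Apple; the function names and verdict labels are my own.

```shell
#!/bin/sh
# Added example (not from the article or Apple). Classifies the output of
# `spctl --assess --verbose <bundle>` so that a build host can refuse to
# use an Xcode that Gatekeeper does not attribute to Apple.
#
# Assumed output shape (two lines), e.g.:
#   /Applications/Xcode.app: accepted
#   source=Mac App Store
# Assumed trusted sources for Xcode: "Mac App Store", "Apple", "Apple System".

# xcode_verdict OUTPUT -> prints "genuine", "tampered" or "unknown"
xcode_verdict() {
    out=$1
    case "$out" in
        *rejected*)
            # no usable signature, or the signature does not verify
            echo tampered ;;
        *accepted*"source=Mac App Store"|*accepted*"source=Apple System"|*accepted*"source=Apple")
            # accepted and attributed to Apple's own distribution channels
            echo genuine ;;
        *accepted*)
            # accepted by Gatekeeper, but signed by some other identity
            # (e.g. a Developer ID): not Apple's build of Xcode
            echo tampered ;;
        *)
            echo unknown ;;
    esac
}

# check_xcode [PATH] -> exit status 0 only if Gatekeeper reports a genuine
# Xcode. Runs spctl, so this part only works on a Mac.
check_xcode() {
    app=${1:-/Applications/Xcode.app}
    # spctl exits non-zero on rejection; capture the text regardless
    out=$(spctl --assess --verbose "$app" 2>&1) || true
    [ "$(xcode_verdict "$out")" = genuine ]
}
```

On a build machine, `check_xcode /Applications/Xcode.app || exit 1` in the CI bootstrap script stops a rejected or re-signed Xcode from ever producing a release build.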

Affected apps included versions of WeChat, a very popular messaging app in China. One Chinese security firm said it found 344 apps infected by XcodeGhost but Apple declined to confirm the number. Apps built with XcodeGhost will secretly send device information back to the hackers as well as initiate phishing attacks for more sensitive user credentials.

Most of the apps impacted are targeted at the Chinese market, but some, like WeChat, have international appeal. iPhone and iPad users should update their apps immediately to ensure they are on the latest version. It is also good practice to change your iCloud and other account passwords, in case you have accidentally fallen victim to one of these phishing attempts.

Update: WeChat reached out to inform us that WeChat version 6.2.6 and later is not affected by the XcodeGhost vulnerability. You can download the latest (clean) version of the app from the App Store now. You can read their full statement on their blog.


You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

  1. Steve32 - 9 years ago

    Why would anyone download Xcode from some random website when Apple offers it for free? I think the developers should be fined in the future if they make silly decisions like this.

    • I totally agree with you. Why the heck would somebody go and download an app from a bad website, when the real version is free! It’s the developers fault. They should be kicked off the app store!

      • jiangjie (@Bungyto) - 9 years ago

        I agree with you that developers should be to blame, but APPLE is also responsible for offering faster network access from China mainland to itunesconnect.com and developer.apple.com

    • nerdafk - 9 years ago

      Because the stupid Chinese Communist Party has made internet speed painfully slow if you try to download Xcode directly from Apple server.

      • rogifan - 9 years ago

        That’s no excuse.

    • cc (@ccinuse) - 9 years ago

      Because everyone, including the developer who downloaded the compromised Xcode, believed that the DMG file has some checksum method to ensure the apps are signed — there is Gatekeeper in OS X, which is designed to protect them from unsigned binaries.

  2. standardpull - 9 years ago

    I can see ignorant users being duped into downloading, installing, and running application software from an unknown source. End users are ignorant, and are easily tricked by social networking methods. The old “install this cool app from this cool web site” fools millions of kids every day.

    But to fool DEVELOPERS? That is unthinkable. Developers are supposed to be smart enough to use only trusted, signed, and validated tools. And they’re supposed to work in a controlled and secured environment. For developers to install and use a fake code development platform is unthinkable. Any developer using such tools is, in a word, inept. And that would include the management that produced WeChat.

    • myke2241 - 9 years ago

      I think the devs that used these fake tools should be publicly confronted. I think this is a matter of common sense and if these devs can’t demonstrate the ability to make reasonable decisions we honestly should avoid them.

  3. Iven Tenz (@ivenalot) - 9 years ago

    I’d understand if Apple charges 39.99$ for Xcode to buy on the Mac App Store, but it’s for FREE! Why would you use a Torrent or Mirror?

  4. Metl Mann - 9 years ago

    So what about the apps that are already on phones and pads? How do those get removed?

  5. elilabes - 9 years ago

    As a developer myself and living in New Zealand where our ISP is well shit… I can understand slow downloads from Apple’s servers, but I would never build any production app on such software and especially not a public release build. It’s common sense and I don’t understand how a company like WeChat fell victim. Yes, sometimes downloads are slow, but you need to deal with it.

  6. Dan Uff - 9 years ago

    I think Apple should suspend those developers that offered said Malware if they know who used the offending Xcode.

  7. sardonick - 9 years ago

    Now if you could just stop the chinese prats from creating dozens of fake names and selling the same software with different descriptions and price points, that might clean things up a bit too. Then again, you couldn’t tell everyone how many apps you have, cuz you’d have to recount and be honest.

  8. mytawalbeh - 9 years ago

    How could they (supposed to be smart) download Xcode from a mirror source instead of the App Store, for free!, just to save a couple of hours or minutes!? Excuse me, but this is stupid fool behavior.

  9. This is why we need to stop using Chinese made apps. Like WeChat. Their apps have been targets of recent malware attacks and now it shows just how careless Chinese devs are. For all we know, China’s Communist Party is listening in from all these communications apps people use.

  10. This is why we need to stop using Chinese made apps. Like WeChat. Their apps have been targets of recent malware attacks and now it shows just how careless Chinese devs are. For all we know, CCP is listening in from all these communications apps people use.

  11. mahmudf2014 - 9 years ago

    Why don’t you blame Apple? These developers’ intention could’ve been different. They could’ve wanted to put these malwares on users’ phones. Apple should have rejected these apps. We’re using iOS to protect ourselves without doing anything. So this is not looking good. On the other hand, this is the developer’s fault, but how could a user know this? We trust Apple because they check every single app for malware and use of private APIs or things like that. So the user can’t know if the developer uses the right or the wrong tools to develop an app or uses the right APIs. The only thing a user can do is to trust Apple. How did apps pass the strict control of Apple? This question is the only thing that matters.

    • tush4r - 9 years ago

      Agree,

      But don’t rely much on it. Apple App testing is entirely autonomous, and I can recall an incident where an application was approved for the App Store but was freezing on the user devices.

  12. tush4r - 9 years ago

    A whole lot of demotivation for the developers. If you say that it is only the fault of developers, then you are wrong. We aren’t Gods, but humans, and humans make mistakes. The end-user is always complaining about a feature, bug, and what not, even in a free app. Also, whenever they fall for a hacking trap, security/product companies are blamed but not their common sense that lured them into becoming a victim. Tell me, would you call a bank’s website security weak when you yourself made the credentials public?
    We talk about privacy/security all the time, but hardly anyone takes them seriously. Non-techs, there is a big world you aren’t even aware of.

    Sorry for the language, these comments made me go mad because we people work really hard to produce an app.

  13. Rocwurst (@Rocwurst) - 9 years ago

    344 apps were affected but thanks to iOS’s industry-leading sandboxing and security architecture, no financial or other serious consequences are known to have befallen those who installed them.

    Contrast this with the 65,557 malicious strains of malware that infected 32 million hapless Android users in 2012 alone, siphoning hundreds of millions of dollars from their accounts, turning their phones into zombie premium texters etc. Not to mention the 950 million Android devices around the world affected by the devastating Stagefright vulnerability requiring only a simple MMS message to exploit.

    XcodeGhost is regrettable, but pretty small cheese in the world of malware.

    • Tony Ko - 8 years ago

      You probably only read 9to5mac for your information. From what I see, those Play Store apps that have “malware” in them are not exploiting any sort of security exploit, but rather use USER permission, after being shown a permissions page, to ‘infect’. You can also bring up the 100k Jailbreak identity thefts not too long ago. But you probably have an excuse for them?

      Not to mention ASLR (memory Address Space Layout Randomization) in Android 4.1+, effectively makes stagefright compilations a per unique device per compile exploit.

      Not to mention, there are no public infections of Stagefright.

      Not to mention, ‘siphoning hundreds of millions of dollars from their accounts’ is pure bullshit. Identity information was stolen.

      :/

  14. degraevesofie - 9 years ago

    “The hackers were somehow convinced developers to use …” : extraneous “were”?

  15. Mark Granger - 9 years ago

    What the heck happened to code signing? How can a fake version of Xcode even exist? The real story here is that there has been a very serious security violation of Apple’s secret code signing keys. Part of the code signing should include the code signing for Xcode. That way, if Xcode is modified and the key does not match the version of Xcode that was used and agree with the one on Apple’s servers, you cannot upload an app to iTunes Connect.

  16. Pedro Coimbra - 9 years ago

    Although the major offence was done by external people not knowing better (developers, of all people!), there are 2 questions that should be asked of Apple:

    1. How did the hackers manage to reverse engineer not an app, but an entire developer kit; and if they didn’t, then they got hold of the source code, and again, how the hell did they do that?

    2. Doesn’t Apple check and test all apps before approving them for the App Store? How did those corrupted apps get through?

  17. lookats (@lookats_) - 9 years ago

    They should have been banned for 5 years from the App Store. This is so silly; why do you go downloading Xcode from a third-party website? I don’t think it was an accident.

  18. abhikhatri391 - 9 years ago

    That’s totally nuts, I don’t know how devs can take that much risk :P

  19. escaperout3 - 9 years ago

    I wonder if part of it is because Apple restricts beta versions of Xcode to paying devs. Some people that might want to try making apps for iOS 9 could’ve downloaded the Xcode beta to start writing an app, then when they noticed that it made sense they paid the $99 to release but used the same old Xcode that was infected. Otherwise, yeah, I agree it doesn’t make sense to not download from Apple.

Author

Benjamin Mayo

Benjamin develops iOS apps professionally and covers Apple news and rumors for 9to5Mac. Listen to Benjamin, every week, on the Happy Hour podcast. Check out his personal blog. Message Benjamin over email or Twitter.