Apple has admitted that it is App Store integrity was compromised as apps were secretly infected by fake Xcode tools before submission to the App Store. The company has now officially acknowledged the problem and is now removing apps affected by this ‘hack’ from the App Store.
Developers were inadvertently submitting malware by using counterfeit versions of Xcode, Apple’s development software, to submit apps. The fake Xcode, dubbed XcodeGhost, would inject malicious code into otherwise-legitimate apps during the submission process.
Apple provided the following statement to Reuters:
“We’ve removed the apps from the App Store that we know have been created with this counterfeit software,” Apple spokeswoman Christine Monaghan said in an email. “We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.”
The hackers were somehow convinced developers to use its version of the Xcode tools rather than Apple’s official software (which is available to download for free on the Mac App Store). One theory is that Apple’s servers are slow to download from in China, so developers used this alternative ‘mirror’ (unaware of its true credibility) download for convenience and speed.
Affected apps included versions of WeChat, a very popular messaging app in China. One Chinese security firm said it found 344 apps infected by XcodeGhost but Apple declined to confirm the number. Apps built with XcodeGhost will secretly send device information back to the hackers as well as initiate phishing attacks for more sensitive user credentials.
Most of the apps impacted are targeted at the Chinese market but some, like WeChat, have international appeal. iPhone and iPad users should update their apps immediately to ensure they are on the latest version. It is also good practice to change your iCloud and other account passwords, in case you have accidentally fell victim to one of these phishing attempts.
Update: WeChat reached out to inform us that WeChat version 6.2.6 and later is not affected by the XcodeGhost vulnerability. You can download the latest (clean) version of the app from the App Store now. You can read their full statement on their blog.