iOS App Store flat

Apple has admitted that it is App Store integrity was compromised as apps were secretly infected by fake Xcode tools before submission to the App Store. The company has now officially acknowledged the problem and is now removing apps affected by this ‘hack’ from the App Store.

Developers were inadvertently submitting malware by using counterfeit versions of Xcode, Apple’s development software, to submit apps. The fake Xcode, dubbed XcodeGhost, would inject malicious code into otherwise-legitimate apps during the submission process.

Apple provided the following statement to Reuters:

“We’ve removed the apps from the App Store that we know have been created with this counterfeit software,” Apple spokeswoman Christine Monaghan said in an email. “We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.”

The hackers were somehow convinced developers to use its version of the Xcode tools rather than Apple’s official software (which is available to download for free on the Mac App Store). One theory is that Apple’s servers are slow to download from in China, so developers used this alternative ‘mirror’ (unaware of its true credibility) download for convenience and speed.

Affected apps included versions of WeChat, a very popular messaging app in China. One Chinese security firm said it found 344 apps infected by XcodeGhost but Apple declined to confirm the number. Apps built with XcodeGhost will secretly send device information back to the hackers as well as initiate phishing attacks for more sensitive user credentials.

Most of the apps impacted are targeted at the Chinese market but some, like WeChat, have international appeal. iPhone and iPad users should update their apps immediately to ensure they are on the latest version. It is also good practice to change your iCloud and other account passwords, in case you have accidentally fell victim to one of these phishing attempts.

Update: WeChat reached out to inform us that WeChat version 6.2.6 and later is not affected by the XcodeGhost vulnerability. You can download the latest (clean) version of the app from the App Store now. You can read their full statement on their blog.

FTC: We use income earning auto affiliate links. More.

Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Benjamin Mayo

Benjamin develops iOS apps professionally and covers Apple news and rumors for 9to5Mac. Listen to Benjamin, every week, on the Happy Hour podcast. Check out his personal blog. Message Benjamin over email or Twitter.