Illustration by Max Fleishman

How malware-ridden apps snuck onto Apple’s App Store

Developers unwittingly sabotaged their own apps

 

Mike Wehner

Tech

Published Sep 21, 2015. Updated Feb 29, 2020, 7:20 pm CST

Apple’s notoriously strict App Store approval process has served the company well in the past and kept the shop relatively safe from malicious apps as well as security and privacy woes. That changed over the weekend, when the digital storefront suffered a huge dent in its armored walls, but before you conjure up images of hackers breaching Apple’s servers and embedding apps with bad code, it’s important to fully understand how it all went down.

What is it?

The malware that was discovered in dozens of iOS apps is called XcodeGhost. Much of how it actually functions once it’s inside your iPhone or iPad isn’t exactly clear, but according to security firm Palo Alto Networks, the malware’s primary purpose is to send the user’s information to a server controlled by the attackers themselves.

How did this happen?

The first important point here is that no app in the App Store was compromised after it was already on the shop. The store itself wasn’t directly breached by any party, and the apps that were affected by the XcodeGhost malware were actually already infected before they were submitted to Apple for approval.

The attack itself actually began with compromised versions of the iOS development software, called Xcode. The hackers seeded out unofficial builds of the software with the hopes that developers would be fooled into downloading them from unverified sources, and that’s exactly what happened.

Many developers unwittingly downloaded the infected versions of Xcode, built apps, and then submitted them. The malicious development software added the malware to the apps before submission, and neither the developer nor Apple was able to spot it before publishing the affected apps on the store.
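The defensive counterpart to the attack described above is to verify that the Xcode you are building with is the copy Apple signed, not a repackaged one from a mirror. The script below is an added example and is not part of the article; it wraps the Gatekeeper assessment (`spctl --assess --verbose /Applications/Xcode.app`) that Apple published for exactly this purpose and classifies the verdict. The function names `is_trusted_xcode_verdict` and `check_xcode_install` are my own, the three trusted origin strings are taken from Apple's guidance, and the sample verdict strings in the demonstration are constructed to show the shape of the output rather than captured from a real machine.

```shell
#!/bin/sh
# Added example, not from the article: a Gatekeeper-based check that an
# installed Xcode is the Apple-signed build rather than a repackaged copy
# from a mirror or torrent. It wraps the assessment Apple published after
# XcodeGhost:
#     spctl --assess --verbose /Applications/Xcode.app
# A genuine install is reported as "accepted" with a source line naming
# one of Apple's own distribution channels. The three origin strings below
# are taken from that guidance; everything else (rejected, unsigned, or a
# third-party Developer ID) is treated as untrusted. A copy whose contents
# were altered after Apple signed it no longer passes this assessment.

# is_trusted_xcode_verdict VERDICT_TEXT
#   Parses spctl output (the origin may sit on the same line or the next)
#   and returns 0 only for an accepted verdict from an Apple-trusted origin.
is_trusted_xcode_verdict() {
    verdict="$1"

    # Gatekeeper must have accepted the bundle at all.
    case "$verdict" in
        *": accepted"*) ;;
        *) return 1 ;;
    esac

    # Pull the value after "source=" from whichever line carries it.
    origin=$(printf '%s\n' "$verdict" | sed -n 's/.*source=\(.*\)$/\1/p' | head -n 1)

    case "$origin" in
        "Mac App Store"|"Apple System"|"Apple") return 0 ;;
        *) return 1 ;;
    esac
}

# check_xcode_install [APP_PATH]
#   Runs the assessment on a macOS machine (spctl is macOS-only) and reports.
#   Exit codes: 0 trusted, 1 untrusted, 2 the check could not run here.
check_xcode_install() {
    app="${1:-/Applications/Xcode.app}"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not found: this check only runs on macOS" >&2
        return 2
    fi
    out=$(spctl --assess --verbose "$app" 2>&1)
    if is_trusted_xcode_verdict "$out"; then
        echo "OK: $app carries Apple's signature"
        return 0
    fi
    echo "WARNING: $app is not an Apple-signed build; do not ship apps built with it" >&2
    printf '%s\n' "$out" >&2
    return 1
}

# Demonstration on constructed sample verdicts (not output captured from a
# real machine): the shape of a genuine install versus a tampered copy whose
# modified bundle no longer validates.
for sample in \
    "/Applications/Xcode.app: accepted
source=Mac App Store" \
    "/Applications/Xcode.app: rejected
source=no usable signature"
do
    if is_trusted_xcode_verdict "$sample"; then
        echo "trusted:   $(printf '%s' "$sample" | tr '\n' ' ')"
    else
        echo "untrusted: $(printf '%s' "$sample" | tr '\n' ' ')"
    fi
done
```

Run `check_xcode_install` on the build machine (or in CI before the archive step) so that a build from an Xcode that fails the assessment is stopped before it is ever submitted; the parsing is kept separate from the `spctl` call so the classification can be exercised on saved output from any platform.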

How serious is it?

At this point, it’s hard to tell. The majority of affected apps originated in China, including the extremely popular WeChat messaging app. Right now, there’s no way of knowing exactly how much information the malware was able to gather before it was discovered, so the true scope of the attack may not be fully grasped for weeks. At present, Apple is pulling all affected apps from the store entirely. 

Who is to blame?

Two things had to happen for this attack to take place: Developers had to download an unofficial copy of Xcode—which is obviously a horrible idea—and Apple had to miss the malware when approving the app for sale on its store.

Many have suggested that one reason developers, particularly in China, resorted to unofficial download sources is poor download speeds from Apple’s servers in the country. If an unofficial torrent or shady website host is several times faster than Apple’s own freely available Xcode download source, the desire for convenience may have cost the affected developers dearly.

Apple’s “walled garden” of apps has been the subject of both criticism and praise, but in this particular instance it simply wasn’t walled enough.

What apps were affected?

Here’s the full list of affected apps as of right now:

  • ????? 2.8.3
  • ?? 6.2.5
  • ????? 5.1.1463
  • ???? 4.0.0.6-4.0.0.0
  • ???? 3.9.7.1 – 3.9.7
  • ??12306 4.5
  • ??? 4.3.2
  • 51???? 5.0.1
  • ???????? 3.3.12
  • ????????? 3.2
  • ???? 7.3.8
  • ?? 2.9.1
  • ?? 1.8.0
  • Lifesmart 1.0.44
  • ????? 4.2.8
  • ???? 1.1.0
  • ??? 1.12.1
  • ???? 4.3.8
  • ???? 1.6.0
  • ??? 9.60.01
  • ????? 7.73
  • ????
  • ????
  • ????
  • CamScanner
  • CamCard
  • SegmentFault 2.8
  • ?????
  • ????
  • ???
  • ????
  • OPlayer 2.1.05
  • ??????? 3.6.5
  • ?????2 2.1.1
  • ????? 1.2
  • ?? 6.6.6
  • ??MT 5.0.1
  • ??MT 2 1.10.5
  • ???? 1.1.0
  • Mercury
  • WinZip
  • Musical.ly
  • PDFReader
  • guaji_gangtai en
  • Perfect365
  • ?????
  • PDFReader Free
  • WhiteTile
  • IHexin
  • WinZip Standard
  • MoreLikers2
  • CamScanner Lite
  • MobileTicket
  • iVMS-4500
  • OPlayer Lite
  • QYER
  • golfsense
  • ???
  • ting
  • installer
  • ???
  • golfsensehd
  • Wallpapers10000
  • CSMBP-AppStore
  • ????
  • MSL108
  • ChinaUnicom3.x
  • TinyDeal.com
  • snapgrab copy
  • iOBD2
  • PocketScanner
  • CuteCUT
  • AmHexinForPad
  • SuperJewelsQuest2
  • air2
  • InstaFollower
  • CamScanner Pro
  • baba
  • WeLoop
  • DataMonitor
  • ??
  • MSL070
  • nice dev
  • immtdchs
  • OPlayer
  • FlappyCircle
  • ????
  • BiaoQingBao
  • SaveSnap
  • WeChat
  • Guitar Master
  • jin
  • WinZip Sector
  • Quick Save
  • CamCard

We’ll keep this list updated as more are discovered, and if you see any app on this list that you happen to have on your phone, your best bet is to delete it and then wait for the developer to announce that a clean version is up and running. 

First Published: Sep 21, 2015, 3:43 pm CDT