Apple: Developers Shut Off GateKeeper to Install Counterfeit Xcode


Apple has a list of the top 25 iPhone and iPad apps infected with XcodeGhost, and an explanation for how counterfeit versions of its Xcode tools were installed: developers in China intentionally shut off OS X's Gatekeeper feature. Without Gatekeeper running, there was no failsafe in place to alert developers that they were installing malware on their own computers.

Apple says developers shut off OS X's security failsafe before installing malware-loaded Xcode

XcodeGhost is malware that iOS developers in China inadvertently included in their iPhone and iPad apps. Apple began pulling the titles from the App Store last week after the malware was discovered, and then said it would start hosting its Xcode installers on local servers in China.

Some coders in China had turned to local sources for Apple's developer tools because downloading from Apple was a painfully slow process thanks to China's efforts to restrict Internet access outside of the country.

Apple included the list of apps in an XcodeGhost FAQ on its website. Here's the list as of Thursday, September 24:

  • WeChat
  • DiDi Taxi
  • 58 Classified - Job, Used Cars, Rent
  • Gaode Map - Driving and Public Transportation
  • Railroad 12306
  • Flush
  • China Unicom Customer Service (Official Version)
  • CarrotFantasy 2: Daily Battle
  • Miraculous Warmth
  • Call Me MT 2 - Multi-server version
  • Angry Bird 2 - Yifeng Li's Favorite
  • Baidu Music - A Music Player that has Downloads, Ringtones, Music Videos, Radio, and Karaoke
  • DuoDuo Ringtone
  • NetEase Music - An Essential for Radio and Song Download
  • Foreign Harbor - The Hottest Platform for Oversea Shopping
  • Battle of Freedom (The MOBA mobile game)
  • One Piece - Embark (Officially Authorized)
  • Let's Cook - Receipes
  • Heroes of Order & Chaos - Multiplayer Online Game
  • Dark Dawn - Under the Icing City (the first mobile game sponsored by Fan BingBing)
  • I Like Being With You
  • Himalaya FM (Audio Book Community)
  • CarrotFantasy
  • Flush HD
  • Encounter - Local Chatting Tool

The apps on the list have either been updated so they're XcodeGhost-free, or have been pulled from the App Store. According to Apple, the malware was capable of collecting general system information and general app information. Personal data wasn't being harvested.

Apple's take on how XcodeGhost was able to get by OS X's security measures is interesting because the company says it shouldn't have happened. According to Apple,

Apple incorporates technologies like Gatekeeper expressly to prevent non-App Store and/or unsigned versions of programs, including Xcode, from being installed. Those protections had to have been deliberately disabled by the developer for something like XcodeGhost to successfully install.

That means some developers in China intentionally turned off Gatekeeper so they could install Apple's coding tools after downloading them from non-Apple sources.
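As an added example (not the article's or Apple's own code), here is a small POSIX shell check for the two things the article says went wrong: whether Gatekeeper is enabled (`spctl --status`) and whether the installed Xcode assesses as Apple-signed (`spctl --assess --verbose`). It assumes Xcode lives at /Applications/Xcode.app; the sample command outputs are constructed so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the article or from Apple): parse the output of the
# two macOS Gatekeeper commands so a script can flag the two conditions the
# article describes: Gatekeeper switched off, and an Xcode.app that does not
# assess as Apple-signed.

# gatekeeper_on OUTPUT -> 0 if `spctl --status` reported "assessments enabled"
gatekeeper_on() {
  case "$1" in
    *"assessments enabled"*) return 0 ;;
    *) return 1 ;;
  esac
}

# xcode_trusted OUTPUT -> 0 only if `spctl --assess --verbose` said "accepted"
# AND the signing source is Apple's own (Mac App Store / Apple / Apple System);
# a counterfeit Xcode is either rejected or carries some other source.
xcode_trusted() {
  case "$1" in
    *": accepted"*) ;;
    *) return 1 ;;
  esac
  case "$1" in
    *"source=Mac App Store"*|*"source=Apple"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample outputs (not captured from a real machine) for offline use.
GOOD_STATUS="assessments enabled"
BAD_STATUS="assessments disabled"
GOOD_ASSESS="/Applications/Xcode.app: accepted
source=Mac App Store"
BAD_ASSESS="/Applications/Xcode.app: rejected
source=no usable signature"

# check_live: run the real commands on a Mac (assumes Xcode at /Applications/Xcode.app)
check_live() {
  command -v spctl >/dev/null 2>&1 || { echo "spctl not found; not macOS"; return 2; }
  gatekeeper_on "$(spctl --status 2>&1)" || { echo "FAIL: Gatekeeper is disabled"; return 1; }
  xcode_trusted "$(spctl --assess --verbose /Applications/Xcode.app 2>&1)" \
    || { echo "FAIL: Xcode.app is not assessed as Apple-signed"; return 1; }
  echo "OK: Gatekeeper on and Xcode.app assessed as Apple-signed"
}

# Only touch the live system when explicitly asked: ./check.sh --live
if [ "${1-}" = "--live" ]; then check_live; fi
```

Run with `--live` on the Mac in question; without the flag only the functions and constructed samples are defined.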

Now we know how counterfeit versions of Xcode were installed, but what we don't know is why the infected iOS apps slipped through Apple's screening process. So far, Apple is staying tight-lipped on the subject.

The Mac Observer Spin

Developers downloaded Xcode from non-Apple servers and disabled Gatekeeper. How could they not expect to be writing malware-laden apps? Still, that doesn't let Apple off the hook for failing to catch the infected titles.

Apple should go medieval on these morons. Drop them as registered developers. Don’t accept their apps. Purge the ones that are already there. Maybe Apple has been a bit naive by trusting the developers to do the right thing. But I don’t think it’s too much to ask for basic code hygiene.


Hmmm, I wonder if Apple could add a self check to Xcode, if Xcode is modified it can’t compile apps. On the other hand, how stupid can you be to disable Gatekeeper permanently!!


Basically you are blaming Apple for not thinking a few developers might be moronic in going around their safeguards - how do you out-think the incredibly stupid? You can’t. It’s like people who jailbreak their phones just so they can change the UI and then whine when they download malware. Or people who sue you for hurting themselves while trying to rob you. But look, at the end of the day, they couldn’t get around Apple’s second layer of security to send out personal info; the info they grabbed could pretty much be found in appAnnie reports. This is not exactly like the stolen fingerprint DB ...

Graham McKay

Not having anything to do with the developer program I don’t know how the screening process works for submitted apps. But if they are in a compiled format it must be quite hard to run checks for embedded malware. So presumably those checks have made an assumption about code tagged as being directly from Xcode.

Nobody should be claiming the App Store (aka walled garden) approach is impenetrable to malware - the best we can say is that it’s a lot (lot lot) better than trying to guess which web sites have “clean” apps!
