Apple: Developers Shut Off Gatekeeper to Install Counterfeit Xcode

Apple has a list of the top 25 iPhone and iPad apps infected with XcodeGhost, and an explanation for how counterfeit versions of its Xcode tools were installed: developers in China intentionally shut off OS X's Gatekeeper feature. Gatekeeper refuses to open downloaded software that does not carry a signature Apple recognizes, so a repackaged Xcode would normally have been blocked; with Gatekeeper off, nothing warned developers that they were installing malware on their own computers.

Apple says developers shut off OS X's security failsafe before installing malware-loaded Xcode

XcodeGhost is malware that iOS developers in China inadvertently included in their iPhone and iPad apps. Apple began pulling the titles from the App Store last week after the malware was discovered, and then said it would start hosting its Xcode installers on local servers in China.

Some coders in China had turned to local sources for Apple's developer tools because downloading from Apple was a painfully slow process thanks to China's efforts to restrict Internet access outside of the country.

Apple included the list of apps in an XcodeGhost FAQ on its website. Here's the list as of Thursday, September 24:

  • WeChat
  • DiDi Taxi
  • 58 Classified - Job, Used Cars, Rent
  • Gaode Map - Driving and Public Transportation
  • Railroad 12306
  • Flush
  • China Unicom Customer Service (Official Version)
  • CarrotFantasy 2: Daily Battle
  • Miraculous Warmth
  • Call Me MT 2 - Multi-server version
  • Angry Bird 2 - Yifeng Li's Favorite
  • Baidu Music - A Music Player that has Downloads, Ringtones, Music Videos, Radio, and Karaoke
  • DuoDuo Ringtone
  • NetEase Music - An Essential for Radio and Song Download
  • Foreign Harbor - The Hottest Platform for Oversea Shopping
  • Battle of Freedom (The MOBA mobile game)
  • One Piece - Embark (Officially Authorized)
  • Let's Cook - Receipes
  • Heroes of Order & Chaos - Multiplayer Online Game
  • Dark Dawn - Under the Icing City (the first mobile game sponsored by Fan BingBing)
  • I Like Being With You
  • Himalaya FM (Audio Book Community)
  • CarrotFantasy
  • Flush HD
  • Encounter - Local Chatting Tool

The apps on the list have either been updated so they are XcodeGhost-free, or have been pulled from the App Store. According to Apple, the malware was capable of collecting general system information and general app information. Personal data wasn't being harvested.

Apple's take on how XcodeGhost was able to get by OS X's security measures is interesting because the company says it shouldn't have happened. According to Apple,

Apple incorporates technologies like Gatekeeper expressly to prevent non-App Store and/or unsigned versions of programs, including Xcode, from being installed. Those protections had to have been deliberately disabled by the developer for something like XcodeGhost to successfully install.

That means some developers in China intentionally turned off Gatekeeper so they could install Apple's coding tools after downloading them from non-Apple sources.
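For a developer who wants to confirm that Gatekeeper is still on and that the Xcode on the machine is the copy Apple signed, here is an added example (not code from the article or from Apple) that wraps the standard OS X tools spctl and codesign. The install path and the sample tool outputs below are assumptions; the important caveat it encodes is that "accepted" alone is not enough, because Gatekeeper also accepts any Developer ID-signed app, so a repackaged Xcode re-signed by a third party would pass unless the source is checked as well.

```shell
#!/bin/sh
# Added example (not from the article or Apple's FAQ): verify that Gatekeeper is
# enabled and that the installed Xcode carries an Apple signature, using the
# standard OS X tools spctl(8) and codesign(1).
# Assumptions: a Mac with both tools; Xcode at the path below (override via env).
set -u

XCODE_APP="${XCODE_APP:-/Applications/Xcode.app}"   # assumed install path

# `spctl --status` prints "assessments enabled" or "assessments disabled".
# "disabled" is the state the article describes developers putting their Macs in.
classify_spctl_status() {
    case "$1" in
        *"assessments enabled"*)  echo enabled ;;
        *"assessments disabled"*) echo disabled ;;
        *)                        echo unknown ;;
    esac
}

# `spctl --assess --verbose <app>` prints "<app>: accepted" followed by a
# "source=..." line, or "<app>: rejected" with a reason. Gatekeeper accepts any
# Developer ID-signed app, so for Xcode we additionally require an Apple source
# (Mac App Store or Apple's own signing). Returns accepted | rejected | error,
# or accepted-from-untrusted-source(<source>) for a non-Apple signature.
classify_spctl_assessment() {
    output="$1"
    case "$output" in
        *": accepted"*)
            src=$(printf '%s\n' "$output" | sed -n 's/^source=//p')
            case "$src" in
                "Mac App Store"|Apple*) echo accepted ;;
                *) echo "accepted-from-untrusted-source($src)" ;;
            esac ;;
        *": rejected"*) echo rejected ;;
        *)              echo error ;;
    esac
}

# Live check: run the tools and print one line; exits non-zero on any failure.
# codesign --verify --deep --strict also walks nested bundles and binaries, which
# is where a tampered toolchain would hide.
check_xcode() {
    app="$1"
    status=$(classify_spctl_status "$(spctl --status 2>&1 || true)")
    verdict=$(classify_spctl_assessment "$(spctl --assess --verbose "$app" 2>&1 || true)")
    if codesign --verify --deep --strict "$app" 2>/dev/null; then sig=valid; else sig=invalid; fi
    printf 'gatekeeper=%s assessment=%s codesign=%s\n' "$status" "$verdict" "$sig"
    [ "$status" = enabled ] && [ "$verdict" = accepted ] && [ "$sig" = valid ]
}

# Constructed sample outputs (not captured from a real machine) so the
# classifiers can be exercised anywhere, including on non-Mac hosts.
SAMPLE_GENUINE="/Applications/Xcode.app: accepted
source=Mac App Store"
SAMPLE_REPACKAGED="/Applications/Xcode.app: rejected
source=no usable signature"
SAMPLE_RESIGNED="/Applications/Xcode.app: accepted
source=Developer ID"

# Only run the live check where the tools exist (i.e. on a Mac).
if command -v spctl >/dev/null 2>&1 && command -v codesign >/dev/null 2>&1; then
    check_xcode "$XCODE_APP"
fi
```

Run it as `XCODE_APP=/Applications/Xcode.app sh check_xcode.sh` on the Mac in question; a "gatekeeper=disabled" or "assessment=rejected" result is exactly the condition under which a counterfeit Xcode could have been installed unnoticed.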

Now we know how counterfeit versions of Xcode were installed, but what we don't know is why the infected iOS apps slipped through Apple's screening process. So far, Apple is staying tight-lipped on the subject.