Tainted Xcode gets Malware onto App Store, Apps Pulled


Apple has pulled a long list of iPhone and iPad apps from the App Store after discovering they contained malware that could steal personal data. The titles—including the popular WeChat—were created using versions of Xcode downloaded outside of Apple's developer site that injected the malware, dubbed XcodeGhost, into apps without developers' knowledge.

Unofficial Xcode installers led to the biggest App Store malware incident to date

XcodeGhost has been found in at least 39 apps, many of which are available only in China. This is the largest malware app incident to date on the App Store.

Security research company Palo Alto Networks said developers in China were downloading Xcode from servers in the country instead of directly from Apple. Getting the app development tools from non-Apple in-country servers meant faster downloads because they could avoid the performance issues that go along with China's national firewall that blocks much of the online content available around the world.

Apple began pulling the infected apps from the App Store last week and has confirmed it is working with developers to make sure they have legit copies of Xcode. An Apple spokesperson told Reuters, "We've removed the apps from the App Store that we know have been created with this counterfeit software. We are working with the developers to make sure they're using the proper version of Xcode to rebuild their apps."

The company has the ability to remotely disable apps, but hasn't said if that's happening in this case.

Palo Alto Networks put together a list of known infected apps:

  • WeChat
  • Didi Chuxing
  • Angry Birds 2
  • NetEase
  • Micro Channel
  • IFlyTek input
  • Railway 12306
  • The Kitchen
  • Card Safe
  • CITIC Bank move card space
  • China Unicom Mobile Office
  • High German map
  • Jane book
  • Eyes Wide
  • Lifesmart
  • Mara Mara
  • Medicine to force
  • Himalayan
  • Pocket billing
  • Flush
  • Quick asked the doctor
  • Lazy weekend
  • Microblogging camera
  • Watercress reading
  • CamScanner Lite
  • CamScanner Pro
  • CamCard
  • SegmentFault
  • Stocks open class
  • Hot stock market
  • Three new board
  • The driver drops
  • OPlayer
  • Telephone attribution assistant
  • Marital bed
  • Poor tour
  • I called MT
  • I called MT 2
  • Freedom Battle
  • Mercury
  • WinZip
  • Musical.ly
  • PDFReader
  • guaji_gangtai en
  • Perfect365
  • PDFReader Free
  • WhiteTile
  • IHexin
  • WinZip Standard
  • MoreLikers2
  • MobileTicket
  • iVMS-4500
  • OPlayer Lite
  • QYER
  • golfsense
  • golfsensehd
  • Wallpapers10000
  • CSMBP-AppStore
  • MSL108
  • ChinaUnicom3.x
  • TinyDeal.com
  • snapgrab copy
  • iOBD2
  • PocketScanner
  • CuteCUT
  • AmHexinForPad
  • SuperJewelsQuest2
  • air2
  • InstaFollower
  • baba
  • WeLoop
  • DataMonitor
  • MSL070
  • nice dev
  • immtdchs
  • OPlayer
  • FlappyCircle
  • BiaoQingBao
  • SaveSnap
  • Guitar Master
  • jin
  • WinZip Sector
  • Quick Save

Some apps have already been updated so they're malware-free, and more will be coming soon. If you have any of the potentially infected apps installed, remove them and change your Apple ID password and any other passwords you recently entered on your iOS device.

This is a big embarrassment for Apple even though developers were using unofficial versions of Xcode. The App Store vetting process is supposed to catch malware apps before they're approved for distribution, but in this case a long list of apps made it through the screening process and onto users' iPhones and iPads.

This incident may also have a silver lining of sorts: Apple has no doubt learned a lot from XcodeGhost and will use that knowledge to make the App Store screening process more secure.

The Mac Observer Spin

You'd think developers, of all people, would understand the importance of making sure the tools for coding apps come from safe and legit sources.

Lee Dronick

  You’d think developers, of all people, would understand the importance of making sure the tools for coding apps come from safe and legit sources.

From what I understand they didn’t want to take the time to download from Apple, the connection being slow for them. If so then perhaps part of the solution is for Apple to have regional servers, providing that they don’t already have them.


The root of the problem is with the government of China which blocks access to high speed servers. Apple is probably prevented from having regional servers for the same reason.


The Great Firewall of China dramatically slows the download rate available to developers inside China. So they might choose alternate sources (non-Apple servers that have Xcode) to speed up the process of that 6GB download.

The time factor is increased by at least 1 order of magnitude and maybe more, so the increased convenience for them is apparent. (That doesn’t excuse it, but it explains it.)

Apple probably does not have servers inside China due to the burdensome legal requirements they would then be subject to.


Or, might be the case that some of those developers aren’t exactly that innocent. Focus on the no-names, the ones who appear out of nowhere right about the time the malware was introduced.

Lee Dronick

Good point Aardman


I agree with aardman, but didn’t want to post a j’accuse against a named government - so I just implied it with the post. Anybody who reads it should be able to figure it out.

Given that certain governments want the ability to read anything their citizens have on their computers and devices, and also given that Apple’s information security on their operating systems is pretty good, this is a way to get inside the infosec shields and get to the data.

The fact that China Telecom is one of the suspect apps makes China Telecom a suspect.


Thanks Jeff:

One media outlet reported that Apple’s App Store was ‘hacked’ (or perhaps just certain apps were hacked), after ‘hackers’ convinced legitimate developers to use dodgy software to develop their apps.

I concur with the spirit of several of the comments above; such reporting reflects a measure of naiveté about the nature of the host government where the malware-infested Xcode was downloaded.

Given the nature of the malware, the capacity to harvest personal data, this wasn’t a bug at all. It was a feature.

Apple, and the IT security community, will need to stay alert. They’ll be back.


As a follow-up to this article, Apple sent an email to all developers telling them about this and how to avoid it (use the App Store or download from Apple and leave Gatekeeper on).
