Tainted Xcode gets Malware onto App Store, Apps Pulled

Apple has pulled a long list of iPhone and iPad apps from the App Store after discovering they contained malware that could steal personal data. The titles—including the popular WeChat— were created using versions of Xcode downloaded outside of Apple's developer site that injected the malware, dubbed XcodeGhost, into apps without developer's knowledge.

Unofficial Xcode installers led to the biggest App Store malware incident to dateUnofficial Xcode installers led to the biggest App Store malware incident to date

XcodeGhost has been found in at least 39 apps, many of which are available only in China. This is the largest malware app incident to date on the App Store.

Security research company Palo Alto Networks said developers in China were downloading Xcode from servers in the country instead of directly from Apple. Getting the app development tools from non-Apple in-country servers meant faster downloads because they could avoid the performance issues that go along with China's national firewall that blocks much of the online content available around the world.

Apple began pulling the infected apps from the App Store last week and has confirmed it is working with developers to make sure they have legit copies of Xcode. An Apple spokesperson told Reuters, "We've removed the apps from the App Store that we know have been created with this counterfeit software. We are working with the developers to make sure they're using the proper version of Xcode to rebuild their apps.

The company has the ability to remotely disable apps, but hasn't said if that's happening in this case.

Palo Alto Networks put together a list of known infected apps:

  • WeChat
  • Didi Chuxing
  • Angry Birds 2
  • NetEase
  • Micro Channel
  • IFlyTek input
  • Railway 12306
  • The Kitchen
  • Card Safe
  • CITIC Bank move card space
  • China Unicom Mobile Office
  • High German map
  • Jane book
  • Eyes Wide
  • Lifesmart
  • Mara Mara
  • Medicine to force
  • Himalayan
  • Pocket billing
  • Flush
  • Quick asked the doctor
  • Lazy weekend
  • Microblogging camera
  • Watercress reading
  • CamScanner Lite
  • CamScanner Pro
  • CamCard
  • SegmentFault
  • Stocks open class
  • Hot stock market
  • Three new board
  • The driver drops
  • OPlayer
  • Telephone attribution assistant
  • Marital bed
  • Poor tour
  • I called MT
  • I called MT 2
  • Freedom Battle
  • Mercury
  • WinZip
  • Musical.ly
  • PDFReader
  • guaji_gangtai en
  • Perfect365
  • PDFReader Free
  • WhiteTile
  • IHexin
  • WinZip Standard
  • MoreLikers2
  • MobileTicket
  • iVMS-4500
  • OPlayer Lite
  • QYER
  • golfsense
  • golfsensehd
  • Wallpapers10000
  • CSMBP-AppStore
  • MSL108
  • ChinaUnicom3.x
  • TinyDeal.com
  • snapgrab copy
  • iOBD2
  • PocketScanner
  • CuteCUT
  • AmHexinForPad
  • SuperJewelsQuest2
  • air2
  • InstaFollower
  • baba
  • WeLoop
  • DataMonitor
  • MSL070
  • nice dev
  • immtdchs
  • OPlayer
  • FlappyCircle
  • BiaoQingBao
  • SaveSnap
  • Guitar Master
  • jin
  • WinZip Sector
  • Quick Save

Some apps have already been updated so they're malware-free, and more will be coming soon. If you have any of the potentially infected apps installed, remove them and change your Apple ID password and any other passwords you recently entered on your iOS device.

This is a big embarrassment for Apple even though developers were using unofficial versions of Xcode. The App Store vetting process is supposed to catch malware apps before they're approved for distribution, but in this case a long list of apps made it through the screening process and onto user's iPhones and iPads.

This incident may also have a silver lining of sorts: Apple has no doubt learned a lot from XcodeGhost and will use that knowledge to make the App Store screening process more secure.