Apple confirmed Sunday that malicious code has found its way into apps being sold in the App Store — marking the first successful major attack on that marketplace, according to a report from Reuters.
In a statement provided to The Washington Post on Monday, Apple said that it had found and removed several apps that included a malicious program called Xcode Ghost — a counterfeit version of Apple's software development program Xcode — that hides malware in otherwise legitimate apps. "We offer developers the industry’s most advanced tools to create great apps," the company's statement said. "A fake version of one of these tools was posted by untrusted sources which may compromise user security from apps that are created with this counterfeit tool."
Apple is now working with developers to rebuild their apps with the official version of Xcode, the company said. Apps developed with Apple's approved software are not affected.
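The remediation above depends on developers knowing whether the Xcode on their build machine is Apple's own or a repackaged copy. The script below is an added example, not code from the article or from Apple: it wraps macOS's `spctl` Gatekeeper assessment and accepts only an Xcode bundle that is signed and sourced from Apple. It assumes Xcode lives at `/Applications/Xcode.app` (override with `XCODE_APP`) and that `spctl --assess --verbose` prints an `accepted` verdict followed by a `source=` line, as it does on macOS.

```shell
#!/bin/sh
# Added example: verify that the installed Xcode is Apple-signed before building.
# Assumption: XCODE_APP points at the Xcode bundle on a macOS build machine.
XCODE_APP="${XCODE_APP:-/Applications/Xcode.app}"

# Decide from spctl's verbose output whether the bundle is trustworthy.
# Returns 0 only for an "accepted" verdict whose source is Apple itself
# (Mac App Store, Apple, or Apple System). A copy re-signed by a third party
# ("source=Developer ID") or an unsigned copy ("no usable signature") fails.
xcode_assessment_ok() {
    # $1: full text of `spctl --assess --verbose <Xcode.app>`
    case "$1" in
        *": accepted"*"source=Mac App Store"*) return 0 ;;
        *": accepted"*"source=Apple"*)         return 0 ;;
        *)                                     return 1 ;;
    esac
}

# Run the live assessment on this machine; exit status reports the verdict.
check_installed_xcode() {
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not found: run this on the macOS build machine" >&2
        return 2
    fi
    if [ ! -d "$XCODE_APP" ]; then
        echo "no Xcode bundle at $XCODE_APP" >&2
        return 2
    fi
    out=$(spctl --assess --verbose "$XCODE_APP" 2>&1)
    if xcode_assessment_ok "$out"; then
        echo "OK: $out"
        return 0
    fi
    echo "FAIL: do not build with this Xcode: $out" >&2
    return 1
}

# Invoke as `sh check_xcode.sh --check` on the build Mac.
if [ "${1:-}" = "--check" ]; then
    check_installed_xcode
fi
```

A developer who pulled Xcode from a mirror rather than from Apple will see a non-Apple source or no usable signature here, and should reinstall from the Mac App Store or Apple's developer site before rebuilding and resubmitting.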
Xcode Ghost was uploaded to a Baidu server in China, where developers picked up the counterfeit software. It has since been taken down. Most of the apps affected, such as the ride-hailing service Didi Kuaidi, are most popular in China. But some of the apps have international audiences, such as Tencent's popular messaging app WeChat. Bad versions of these apps appear to have been available outside of China, as well, according to security firm Palo Alto Networks.
On WeChat's official blog, the firm said that the issue only affected an older version of its chat program and that it has not found any evidence of a customer's personal information being taken from the app as a result of the bad code.
While the damage from the attack appears to be limited for now, it's a public black eye for Apple — even though developers who made the bad apps strayed from the approved, official Apple protocols for developing applications. One of the selling points of Apple's App Store and, by extension, its products, is that the company takes security very seriously. The firm famously subjects developers to stringent screening processes that can often hold up an app's launch but allow Apple to promise customers the peace of mind that any app they download from its store is safe.
It's unprecedented for the company to have allowed so many apps with malicious code to get through its security processes. And because the attack happened at the development stage, average consumers have no meaningful way to parse the good apps from the bad.
Palo Alto Networks published several posts analyzing the malicious code on its blog late last week, finding that 39 apps were affected in total and that "hundreds of millions" of users were potentially exposed, the company said.
Palo Alto Networks security researcher Claud Xiao wrote in a blog post that the software can trigger fake alerts on the iPhone, and has already been used to try to convince Apple users to reveal their iCloud passwords. He also warned that the software could be used to snoop on a device's clipboard, which could potentially let the program read passwords copied from a password manager.