Apple is now working with developers to rebuild their apps with the official version of Xcode, the company said. Apps developed with Apple's approved software are not affected.
XcodeGhost was uploaded to a Baidu server in China, where developers picked up the counterfeit software. It has since been taken down. Most of the affected apps, such as the ride-hailing service Didi Kuaidi, are most popular in China. But some of the apps have international audiences, such as Tencent's popular messaging app WeChat. Bad versions of these apps appear to have been available outside of China as well, according to security firm Palo Alto Networks.
On WeChat's official blog, the firm said that the issue only affected an older version of its chat program and that it has not found any evidence of a customer's personal information being taken from the app as a result of the bad code.
While the damage from the attack appears to be limited for now, it's a public black eye for Apple, even though developers who made the bad apps strayed from the approved, official Apple protocols for developing applications. One of the selling points of Apple's App Store and, by extension, its products, is that the company takes security very seriously. The firm famously subjects developers to stringent screening processes that can often hold up an app's launch but allow Apple to promise customers the peace of mind that any app they download from its store is safe.
It's unprecedented for the company to have allowed so many apps with malicious code to get through its security processes. And because the attack happened at the development stage, average consumers have no meaningful way to parse the good apps from the bad.
Palo Alto Networks security researcher Claud Xiao wrote in a blog post that the software can trigger fake alerts on the iPhone, and has already been used to try to convince Apple users to reveal their iCloud passwords. He also warned that the software could be used to snoop on a device's clipboard, which could potentially let the program read passwords copied from a password manager.