Apple malware

Last week, cybersecurity firm Palo Alto Networks discovered a clever malware attack on dozens of iOS apps developed in China.

The attack didn’t involve compromising iOS devices directly. Instead, a manipulated version of Xcode—the software that all iOS developers use to build their apps—was uploaded to Chinese file-sharing sites.

Some developers in China chose to download the 3 GB Xcode application from those sites rather than from official servers. Once they built and compiled their apps, they successfully uploaded them to the App Store.

These apps then became trojan horses, able to silently send data back to the hackers. Because it was a social engineering hack, there wasn’t a direct compromise on iOS devices, but it did illustrate a flaw in how Apple approves apps and developers. Apple has since removed all the affected apps from the App Store and is working with developers to ensure that they’re using the official version of Xcode to build malware-free apps.

WeChat was the biggest infected app, with hundreds of millions of users, particularly in Asia-Pacific. Others include Railway 12306, an app to purchase train tickets in China, and an Uber-like app called Didi Chuxing. The full list of known affected apps is available from Palo Alto Networks.

When a compromised app is used on an iOS device, it can send quite a bit of data back to the hackers, including the current time, the name of the infected app, the device’s name, type, current system language and country, unique identifying number, and network type. The app could also put up a fake alert dialog asking users to enter their iCloud or Apple ID password or access the contents of the clipboard.

Because the malware was inserted through a compromised version of Xcode, it was extremely difficult to detect. Developers must always ensure that they are downloading development software like Xcode from official sources like Apple’s official Developer Support page.

It’s possible that apps could be compromised this way, even if they were developed for internal use only at a large corporation, potentially leading to stolen trade secrets or other confidential data.

Any users who possibly installed any of the affected apps should change their iCloud password and any other passwords used on the iOS device, including email and other accounts. They should also uninstall or update any affected apps.

Still, for US-based iOS users who don’t use Chinese apps, other than a few of the more popular apps like WeChat, it’s unlikely that they were affected. However, it’s always important to be vigilant and ensure that you have the newest official software updates running to keep secure.

Are you concerned about this iOS malware? Let us know your thoughts in the comments below.

Also see


Most users in the US don't need to worry about XcodeGhost App Store malware