LOS ANGELES — Apple’s longstanding reputation for flawless security is in jeopardy, following reports of dozens of malware-infected apps being distributed through its proprietary App Store.
It is a first for the distribution outlet that prides itself on its scrutiny and security of the products it carries — and an attack potentially impacting many millions of users.
The malware was payloaded onto some of the store’s most popular Chinese apps for iPad and iPhone users, including mobile chat app WeChat, which boasts a half-billion users; the Uber-inspired Didi Kuaidi; and a Spotify-style music app from NetEase.
It appears that rather than a direct attack on Apple, the malware authors took an innovative approach, by spreading a tainted version of Apple’s Xcode toolset, which then secretly installed the malware on any app it was used to create. The tainted Xcode file was labeled XcodeGhost by security researchers, and provides a stern example on the dangers of using pirated software — while exposing information about the app user’s device, passwords and more to the criminal attackers.
According to Palo Alto Networks security researcher Claud Xiao, the hack allows attackers to take control of iOS devices.
“We believe XcodeGhost is a very harmful and dangerous malware that has bypassed Apple’s code review and made unprecedented attacks on the iOS ecosystem,” Xiao stated.
For its part, Apple says the company is addressing the problem.
“To protect our customers, we’ve removed the apps from the App Store that we know have been created with this counterfeit software,” an Apple rep stated. “We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.”
So far, no sensitive customer data release has been reported.
“At present, we haven’t discovered any loss of user information or assets as a result of this, though the WeChat team will continue to monitor and do tests,” a WeChat parent Tencent rep revealed, noting that an updated version of the WeChat app is available from the app store.
Altogether, it is an embarrassing breach of Apple’s closed app distribution channel, which has long kept legitimate adult entertainment apps from its ecosystem due to corporate censorship of carnal content.