MacRumors

macrumors bot
Original poster


Back in 2015, a trojanized copy of Xcode, Apple's development environment, began circulating in China through unofficial download sources. Every app compiled with that copy silently picked up the "XcodeGhost" malware, and those apps made their way past the App Store review team and into Apple's App Store.


There were more than 50 known infected iOS apps at the time, including major apps like WeChat, NetEase, and Didi Taxi, with up to 500 million iOS users potentially impacted. It's been a long time since the XcodeGhost attack, but Apple's trial with Epic is surfacing new details.

Trial documents highlighted by Motherboard indicate that a total of 128 million users downloaded apps with the XcodeGhost malware, including 18 million users in the United States.

XcodeGhost was one of the biggest attacks against iPhone users to date, measured by the number of users affected. Those 128 million users got the malware by downloading more than 2,500 affected apps.

Based on emails shared in the trial, Apple worked to determine the impact of the attack and how to best notify those who downloaded infected apps. "Due to the large number of customers potentially affected, do we want to send an email to all of them?" Apple's App Store vice president Matt Fischer asked.

Apple did ultimately inform users who downloaded XcodeGhost apps, and also published a list of the top 25 most popular apps that were compromised. Apple removed all of the infected apps from the App Store, and provided information to developers to help them validate that their copy of Xcode actually came from Apple going forward.

XcodeGhost was a widespread attack, but as far as is known it did little actual damage. At the time, Apple said that it had no information to suggest that the malware was ever used for any malicious purpose or that sensitive personal data was stolen, but the implant did collect app bundle identifiers, network details, and device names and types and send them to servers controlled by the attackers. Independent analyses at the time also found that the implant could take instructions from those servers, so the data it was seen collecting is the minimum of what it could have done, not the maximum.

Article Link: 'XcodeGhost' Malware Attack in 2015 Impacted 128 Million iOS Users, According to Trial Documents
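The Xcode validation Apple pointed developers to was a Gatekeeper assessment of the Xcode bundle: `spctl --assess --verbose /Applications/Xcode.app` should report `accepted` with `source=Mac App Store` for an App Store download, or `source=Apple System` / `source=Apple` for a download from Apple's developer site. The script below is an added example, not code from the article or from Apple, that wraps that check so it can be run on a build machine and fails closed on anything else. The function and variable names are this example's own, and the sample outputs shown in the comments are constructed.

```sh
#!/bin/sh
# Added example: decide whether an Xcode bundle passes the Gatekeeper check Apple
# recommended after XcodeGhost. Function names are this example's own.

# xcode_source_ok OUTPUT
#   OUTPUT is the text printed by `spctl --assess --verbose <path>`, e.g. (constructed):
#     /Applications/Xcode.app: accepted
#     source=Mac App Store
#   Returns 0 only if the bundle was accepted AND its source is one Apple lists
#   as legitimate for Xcode; anything else (rejected, Developer ID, unsigned,
#   unexpected text) returns 1, so a tampered or repackaged Xcode fails closed.
xcode_source_ok() {
    out="$1"
    # First line must end in "accepted"; "rejected" means the signature did not verify.
    verdict=$(printf '%s\n' "$out" | sed -n '1s/^.*: \([a-z]*\)$/\1/p')
    [ "$verdict" = "accepted" ] || return 1
    # Exact match on the source line, not a substring match, so a different
    # source that merely contains the word "Apple" would not slip through.
    src=$(printf '%s\n' "$out" | sed -n 's/^source=//p' | head -n 1)
    case "$src" in
        "Mac App Store"|"Apple System"|"Apple") return 0 ;;
        *) return 1 ;;
    esac
}

# check_xcode [PATH]
#   Runs the real assessment on a Mac and prints a one-line verdict.
check_xcode() {
    path="${1:-/Applications/Xcode.app}"
    out=$(spctl --assess --verbose "$path" 2>&1)
    if xcode_source_ok "$out"; then
        src=$(printf '%s\n' "$out" | sed -n 's/^source=//p' | head -n 1)
        echo "OK: $path passed Gatekeeper assessment (source=$src)"
        return 0
    fi
    echo "SUSPECT: $path did not pass Gatekeeper assessment: $out" >&2
    return 1
}

# Only call spctl where it exists (macOS); the parser above is usable anywhere.
if command -v spctl >/dev/null 2>&1; then
    check_xcode "$@"
fi
```

On a Mac, run it with no arguments to check `/Applications/Xcode.app`, or pass the path of a differently named Xcode bundle. Note that the check only tells you the bundle's code signature verifies and that it came from Apple; it says nothing about an app already built with a bad copy, which is why Apple also had developers rebuild and resubmit affected apps.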
 
I checked out the list of apps. They are very wordy and don't fit well with the current iOS app launcher interface. For that reason alone, I wouldn't have downloaded those apps.
 
> I checked out the list of apps. They are very wordy and don't fit well with the current iOS app launcher interface. For that reason alone, I wouldn't have downloaded those apps.
Yeah.. Aside from WeChat I've never even heard of these apps. My guess is they're not used much in the US.
If I remember right, it was almost exclusively Chinese apps that were affected.
 
Since they were Chinese apps focused for the Chinese market, I would have used the Chinese language / fonts for naming the apps rather than use a foreign language like English.
 
> Trial documents highlighted by Motherboard indicate that a total of 128 million users downloaded apps with the XcodeGhost malware, including 18 million users in the United States.
>
> XcodeGhost was one of the biggest attacks against iPhone users to date due to the number of iPhone users that were impacted. The 128 million impacted users got malware from downloads of more than 2,500 affected apps.
"But... but... since the App Store is guarded by Apple, we're all the more safer. If we allow 3rd party app stores or people to download and install apps through the browser like with macOS, users will be exposed to malware" said the people who are against 3rd party app stores and downloading/installing apps through a browser. :rolleyes:

And somehow the idea that they won't be forced to and don't have to use the 3rd party app store is lost on them
 
Yes its so convenient to figure out which app store I need to download and install to get an app. Then provide credit card details to any and every developer that I want to purchase something. Then figure out which store I need to open to update an app. Better regularly launch the alternative stores to get updates. Oh a store was compromised which apps on my device came from that store?

No purpose to the end user at all.
 
> Yes its so convenient to figure out which app store I need to download and install to get an app. Then provide credit card details to any and every developer that I want to purchase something. Then figure out which store I need to open to update an app. Better regularly launch the alternative stores to get updates. Oh a store was compromised which apps on my device came from that store?
>
> No purpose to the end user at all.
Thank you!
 
> It's silly that Apple has to even justify the 30% commission they charge on their own platform that devs and users are free to use or not use, esp when nobody else justifies the same, but these emails are interesting to read.
Excuse me, how are devs free to decide whether to use the App Store or not? Aside from jailbreaking and AltStore-esque distribution methods, they're forced to use the App Store. And that's a good thing, at least for privacy.
 
> "But... but... since the App Store is guarded by Apple, we're all the more safer. If we allow 3rd party app stores or people to download and install apps through the browser like with macOS, users will be exposed to malware" said the people who are against 3rd party app stores and downloading/installing apps through a browser. :rolleyes:
>
> And somehow the idea that they won't be forced to and don't have to use the 3rd party app store is lost on them
You have always been able to download web apps and run them in a browser. That was the only way until 2008. In fact many of these attacks stem from Apple opening up more and more access to iOS to developers as the years go forward. If they had allowed 3rd party stores as of 2015 when this attack occurred, there would have been no way to resolve it, protect users and mitigate the effects by shutting down all infected apps, because they would not have been on their servers. Tracking the culprit would have proven impossible, as it is on Android. Their solution has been to just stop supporting the OS beyond 2 years. The problem is 80% of their users are on those older versions and have hardware that doesn't support the safer system.
 
> It's silly that Apple has to even justify the 30% commission they charge on their own platform that devs and users are free to use or not use, esp when nobody else justifies the same, but these emails are interesting to read.
Right, and charge the same. It's comical that Epic claims the reason it's fine with them is because they lose money on hardware. That means, because they are not business savvy enough to build products customers desire enough to pay a profitable price for. How exactly is that Apple's problem? In fact the majority of iPhone competitors are sold at a loss. That has nothing to do with what profit Apple can make on its App Store.
 
> Excuse me, how are devs free to decide whether to use the App Store or not? Aside from jailbreaking and AltStore-esque distribution methods, they're forced to use the App Store. And that's a good thing, at least for privacy.
They can use web apps or go elsewhere. They can decide if they want to develop for a platform or not. If they want deeper access to the OS there are requirements that protect us.
 
> If phones turned into multiple App Store flea markets then half the apps installed would be these malware and spyware. Every one of you could have your money stolen or become the next Khashoggi.
Agreed. I just threw my Mac in a dumpster. It's either iOS App Store or the device is a malware infested time bomb!!! Sideloading is just asking for trouble! Far too dangerous!
 
> It's silly that Apple has to even justify the 30% commission they charge on their own platform that devs and users are free to use or not use, esp when nobody else justifies the same, but these emails are interesting to read.
Devs are not free to use the platform. They have to pay annually to have the opportunity to be listed. Not all apps get listed. ;)
 
sounds like a strong case for an even stronger App Store. Maybe pass legislation making it a crime to do this crap and then prosecute the hackers. As it stands now, Apple can only check a few things, like are there bugs, does the app work, does it steal data (and that is easier to hide than one would think). How about allowing them to check if the company is legit, oh I know, maybe the developers could get a business license with a government authority that clearly delineates the activities the developer's apps are performing, punishable by fines and imprisonment, or both. YooHoo, less App Store, more government!
 
> You have always been able to download web apps and run them in a browser. That was the only way until 2008. In fact many of these attacks stem from Apple opening up more and more access to iOS to developers as the years go forward. If they had allowed 3rd party stores as of 2015 when this attack occurred, there would have been no way to resolve it, protect users and mitigate the effects by shutting down all infected apps, because they would not have been on their servers. Tracking the culprit would have proven impossible, as it is on Android. Their solution has been to just stop supporting the OS beyond 2 years. The problem is 80% of their users are on those older versions and have hardware that doesn't support the safer system.
Please note that Apple doesn't comply with the HTML5 spec for web apps, undermining the ease at which web apps for the iPhone can be created. The App Store is great, but I wish the web as a venue was also equally viable. WebKit's (the underlying part of Safari) JavaScript engine also has... questionable performance compared to Chakra (MS Edge), SpiderMonkey (Firefox), and V8 (Chrome) [1]. Let's also not forget that Apple actively viewed HTML5 as a threat (potentially leading to their half-broken implementation) [2]. I may sound a bit overly critical about Apple's implementation, and I do acknowledge that (for the most part, it does work, there are just certain issues that other platforms don't have).

Sources
1. Discord's blog post about optimising for JSC. Yes, Discord is a native app, but the underlying JS engine is the same. Search for JSC and look at the second match.
2. Post about Apple seeing HTML5 as a threat. Sadly, instead of making the App Store more competitive, they decided to cripple HTML5 instead.
 
> If phones turned into multiple App Store flea markets then half the apps installed would be these malware and spyware. Every one of you could have your money stolen or become the next Khashoggi.
Please remember, iOS only takes 15% of the market share...
The other eighty-five percent of phones are not iOS and they are doing well.
 
> If they want deeper access to the OS there are requirements that protect us
This brings us to an interesting jumping point. It would be interesting if Apple could add in privacy and malware protections directly into the OS without relying on the App Store, in the same way Gatekeeper exists on macOS. I do wonder how well code can detect things such as device fingerprinting and etc. Maybe this is not simple to do.

Also, please note: yes, I do have a post replying to you about some things about web apps. It's awaiting moderator approval, likely because there's a lot of links for citations.
 