The App Store is not as safe as we thought. While Apple’s notoriously restrictive approach to apps has typically been thought to make malicious software on the platform next to impossible, security researchers recently identified dozens of apps containing malware in the App Store, although it’s hard to say exactly how many apps have been infected.
The malware, called XcodeGhost, puts quite a bit of personal and device information at risk, including your Apple ID and iCloud password, the contents of your device’s clipboard and your device’s name, type and UUID (universally unique identifier).
The malware stems from a modified version of Xcode — that’s the set of software tools Apple provides to developers to create iOS apps — that contained malware. Though this was not the official version of Xcode provided by Apple (more on that later), the infected apps managed to make their way through Apple’s review process and into the App Store.
Just how bad is it?
Infected apps included some of the most popular apps in China, like WeChat, Angry Birds 2 (Rovio has said only the Chinese version was affected), Didi Chuxing (a Chinese ride-hailing app), Railway 12306 (the country’s official app for buying train tickets) and China Unicom Mobile Office (made by one of the most popular carriers), according to security research firm Palo Alto Networks.
But though nearly all of the infected apps come from Chinese developers, the infected apps are not limited to the Chinese App Store. Some apps like WeChat, SaveSnap and CamCard are also available — and widely used — in the U.S. App Store.
How did this even happen?
The short answer is bad luck and developer laziness. It appears developers inadvertently infected their own apps when they downloaded a modified version of Xcode that included the malware. Xcode is a large program that often takes a long time to download, Palo Alto Networks explained in a statement, which sometimes leads developers to turn to sources other than Apple.
In China (and in other places around the world), sometimes network speeds are very slow when downloading large files from Apple’s servers. As the standard Xcode installer is nearly 3GB, some Chinese developers choose to download the package from other sources or get copies from colleagues.
The security firm goes on to explain that a Google search for “Xcode download” returned results for several forums frequented by developers. Many of these download links directed back to files posted on the file sharing site Baidu Yunpan, which contained the infected versions of Xcode that app makers unwittingly downloaded.
What should I do now?
Given the popularity of some of the apps involved, hundreds of millions of users are thought to be affected by the exploit. And it’s still possible there are infected apps that have not yet been discovered. Apple says it has removed the infected apps, though some of those identified by Palo Alto Networks remain in the App Store and have yet to be updated. If you have one of the infected apps (you can find a list here), you should delete it immediately (note that Tencent has already updated WeChat with a fix, so make sure you have the latest update, version 6.2.6).
It’s also a good idea to change your iCloud password now, especially if you downloaded one of the apps in question. While you’re at it, you should consider turning on two-factor authentication as well. That way, even if your Apple ID and password are compromised, an attacker will not be able to get into your account from another device. It should go without saying, but, if you’re a developer, do not download Xcode from sources other than Apple. And if you have in the past, now would be the time to get the official version from Apple.
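For developers who want to confirm that the Xcode already on their Mac is Apple’s, the following script is an added example (not from this article or from Palo Alto Networks). It wraps the Gatekeeper assessment Apple recommended after XcodeGhost, `spctl --assess --verbose /Applications/Xcode.app`, and classifies the result; the accepted `source=` values (Mac App Store, Apple, Apple System) follow Apple’s published validation guidance and are an assumption here, as are the sample outputs, which are constructed rather than captured from a real machine.

```shell
#!/bin/sh
# Added example: classify the result of Gatekeeper's assessment of Xcode.
# Assumes macOS with spctl(8); the Xcode path can be passed as $1.

XCODE_PATH="${1:-/Applications/Xcode.app}"

# Classify the text that `spctl --assess --verbose` printed.
# Prints "genuine", "untrusted-source" or "rejected"; returns 0 only for "genuine".
classify_spctl_output() {
    out="$1"
    # Gatekeeper must accept the bundle's signature at all.
    case "$out" in
        *": accepted"*) ;;
        *) printf 'rejected\n'; return 1 ;;
    esac
    # Then the signing source must be one Apple uses to distribute Xcode
    # (assumed values, from Apple's post-XcodeGhost validation guidance).
    src=$(printf '%s\n' "$out" | sed -n 's/^source=//p')
    case "$src" in
        "Mac App Store"|"Apple"|"Apple System") printf 'genuine\n'; return 0 ;;
        *) printf 'untrusted-source\n'; return 1 ;;
    esac
}

# Run the live assessment on this machine; returns 2 when spctl is unavailable.
verify_xcode() {
    if ! command -v spctl >/dev/null 2>&1; then
        printf 'spctl not found: run this on macOS\n' >&2
        return 2
    fi
    out=$(spctl --assess --verbose "$XCODE_PATH" 2>&1)
    classify_spctl_output "$out"
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_GENUINE='/Applications/Xcode.app: accepted
source=Mac App Store'
SAMPLE_RESIGNED='/Applications/Xcode.app: accepted
source=Developer ID'
SAMPLE_TAMPERED='/Applications/Xcode.app: rejected
source=no usable signature'

# Demonstrate the classifier, then check the real install when on macOS.
classify_spctl_output "$SAMPLE_GENUINE"            # prints "genuine"
classify_spctl_output "$SAMPLE_RESIGNED" || true   # prints "untrusted-source"
classify_spctl_output "$SAMPLE_TAMPERED" || true   # prints "rejected"
if command -v spctl >/dev/null 2>&1; then verify_xcode; fi
```

A result other than "genuine" means the copy should be deleted and replaced with a fresh download from Apple, and apps built with it rebuilt and resubmitted.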