Apple's App Store suffers first major malware attack

An Apple logo hangs above the entrance to the Apple store in New York.
An Apple logo hangs above the entrance to the Apple store in New York.PHOTO: REUTERS

Malicious program found in hundreds of legitimate apps but no data theft detected

BOSTON • Apple says it is cleaning up its iOS App Store to remove malicious iPhone and iPad programs, identified in the first large-scale attack on the popular mobile software outlet.

The revelation came after several cyber security firms reported finding a malicious program dubbed XcodeGhost embedded in hundreds of legitimate apps. It is the first reported case of large numbers of malicious software getting past Apple's stringent app review process.

Prior to this attack, only five malicious apps had ever been found in the App Store, according to cyber security company Palo Alto Networks.

The hackers embedded the malicious code in these apps by convincing developers of legitimate software to use a tainted, counterfeit version of Apple's software for creating iOS and Mac apps, which is known as Xcode, Apple said on Sunday. "We are working with the developers to make sure they are using the proper version of Xcode to rebuild their apps," Apple spokesman Christine Monaghan said. She did not say what steps iPhone and iPad users could take to determine if their devices were infected.

Palo Alto Networks director of threat intelligence Ryan Olson said the malware had limited functionality and his firm had uncovered no examples of data theft or other harm as a result of the attack.

Still, he said it was "a pretty big deal" because it showed the App Store could be compromised if hackers infected machines of software developers writing legitimate apps. Other attackers may copy that approach, which is hard to defend against, he said. "Developers are now a huge target."

Researchers said infected apps included Tencent Holdings' popular mobile chat app WeChat, car- hailing app Didi Kuaidi and a music app from Internet portal NetEase.

The tainted version of Xcode was downloaded from a server in China that developers may have used as it allowed for faster downloads than Apple's US servers, Mr Olson said. Chinese security firm Qihoo360 Technology said on its blog that it had uncovered 344 apps tainted with XcodeGhost.

Tencent said on its official WeChat blog that the security flaw affects WeChat 6.2.5, an old version of its chatting app, and that newer versions were unaffected. A preliminary investigation showed there had been no data theft or leakage of user information, it said.

Didi Kuaidi said in a statement that users' privacy was not intruded upon, and the app has been immediately updated to address the issue.

NetEase apologised, saying private information was not compromised and a fix has been issued.

Apple declined to say how many infected apps it had uncovered.


A version of this article appeared in the print edition of The Straits Times on September 22, 2015, with the headline 'Apple's App Store suffers first major malware attack'. Print Edition | Subscribe