Apple said it has removed hundreds of apps from its App Store after suffering its first large-scale attack on its app platform.
The malware, dubbed XcodeGhost, was embedded in legitimate iPhone and iPad apps and arose from app developers using a counterfeit version of Xcode, Apple’s software for creating iOS and Mac apps.
Before this attack only five malicious apps had ever been found in the App Store.
“We’ve removed the apps from the App Store that we know have been created with this counterfeit software,” Apple spokeswoman Christine Monaghan told Reuters. “We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.”
Apple has not issued any instructions to users who may have downloaded the infected apps on their devices. Popular apps affected by the malware include Chinese messaging app WeChat and China’s largest taxi-aggregator app from Didi Kuaidi, a rival to US-based Uber.
It is being speculated that hackers may have convinced some developers to use either a counterfeit or modified version of Xcode. One reason developers may have agreed is that the software downloads faster from Chinese servers than from Apple’s servers based in the US.
The Financial Times, however, said that Apple has not explained how the infected apps had got through its security screening for the App Store.
The newspaper highlighted how last year Tim Cook, Apple’s chief executive, had criticised Google for what he claimed were insecure apps, quoting a report that described the search engine’s Android Play store as a “toxic hellstew of vulnerabilities.”
In a blog post, WeChat said the latest version of its app is malware-free and there has been no theft or leakage of user information or money. It said the security flaw only affected iOS users using older versions of WeChat. That flaw has been fixed, it said.
Ryan Olson, director of threat intelligence at the software security firm Palo Alto Networks, said the malware caused little harm. It had limited functionality and his firm found no examples of data theft or other harm, he told Reuters. Chinese security firm Qihoo360 Technology said it had uncovered 344 apps with XcodeGhost.
Separately, iPhone and iPad users have complained of problems after upgrading to iOS 9, Apple’s latest operating system.