‘XcodeGhost’ Apps Dated Back to April, Exploits Were Minimal: Researchers


XcodeGhost has made headlines recently, and there is a good reason for that: It is the first major attack against the App Store. As it turns out, the whole story didn’t start the other week, but much earlier, according to data revealed by mobile security firm Appthority and cited by Ars Technica.

In a blog post published on Monday, the security firm underscores two important pieces of information: first that the attack started in April, and secondly (the good news), that affected apps contain adware, not malware. In the chart attached below (courtesy of Appthority), you can see how the attack has gained momentum over the past five months.


Another mobile security firm, FireEye, has reportedly found 4,000 iOS apps infected by XcodeGhost. It’s important to note that neither firm specifically mentions whether they focused on Chinese-speaking users or not.

The good news comes from Appthority: The researchers corroborated Apple’s earlier statement, as they didn’t find any suspicious behaviour that would suggest the infected apps would trigger users into giving up sensitive information such as iCloud credentials and the like. What they found is infected apps:

1. Sends requests to the server (using a fixed timer interval between requests)
2. The request contains all kinds of device identifiers (like a typical tracking framework)
3. The response can trigger different actions:
– Shows an AppStore item within the app by using a SKStoreProductViewControllerDelegate
– Showing an UIAlertView and show the AppStore view depending on which button was tapped
– Open an URL
– Sleeping for a given time.

Following the attack, Apple has taken steps to protect its users and ecosystem: It has removed apps identified as infected and asked developers to resubmit their apps using the valid version of Xcode. Apple also issued a line of code to developers to check the legitimacy of their Xcode version and posted an XcodeGhost Q&A on its Chinese website.

We are happy to see this happening and Apple reacting so fast. The only question left is: How could XcodeGhost violate Apple’s App Store policies for such a long time?