Apple Did Not Disclose Hack that Affected 128 Million Devices, Show Court Emails
Emails entered into evidence this week during the Epic Games, Inc. vs. Apple Inc. trial show Apple executives discussing whether to notify the users affected by the largest iOS compromise on record. That notification was never sent, Ars Technica reports.
Starting around April 2015, seemingly legitimate apps carrying malicious code began appearing in the App Store. By the time the campaign was discovered in September of the same year, the number of affected apps had grown to roughly 4,000.
The malicious code in these apps enrolled the iPhones and iPads on which they were installed into a botnet. It collected device information (the name of the infected app, the device name and type, a unique identifier, and network information) and reported it to a command-and-control server.
To the best of Apple's (and independent researchers') knowledge, the affected apps were downloaded 203 million times by 128 million iPhone and iPad users.
The root cause was a tampered copy of Xcode, Apple's development tool, used by many legitimate app developers, mainly in China, who had obtained it from unofficial sources rather than from Apple. Later nicknamed 'XcodeGhost', the repackaged tool injected malicious code into apps as developers built them, without the developers noticing. Because the injection happened at build time, the resulting apps were signed and submitted by their legitimate developers and passed App Store review.
The emails entered into evidence, dated September 2015, show senior Apple executives discussing whether to disclose the details of the compromise to affected users by mass email.
“Joz, Tom and Christine—due to the large number of customers potentially affected, do we want to send an email to all of them?” wrote App Store VP Matthew Fischer, referring to Apple Senior Vice President of Worldwide Marketing Greg Joswiak and Apple PR people Tom Neumayr and Christine Monaghan.
In a follow-up email a few hours later, Dale Bagwell of Apple's Customer Experience team laid out possible ways to send a mass notification to the affected users, along with the practical challenges involved.
Ultimately, Apple never sent the notification, and during the trial a company representative could not produce any evidence that such an email had gone out.
Instead, Apple published a Q&A post on its website (since deleted) with general information about the incident and a list of only the 25 most downloaded malicious apps from the campaign.