XcodeGhost malware sneaks into the App Store, spooks millions of iOS users

Graham Cluley
@gcluley

If you're writing software for iOS or OS X, chances are that you will use Apple's Xcode development environment.

But if you're a programmer with a flaky internet connection, you may decide that you can't be bothered to download it from Apple's own servers and instead fetch it from elsewhere on the net.

That could turn out to be an unfortunate mistake.

Scores of iOS apps have been found to be infected with the XcodeGhost malware, all of them compiled with a poisoned version of Xcode.


Amongst the apps said to be infected is WeChat, a messaging app developed by Tencent that is used by millions of people worldwide.

Watch my video to find out more, and check out the blog posts published by the security experts at Palo Alto Networks.



Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

7 comments on “XcodeGhost malware sneaks into the App Store, spooks millions of iOS users”

  1. coyote

    It is always a mistake not to use official download locations (whether that is an official mirror or the provider), and you should always – without fail – verify that the download matches the hash (assuming the vendor offers one), even if they aren't 100% foolproof (what is?). The fact that the legit hosts could be compromised makes this even more obvious (at least to those who consider security – and many programmers unfortunately do not, which is something they should be ashamed of but probably don't even know what mistakes they made).

    I guess the next step is damage control attempts from the careless programmers… And of course more claims that only Windows is vulnerable to malware will follow.

  2. The Doctor

    Talk about lazy. What is so hard about going to Apple's App Store and downloading Xcode straight from Apple? The App Store has the app already installed on the computer. Granted, sometimes Apple's servers get overwhelmed with requests (for example, people getting iOS 9 at the time of this writing – lucky I have it already), but it should not be so bad to just wait until you can get Xcode from Apple directly instead of trying to find it somewhere else and getting a surprise.

    I am taking a Mac, iPhone, iPad programming class right now and we are on week 1 and it was no big deal to download Xcode so I don't see why anyone would bother looking for it anywhere else on the web.

  3. Viola

    OK then, so what's the 'next step' in case one had any of the infected apps installed on one's non-jailbroken iPad? Since Apple's idea is that a walled garden is 'enough' protection, where does this leave us end users, since no antimalware/antivirus app is currently available in the App Store? I'm sick and tired of this massively escalating hacker 'trend'... As it is now, I'm already spending so much money and energy on best practices and anti-hacking prevention on every front that it's becoming ridiculous. Any pointers to get rid of this current XcodeGhost 'invasion'? Currently I uninstalled the apps in question, but that hardly would be 'enough', I fear?

    Best,
    Viola

    1. David Brooks · in reply to Viola

      Have you tried Malwarebytes?

      https://www.malwarebytes.org/antimalware/mac/

  4. Armus

    but, but… apple can't be hacked. they are invincible. We believe in Steve. It can't happen. lalalalalal not going to listen. lalalalalala.

  5. The Doctor

    It is not that Apple cannot be hacked. All computers can be hacked; just some are a bit harder than others. It seems that because of the size of Xcode from Apple's servers (3.9 gigabytes), the companies that downloaded Xcode from another source thought they were getting a smaller version of Xcode that was easier to download. They were not aware that they were getting a version of Xcode that had been modified to include malware. They started programming apps using the infected version of Xcode, and now Apple has had to go through their software base to remove the infected versions of the apps.

    This does bother me though. I thought Apple tested anything submitted to them just to see if someone was attempting things done by malware, so now Apple's testing comes into question.

  6. Simon

    In light of this, Apple should:

    – Publicly list these apps and/or notify users if they've downloaded them,
    – app developers affected should be made to rewrite their apps or face being banned and/or having their apps revoked, and
    – the App Store should implement a stronger vetting process on who and what are allowed.

    The p1ssing contest between Apple, Google and Microsoft over who has the highest number of apps has probably contributed to the amount of crud that's been allowed in the first place.

    I think they're all guilty of this at one point or another.
