Apple Confirms Discovery of Malicious Code in Some App Store Products

Inside an Apple store in China over the weekend. The company said on Sunday that it was working with developers to make sure they were using the proper version of Xcode. Credit: CHINATOPIX, via Associated Press

SAN FRANCISCO — Hackers have found their way into Apple’s App Store.

Apple confirmed on Sunday that a tool used by software developers for the company’s devices was copied and modified by hackers to put bad code into apps available on the App Store.

So far about 40 apps with malicious code, or malware, have made it into the App Store, said researchers at Palo Alto Networks, an online security company that is investigating the incident. In a blog post, the security company said the breach could potentially affect hundreds of millions of users.

The list includes some of the most popular apps in China, like the ride-hailing app Didi Kuaidi. Many of the apps are popular elsewhere as well, like the messaging app WeChat, which has about 500 million users, and the business card scanner CamCard. The Chinese online security company Qihoo said it has found more than 300 infected apps.

The fake developer code “was posted by untrusted sources,” said Christine Monaghan, an Apple spokeswoman. “To protect our customers, we’ve removed the apps from the App Store that we know have been created with this counterfeit software.”

It was unclear on Sunday how many people had downloaded the apps based on the hacked developer tool. Security researchers at the giant Chinese e-commerce company Alibaba, Palo Alto Networks, the app makers and Apple are working to assess the damage, said Ryan Olson, who leads a threat research team at Palo Alto Networks.

Chatter about modified versions of the developer code, called Xcode, started to surface last week on Weibo, China’s version of Twitter.

Researchers found that some copied versions of Xcode had been modified to embed malicious software into apps. As app makers checked to see whether their products had been infected, Apple and security researchers worked to find and get rid of the bad versions of Xcode, which were all on a cloud hosting service owned by the Chinese Internet company Baidu. Mr. Olson said Baidu has removed them.

In a statement posted to an official Tencent blog on Saturday, the company said that the flaw had been repaired and would not affect users who upgrade the WeChat app. “A preliminary investigation into the flaw has revealed that there has been no theft and leakage of users’ information or money, but the WeChat team will continue to closely monitor the situation,” it said.

Apple said on Sunday that it was working with developers to make sure they were using the proper version of Xcode, the tool used to create the apps.

Once the infected apps are downloaded, researchers said, the malicious code can open particular websites designed to infect the device with more viruses. It can also open innocuous-looking pop-up screens that ask users for more information, like passwords to their Apple account.

“Since the dialogue is a prompt from the running application, the victim may trust it and input a password without suspecting foul play,” Palo Alto Networks said in its blog post.

Researchers said only the most recent versions of the apps created with the counterfeit version of Xcode were at risk.

This security breach illustrates the lengths to which hackers will go to break into Apple’s hardware and software, which has long been thought of as having superior security.

“Apple has been extremely successful at keeping malware out of the App Store,” Mr. Olson said.

Mr. Olson said that even in this case, hackers did not crack Apple’s software. Instead they took advantage of the fact that many Chinese developers use copies of Xcode that are held on Chinese servers, since they load faster than the version of the code that’s available from Apple.

The bad Xcode was available only to those developers who had disabled Apple’s safety features. Otherwise Apple would have presented a warning that something was wrong with Xcode, Mr. Olson said.

Many of the websites that were receiving stolen information have been discovered and shut down, according to researchers.

Mr. Olson said versions of Xcode from Apple should be safe.

A correction was made on Sept. 23, 2015:

An article on Monday about the discovery of apps with malicious code in the Apple App Store misspelled the name of a Chinese online security company that said it had found 300 infected apps. It is Qihoo, not Qohoo.

A version of this article appears in print on  , Section B, Page 6 of the New York edition with the headline: Apple Confirms Discovery of Malicious Code in Some App Store Products.
