Apple Confirms Discovery of Malicious Code in Some App Store Products
SAN FRANCISCO — Hackers have found their way into Apple’s App Store.
Apple confirmed on Sunday that a tool used by software developers for the company’s devices was copied and modified by hackers to put bad code into apps available on the App Store.
So far about 40 apps with malicious code, or malware, have made it into the App Store, said researchers at Palo Alto Networks, an online security company that is investigating the incident. In a blog post, the security company said the breach could potentially affect hundreds of millions of users.
The list includes some of the most popular apps in China, like the ride-hailing app Didi Kuaidi. Many of the apps are popular elsewhere as well, like the messaging app WeChat, which has about 500 million users, and the business card scanner CamCard. The Chinese online security company Qihoo said it has found more than 300 infected apps.
The fake developer code “was posted by untrusted sources,” said Christine Monaghan, an Apple spokeswoman. “To protect our customers, we’ve removed the apps from the App Store that we know have been created with this counterfeit software.”
It was unclear on Sunday how many people had downloaded the apps based on the hacked developer tool. Security researchers at the giant Chinese e-commerce company Alibaba, Palo Alto Networks, the app makers and Apple are working to assess the damage, said Ryan Olson, who leads a threat research team at Palo Alto Networks.
Chatter about modified versions of the developer code, called Xcode, started to surface last week on Weibo, China’s version of Twitter.
Researchers found that some copied versions of Xcode had been modified to embed malicious software into apps. As app makers checked to see whether their products had been infected, Apple and security researchers worked to find and get rid of the bad versions of Xcode, which were all on a cloud hosting service owned by the Chinese Internet company Baidu. Mr. Olson said Baidu has removed them.
In a statement posted to an official Tencent blog on Saturday, the company said that the flaw had been repaired and would not affect users who upgrade the WeChat app. “A preliminary investigation into the flaw has revealed that there has been no theft and leakage of users’ information or money, but the WeChat team will continue to closely monitor the situation,” it said.
Apple said on Sunday that it was working with developers to make sure they were using the proper version of Xcode, the tool used to create the apps.
Once the infected apps are downloaded, researchers said, the malicious code can open particular websites designed to infect the device with more viruses. It can also open innocuous-looking pop-up screens that ask users for more information, like passwords to their Apple account.
“Since the dialogue is a prompt from the running application, the victim may trust it and input a password without suspecting foul play,” Palo Alto Networks said in its blog post.
Researchers said only the most recent versions of the apps created with the counterfeit version of Xcode were at risk.
This security breach illustrates the lengths to which hackers will go to break into Apple’s hardware and software, which have long been thought of as having superior security.
“Apple has been extremely successful at keeping malware out of the App Store,” Mr. Olson said.
Mr. Olson said that even in this case, hackers did not crack Apple’s software. Instead they took advantage of the fact that many Chinese developers use copies of Xcode that are held on Chinese servers, since they load faster than the version of the code that’s available from Apple.
The bad Xcode was available only to those developers who had disabled Apple’s safety features. Otherwise Apple would have presented a warning that something was wrong with Xcode, Mr. Olson said.
Many of the websites that were receiving stolen information have been discovered and shut down, according to researchers.
Mr. Olson said versions of Xcode from Apple should be safe.
An article on Monday about the discovery of apps with malicious code in the Apple App Store misspelled the name of a Chinese online security company that said it had found 300 infected apps. It is Qihoo, not Qohoo.