Several apps, including WeChat, Chinese cab service Didi Kuaidi and card scanning tool CamCard, contained malicious code that could, according to security firm Palo Alto Networks, prompt fake alerts to phish user details, hijack URLs, as well as read and write data — such as passwords — from the clipboard.
The code appears to have been injected by XcodeGhost, a counterfeit version of Apple’s Xcode software that is used to build iOS and Mac apps.
Apple spokeswoman Christine Monaghan told Reuters:
“We’ve removed the apps from the App Store that we know have been created with this counterfeit software. We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.”
Palo Alto Networks said it has not yet detected any signs of data theft or other harm as a result of the attack.
It also noted that developers may have used XcodeGhost instead of Apple’s official tool as it was made available from a server in China and was quicker to download than Xcode, which came from the company’s US servers. For its part, WeChat addressed the issue over the weekend.
What’s frightening about the incident is that numerous trusted apps infected with the malicious code managed to pass Apple’s code review undetected. It’s possible that other hackers may attempt to copy this technique, using legitimate developers as vectors for future attacks.
We’ve contacted Apple for further comment and will update this post if we hear back.
Image credit: Microsiervos Geek Crew / Flickr