Xcode Ghost: how the biggest Apple hack in history came about

Stephan Wiesend

As part of the Epic lawsuit, internal Apple emails from 2015 were released that shed new light on XcodeGhost.

XcodeGhost has now been found in Xcode 7 as well.
© Fotolia / Dmitry Nikolaev

The current court case between Apple and Epic (we report on it here daily) keeps producing surprises, because Apple has had to disclose numerous internal documents. Particularly embarrassing for Apple are published internal emails in which Apple managers comment on an incident from 2015.

At the end of 2015, unknown attackers had distributed a version of Apple's Xcode development environment that could be downloaded more easily and quickly in China than from Apple's slow servers. Chinese developers in particular used this tampered version, which the attackers had secretly manipulated and which later became notorious as XcodeGhost. Every app built with it was infected with malware, including apps that were very popular in China, such as WeChat. This made it possible to bypass the security checks of the App Store, and millions of users installed apps contaminated with malware. At the time, Apple warned about the most important infected apps and removed the affected app versions. Until now, however, neither the number of infected apps nor the number of affected users was known. But since major apps like WeChat were affected, it was already suspected that thousands of apps and millions of customers were involved.

128 million victims

According to Apple's internal emails, a record 128 million users and more than 2500 apps were affected at the time of the discovery. "In total, 128M customers have downloaded the 2500+ apps that were affected LTD," said Dale Bagwell, the manager of iTunes customer service. In the US, 18 million users were affected; 55 percent of those affected were Chinese Apple users. As other emails showed, the initial plan was to notify these customers by email. Because of the large number of customers, this would have overloaded the software provided for this purpose, and sending the emails would have taken a week, not counting a further delay for localizing the messages into numerous languages. Apple and Phil Schiller, who was responsible for the App Store at the time, decided instead to notify the developers of the apps and removed the affected versions. In addition, Apple published a short list of the most important affected apps and posted information about the incident on a website. Macwelt also reported on it in detail at the time.

Was the malware dangerous?

The malware itself was not particularly dangerous: according to security researchers, after an infected app was installed, it mainly uploaded information about the affected device to a remote server. This included the name of the app, network information, iPhone ID data and the device name, but no personal data or passwords. According to Palo Alto Networks, however, with a few changes it would have been capable of intercepting passwords or deleting data.

Our opinion

Apple evidently tried to limit the damage at the time and never published the true number of affected users. The comparatively minor damage caused by the malware is no excuse for this lack of openness.