It’s unclear just how many apps were infected with malicious code. Palo Alto Networks, the security firm that discovered the breach, estimates 39 apps were affected. Most of the apps are hugely popular in China, like messaging app WeChat, Uber rival Didi Kuaidi, train ticket app Railway 12306, business card scanner CamCard, and stock trading service Tonghuashun. A Chinese security company is pinning the number of infected apps at 300+.
“To protect our customers, we’ve removed the apps from the App Store that we know have been created with this counterfeit software,” Apple spokeswoman Christine Monaghan told the New York Times.
The malware worked its way into the App Store through an unauthorized version of Xcode, the development software that developers use to build iOS apps. According to a Reuters report, developers downloaded the sham version of Xcode from a Chinese server because it was faster than downloading it from Apple’s U.S.-based server. The Times noted that only developers who had shut off Apple’s safety warnings could install the tampered software, which just goes to show that trying to find a shortcut can go horribly awry.
The story behind the story: This is the first major breach of the App Store. While Android’s open ecosystem leaves the door open to security issues, Apple’s walled garden is typically safe. Each app goes through a careful review process before Apple allows it into the store. But the Xcode malware made its way past Apple’s reviews.
While the malware has had no known effects so far, Palo Alto Networks took a close look at the code and found out what it’s capable of doing.
An infected app might prompt you to re-enter your user ID and password in a phishing attempt. It might ask you for your iCloud details, too. The malware can also access your clipboard, which has huge ramifications for people who use password managers. Here's how that might work with a popular password app, 1Password:
"When people use apps like 1Password to manage their passwords in iOS, they often open 1Password, copy the stored password to the system clipboard, then open the app they want to use and paste the password into the login window. At this moment, a malicious app can directly read the password from the system clipboard. 1Password’s main security design for this situation is that the password stored in the clipboard will only stay there for a very short time. However, since the malware can read it when the app launches, the attack can be successful."
It’s unclear how to know whether your device has been affected by a bad app, but developers are taking steps to clean up their software. WeChat announced that only a specific version of its app was breached by malware, so users who upgrade to the current version in the App Store won’t be affected.
Make sure to upgrade all of your apps to the most current version available, and look out for any strange permission requests. When in doubt, don’t enter any of your personal information, and reach out to a developer if you have questions about an app’s security.