XcodeGhost Malware Security Breach: The Full Report

September 21, 2015
By Max Buondonno

Yesterday, the iOS App Store experienced a huge security breach. Earlier this week, Chinese developers created a new piece of malware called XcodeGhost, an infected version of Xcode, Apple’s official tool for creating iOS and OS X apps, and distributed it by uploading the files to the Chinese cloud file-sharing service Baidu; the malware was then disclosed on the microblogging site known as Sina Weibo (click at your own risk).


Since then, Chinese app developers have unknowingly been compiling iOS applications with the hacked Xcode IDE. The resulting applications passed Apple’s code review process and were distributed via the App Store to every iOS device running an operating system the apps support, so users downloaded, or updated to, the infected versions of the apps.

Every iPhone, iPad, and iPod running an OS able to run the infected apps, jailbroken or not, has been affected by this breach.

Below is a full list of the 95 apps affected by this issue as reported by Palo Alto Networks and Fox-It (fox-it.com):

  • Mercury
  • WinZip
  • Musical.ly
  • PDFReader
  • guaji_gangtai en
  • Perfect365
  • 网易云音乐
  • PDFReader Free
  • WhiteTile
  • IHexin
  • WinZip Standard
  • MoreLikers2
  • CamScanner Lite
  • MobileTicket
  • iVMS-4500
  • OPlayer Lite
  • QYER
  • golfsense
  • 同花顺
  • ting
  • installer
  • 下厨房
  • golfsensehd
  • Wallpapers10000
  • CSMBP-AppStore
  • 礼包助手
  • MSL108
  • ChinaUnicom3.x
  • TinyDeal.com
  • snapgrab copy
  • iOBD2
  • PocketScanner
  • CuteCUT
  • AmHexinForPad
  • SuperJewelsQuest2
  • air2
  • InstaFollower
  • CamScanner Pro
  • baba
  • WeLoop
  • DataMonitor
  • 爱推
  • MSL070
  • nice dev
  • immtdchs
  • OPlayer
  • FlappyCircle
  • 高德地图
  • BiaoQingBao
  • SaveSnap
  • WeChat
  • Guitar Master
  • jin
  • WinZip Sector
  • Quick Save
  • CamCard
  • 网易云音乐 2.8.3
  • 微信 6.2.5
  • 讯飞输入法 5.1.1463
  • 滴滴出行
  • 滴滴打车 – 3.9.7
  • 铁路12306 4.5
  • 下厨房 4.3.2
  • 51卡保险箱 5.0.1
  • 中信银行动卡空间 3.3.12
  • 中国联通手机营业厅 3.2
  • 高德地图 7.3.8
  • 简书 2.9.1
  • 开眼 1.8.0
  • Lifesmart 1.0.44
  • 网易公开课 4.2.8
  • 马拉马拉 1.1.0
  • 药给力 1.12.1
  • 喜马拉雅 4.3.8
  • 口袋记账 1.6.0
  • 同花顺 9.60.01
  • 快速问医生 7.73
  • 懒人周末
  • 微博相机
  • 豆瓣阅读
  • CamScanner
  • CamCard
  • SegmentFault 2.8
  • 炒股公开课
  • 股市热点
  • 新三板
  • 滴滴司机
  • OPlayer 2.1.05
  • 电话归属地助手 3.6.5
  • 愤怒的小鸟2 2.1.1
  • 夫妻床头话 1.2
  • 穷游 6.6.6
  • 我叫MT 5.0.1
  • 我叫MT 2 1.10.5
  • 自由之战 1.1.0


More than 500 million iOS users have been affected due to WeChat being very popular amongst users in China and the Asia-Pacific region.

iOS apps infected with XcodeGhost malware can and do collect information about the device, encrypt it, and upload it over HTTP to command and control (C2) servers run by the attackers, putting millions of iOS devices at risk of attack. The system and app information that can be collected includes:

  • Current time 
  • Current infected app’s name 
  • The app’s bundle identifier 
  • Current device’s name and type 
  • Current system’s language and country 
  • Current device’s UUID 
  • Network type 

Palo Alto Networks also discovered that infected iOS apps can receive commands from the attacker through the C2 server to perform the following actions:

  • Prompt a fake alert dialog to phish user credentials; 
  • Hijack opening specific URLs based on their scheme, which could allow for exploitation of vulnerabilities in the iOS system or other iOS apps; 
  • Read and write data in the user’s clipboard, which could be used to read the user’s password if that password is copied from a password management tool.
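As an added illustration (not code from the article or from Palo Alto Networks), the following Python script shows how a defender could hunt for this beaconing in an HTTP proxy log. The article says infected apps encrypt the collected device profile and upload it over HTTP to attacker-run C2 servers, so the heuristic flags plain-HTTP POSTs to hosts outside an allowlist whose request bodies look like ciphertext (high Shannon entropy), and notes whether the sending app appears on the affected list above. The log format, the allowlist, the `.invalid` C2 hostname and the sample log lines are all constructed for this example.

```python
"""Hunt for XcodeGhost-style beaconing in an HTTP proxy log (added example).

The log format, host allowlist, thresholds and sample lines are constructed
for illustration; the heuristic follows the article's description: an
encrypted device profile POSTed over HTTP to an attacker-run C2 server.
"""
import base64
import hashlib
import math
from collections import Counter
from urllib.parse import urlparse

# A few names from the article's affected-app list, used to rank hits.
AFFECTED_APPS = {"WeChat", "CamScanner", "OPlayer", "Angry Birds 2", "WinZip"}
# Backends the organisation expects its mobile apps to contact (constructed).
ALLOWED_HOSTS = {"api.wechat.example", "sync.camscanner.example"}
# Bits per byte: ciphertext sits near 8, JSON/text near 4-5.
ENTROPY_THRESHOLD = 6.0


def shannon_entropy(data):
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_line(line):
    """Constructed log format: '<ts> <app> <method> <url> <base64 body>'."""
    ts, app, method, url, body_b64 = line.split(" ", 4)
    return {"ts": ts, "app": app, "method": method, "url": url,
            "body": base64.b64decode(body_b64)}


def is_suspicious(entry):
    """Plain-HTTP POST to a non-allowlisted host with an opaque body."""
    host = urlparse(entry["url"]).hostname or ""
    return (entry["method"] == "POST"
            and entry["url"].lower().startswith("http://")
            and host not in ALLOWED_HOSTS
            and shannon_entropy(entry["body"]) >= ENTROPY_THRESHOLD)


def scan(lines):
    """Return (app, host, app_is_on_affected_list) for each matching line."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if is_suspicious(entry):
            hits.append((entry["app"], urlparse(entry["url"]).hostname,
                         entry["app"] in AFFECTED_APPS))
    return hits


def opaque_blob(seed, n_blocks=8):
    """Stand-in for an encrypted profile: 256 bytes of chained SHA-256."""
    out, block = b"", seed.encode()
    for _ in range(n_blocks):
        block = hashlib.sha256(block).digest()
        out += block
    return out


_PLAIN = base64.b64encode(b'{"event":"open","screen":"home"}').decode()
_OPAQUE = base64.b64encode(opaque_blob("xcodeghost-demo")).decode()

# Constructed sample log: a benign TLS call, a beacon from a listed app and
# the same beacon from an unlisted app (still flagged, but ranked lower).
SAMPLE_LOG = [
    f"2015-09-20T10:00:00Z WeChat POST https://api.wechat.example/sync {_PLAIN}",
    f"2015-09-20T10:00:02Z CamScanner POST http://c2.placeholder.invalid/collect {_OPAQUE}",
    f"2015-09-20T10:00:05Z Notes POST http://c2.placeholder.invalid/collect {_OPAQUE}",
]

if __name__ == "__main__":
    for app, host, listed in scan(SAMPLE_LOG):
        tag = "on affected list" if listed else "not on affected list"
        print(f"suspicious beacon: {app} -> {host} ({tag})")
```

The entropy test is what separates this from a plain "unknown host" alert: a legitimate analytics call sends readable JSON, while the article's encrypted profile arrives as an opaque blob. The unlisted app is still reported because the affected list was growing while the story was being written.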

Palo Alto Networks claims that it is cooperating with Apple on the issue, while multiple developers have updated their apps to remove the malware. 

Apple has since issued the following statement to Reuters:


We’ve removed the apps from the App Store that we know have been created with this counterfeit software. We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.
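For developers, "the proper version of Xcode" is something that can be checked rather than assumed. The Python helper below is an added example (not code from the article, Apple or Palo Alto Networks): it wraps the macOS Gatekeeper assessment tool `spctl --assess --verbose`, which for an Apple-signed Xcode reports the bundle as `accepted` with a `source=` line naming Apple or the Mac App Store, and treats any other verdict as a copy that must not be used to build. The two sample outputs embedded in the block are constructed for the example.

```python
"""Check that a local Xcode install is Apple-signed before building with it.

Added example: wraps `spctl --assess --verbose <path>` (macOS Gatekeeper).
A genuine Xcode is reported as '<path>: accepted' with a 'source=' line
naming an Apple channel; anything else should not be used to build.
"""
import subprocess

# Sources Gatekeeper reports for Apple-distributed software.
GENUINE_SOURCES = {"Mac App Store", "Apple", "Apple System"}


def parse_spctl(output):
    """Return (accepted, source) parsed from spctl --assess --verbose text."""
    accepted, source = False, ""
    for line in output.splitlines():
        line = line.strip()
        if line.endswith(": accepted"):
            accepted = True
        elif line.startswith("source="):
            source = line[len("source="):]
    return accepted, source


def is_genuine(output):
    """True only if the bundle was accepted AND came from an Apple source."""
    accepted, source = parse_spctl(output)
    return accepted and source in GENUINE_SOURCES


def assess_xcode(path="/Applications/Xcode.app"):
    """Run spctl on `path` (macOS only) and apply the check above."""
    proc = subprocess.run(["spctl", "--assess", "--verbose", path],
                          capture_output=True, text=True)
    # The verdict may land on either stream, so both are inspected.
    return is_genuine(proc.stdout + proc.stderr)


# Constructed sample outputs for offline testing of the parser.
GENUINE_SAMPLE = "/Applications/Xcode.app: accepted\nsource=Mac App Store\n"
TAMPERED_SAMPLE = "/Applications/Xcode.app: rejected\nsource=no usable signature\n"
# Accepted, but signed by a third-party developer rather than Apple.
THIRD_PARTY_SAMPLE = "/Applications/Xcode.app: accepted\nsource=Developer ID\n"

if __name__ == "__main__":
    print("genuine Xcode" if assess_xcode() else "do NOT build with this Xcode")
```

Run it on each build machine (or in CI) before the first build after a fresh Xcode install; a download from anywhere other than Apple, including a file-sharing mirror like the one described above, fails the `source` check even if the bundle is otherwise valid.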

If you want to protect yourself against this malware, or if you have one of the apps featured on the list above, either update those apps via the App Store to a version from which the malware has been removed, or simply uninstall them. Resetting your iCloud password, and any other password entered on your iOS device, is also strongly recommended as a precautionary measure.

Update: Palo Alto Networks has released a new updated list of the apps affected by this security breach, which includes Angry Birds 2:

  • Angry Birds 2
  • CamCard
  • CamScanner
  • Card Safe
  • China Unicom Mobile Office
  • CITIC Bank move card space
  • Didi Chuxing (developed by Uber’s biggest rival in China, Didi Kuaidi)
  • Eyes Wide
  • Flush
  • Freedom Battle
  • High German map
  • Himalayan
  • Hot stock market
  • I called MT
  • I called MT 2
  • IFlyTek input
  • Jane book
  • Lazy weekend
  • Lifesmart
  • Mara Mara
  • Marital bed
  • Medicine to force
  • Micro Channel
  • Microblogging camera
  • NetEase
  • OPlayer
  • Pocket billing
  • Poor tour
  • Quick asked the doctor
  • Railway 12306 (the only official app used for buying train tickets in China)
  • SegmentFault
  • Stocks open class
  • Telephone attribution assistant
  • The driver drops
  • The Kitchen
  • Three new board
  • Watercress reading
  • WeChat
