A total of 128 million iOS users downloaded apps that were affected by the XcodeGhost malware in 2015, according to emails revealed during the Epic Games v. Apple trial.
The XcodeGhost malware was inserted into otherwise legitimate applications to mine user data in a coordinated campaign in 2015. Although the malware was quickly stopped, details about the full impact of the attack remained murky.
However, emails published as part of the Epic v. Apple trial have finally given us a clearer picture of the scope of the hack. In total, 128 million users downloaded the more than 2,500 tainted applications. About 18 million of those users were in the U.S., according to Vice, which first spotted the emails.
In addition to revealing the magnitude of the hack, the emails also detail how Apple scrambled to work out how serious it was and notify victims.
"Due to the large number of customers potentially affected, do we want to send an email to all of them?" said Matt Fischer, vice president of the App Store. "Note that this will pose some challenges in terms of language localizations of the email, since the downloads of these apps took place in a wide variety of App Store storefronts around the world."
Dale Bagwell, Apple's iTunes customer experience manager at the time, agreed that a mass notification would be challenging.
"Just want to set expectations correctly here. We have a mass-request tool that will allow us to send the emails, however we are still testing to make sure that we can accurately include the names of the apps for each customer," Bagwell wrote.
Bagwell also brought up some of the limitations of the tool, including the fact that sending a mass batch of emails to 128 million people could take up to a week.
Although the malware was widespread on the App Store, it wasn't particularly sophisticated or dangerous. At the time, Apple said it didn't have any information to suggest it was used to do anything malicious or harvest personally identifiable information.
The incident led Apple to acquire SourceDNA, a startup specializing in malware detection.
11 Comments
“Although the malware was widespread on the App Store, it wasn't particularly sophisticated or dangerous. At the time, Apple said it didn't have any information to suggest it was used to do anything malicious or harvest personally identifiable information.”
So what’s the big deal?
Yep let’s definitely remove even more barriers to publishing software on these devices which carry all of our personal information, banking access, private messages/photos/etc. /s
It’s like we don’t already have a preview of this with Cydia on jail-broken iPhones: Malware packaged with all manner of titles, especially free games which lures in naive users and kids.
Also keep in mind that the smartphone platforms are constantly the target from blackhats to intelligence agencies: the idea of opening the gates to 3rd party stores out of Apple’s control is plainly stupid.
I really don’t understand the path Epic is going down. Apple bought a security company because bad developers added possibly malicious code. So unlike Epic’s in-app virtual currency V-bucks, Apple has to continue to develop the App Store ecosystem to keep it functioning.
Seems like this is a great example of how the app store adds value - a malicious app is discovered and Apple can deactivate it, improving the security for everyone.