
How the largest hack in the history of the App Store was pulled off

Apple productivity apps (photo: Sean Gallup / Getty Images)

Since its inception in 2008, the iPhone's App Store has been almost malware free.


That changed on Sunday, when Apple said that its App Store had been infiltrated by dozens of infected apps.

One of those was WeChat, the hugely popular messaging app that's regularly used by more than half a billion people around the world.

While the hackers behind the attack are still unknown, the malware's end goal was to collect sensitive information from iPhone owners, like iCloud credentials and other account passwords.

Apps containing malware have slipped into the App Store before, but never at anywhere near this scale. So just how did one piece of malware manage to perform the most sophisticated and widespread attack in the App Store's history?


By getting developers to build their apps with a tainted copy of Xcode, Apple's own tool for making iPhone apps, so that every app compiled with it carried the malware without the developer knowing.

On September 17, 2015, Palo Alto Networks, a network security company, published its findings on XcodeGhost, malware embedded in compromised copies of the iPhone developer toolkit.

The malware was unknowingly distributed by Chinese developers in over 50 apps. In addition to WeChat, Didi Chuxing, a ride-hailing app, and CamCard, an app that scans business cards, had also been infected.

XcodeGhost takes its name from the way it infects apps: through Xcode itself. Compromised versions of Xcode, the toolkit developers use to build iPhone apps on the Mac, were distributed through unofficial channels in China starting in March 2015, according to Palo Alto Networks.


Chinese developers end up using copies of Xcode that didn't come from Apple because the country's internet filtering makes large downloads from servers outside its nationwide firewall slow and unreliable.

Xcode is a multi-gigabyte download, and with Apple's servers outside China, it is often faster to fetch it from a mirror hosted on a domestic file-sharing service, which is exactly where the tainted copies were posted.

On Sunday, Apple said that it was working to remove apps from the App Store that had been submitted from compromised versions of Xcode.

"A fake version of one of these tools was posted by un-trusted sources which may compromise user security from apps that are created with this counterfeit tool," an Apple spokesperson told Reuters. "To protect our customers, we’ve removed the apps from the App Store that we know have been created with this counterfeit software and we are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.”
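A developer who downloaded Xcode from a mirror can check, before rebuilding, whether the copy on the build machine is actually Apple's. The following is an added example, not code from the article, Apple or Palo Alto Networks: it runs `codesign` to confirm the bundle's signature is intact and then asks Gatekeeper (`spctl`) where the bundle came from. The `classify_assessment` helper and the 'ok' / 'untrusted' / 'bad-signature' labels are this example's own; a repackaged Xcode from a file-sharing site cannot report an Apple source.

```python
"""Added example (not from the article or from Apple): verify that a local
Xcode.app is Apple-signed and passes Gatekeeper before building with it."""
import re
import subprocess

# Gatekeeper "source" values that an Apple-distributed Xcode reports.
# A copy re-packaged and re-uploaded by a third party cannot carry these.
APPLE_SOURCES = {"Mac App Store", "Apple", "Apple System"}


def classify_assessment(output: str) -> str:
    """Classify the text of `spctl --assess --verbose <bundle>` as 'ok'
    (accepted, Apple-distributed) or 'untrusted' (anything else).

    Expected shape of the text (first line, then a source line):
        /Applications/Xcode.app: accepted
        source=Mac App Store
    """
    lines = [ln.strip() for ln in output.strip().splitlines()]
    if not lines or not lines[0].endswith(": accepted"):
        return "untrusted"
    for ln in lines[1:]:
        m = re.match(r"source=(.*)$", ln)
        if m:
            return "ok" if m.group(1) in APPLE_SOURCES else "untrusted"
    # Accepted but no source reported: do not trust it either.
    return "untrusted"


def verify_xcode(path: str = "/Applications/Xcode.app") -> str:
    """Run the real checks on a macOS build machine.

    Returns 'bad-signature' if codesign rejects the bundle, otherwise the
    classification of Gatekeeper's assessment ('ok' or 'untrusted').
    """
    # --deep verifies every nested binary and framework inside the bundle;
    # --strict applies the current signing rules rather than legacy leniency.
    r = subprocess.run(
        ["codesign", "--verify", "--deep", "--strict", path],
        capture_output=True, text=True,
    )
    if r.returncode != 0:
        return "bad-signature"
    # spctl reports its verdict on stderr or stdout depending on version,
    # so both streams are combined before classification.
    r = subprocess.run(
        ["spctl", "--assess", "--verbose", path],
        capture_output=True, text=True,
    )
    return classify_assessment(r.stdout + r.stderr)


if __name__ == "__main__":
    print(verify_xcode())
```

Both commands exist only on macOS, and `codesign --verify --deep` over a full Xcode install takes several minutes because it hashes every nested binary. The point of the split is that `classify_assessment` can be exercised offline against captured `spctl` text, while `verify_xcode` is what actually runs on the build host.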

WeChat was compromised by XcodeGhost. It has 600 million monthly active users. Palo Alto Networks

On Saturday, WeChat posted an update to its app that removed the XcodeGhost malware, noting that "a preliminary investigation into the flaw has revealed that there has been no theft and leakage of users’ information or money."

While there have yet to be any confirmed cases of XcodeGhost-infected apps stealing user data such as passwords, the hack does not bode well for the squeaky-clean image of the App Store that Apple likes to maintain.

Apple did not respond to requests for comment on this story.

As a company that loves to tout its software's security over Android's at every chance (and fittingly so: the iPhone accounted for less than 1% of mobile malware in 2014, according to Motive Security Labs), keeping malware out of the App Store is of paramount concern to Apple.


But the sly way XcodeGhost slipped past Apple's famously stringent review process and into the App Store raises the question of whether it could happen again, and on a potentially wider scale.

No walled garden is impenetrable

Unofficial versions of Xcode were distributed through Chinese file sharing websites. Palo Alto Networks

Until XcodeGhost, only five apps containing malware had been found in the App Store since 2008, according to Palo Alto Networks. By targeting the tool developers use to make apps, the hackers behind XcodeGhost were able to infiltrate over 50 apps from different companies and potentially reach hundreds of millions of people.

“This one is certainly the broadest in terms of impact," Palo Alto Networks' Ryan Olson told Tech Insider, referring to the hack and its effect on Apple's ecosystem.

Unlike most past attacks on iOS, which needed a jailbroken device, XcodeGhost's distribution through the App Store let it land on ordinary, unmodified iPhones.


Typically, "jailbroken" iPhones — phones that people have modified to install apps not available in the App Store — are more susceptible to hacking, because jailbreaking removes the restrictions that normally confine what an app can do and gives the user (and any malware) lower-level access to the phone's software than Apple allows.

But XcodeGhost didn't need that level of access once it could get into the App Store. Because the tainted Xcode compiled the malicious code into each app at build time, it shipped inside normal-looking apps from trusted developers, submitted and signed by those developers themselves. Once the malware was in the store, it was only a tap away for anyone with an iPhone.

Apple could have been alerted to the malware by actually running the apps on devices during the App Store's review process, according to Nikias Bassen, a mobile security researcher at Zimperium who was also part of the team of hackers responsible for jailbreaking past versions of iOS.

Bassen told Tech Insider that apps containing XcodeGhost would not necessarily look infected to Apple during a scan of their contents, since the malicious activity occurred only when the app was installed on an iPhone and was communicating with the hacker's servers.


A warning could have been raised had Apple noticed multiple apps from different developers communicating with the same server, according to Bassen. But even then, he noted that the hacker could delay serving messages like "enter iCloud password" until after the app was live in the store, which would avoid Apple's team of reviewers.

"The App Store review process is not transparent," Bassen said. "We don't know what kinds of checks they do and how, and in which cases an actual human would analyze a submitted app."
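The heuristic Bassen describes above, that unrelated developers' apps all talking to one server is a red flag, is easy to state and worth seeing with the caveat that makes it usable. The following is an added example, not code from the article or from Zimperium or Apple. It runs over a constructed set of review-time network observations (app, developer, destination host); the app names, developer labels and hostnames are invented for illustration. Shared hosts are normal when they belong to widely used third-party SDKs, so the check carries an allowlist and a minimum-developer threshold to keep it from flagging every analytics endpoint on the store.

```python
"""Added example (not from the article or from Zimperium): flag servers that
apps from several unrelated developers all contact during review."""
from collections import defaultdict

# Constructed sample of (app, developer, destination host) as a review
# sandbox might log them. Every name here is illustrative.
OBSERVATIONS = [
    ("ChatApp",  "Dev-A", "analytics.example-sdk.net"),
    ("ChatApp",  "Dev-A", "cfg.collector.example"),
    ("RideApp",  "Dev-B", "analytics.example-sdk.net"),
    ("RideApp",  "Dev-B", "cfg.collector.example"),
    ("CardScan", "Dev-C", "cfg.collector.example"),
    ("CardScan", "Dev-C", "cdn.example-sdk.net"),
    ("Notes",    "Dev-D", "cfg.collector.example"),
    ("Notes",    "Dev-D", "analytics.example-sdk.net"),
    ("Weather",  "Dev-E", "api.weather.example"),
]

# Endpoints of popular third-party SDKs that unrelated developers share
# legitimately. Without a baseline like this the heuristic drowns in noise.
KNOWN_SDK_HOSTS = {"analytics.example-sdk.net", "cdn.example-sdk.net"}


def shared_hosts(observations, min_developers=3, allowlist=KNOWN_SDK_HOSTS):
    """Return {host: sorted developer list} for every host contacted by apps
    from at least `min_developers` distinct developers and not allowlisted.

    The developer, not the app, is the unit that matters: one developer
    shipping ten apps that all call home is unremarkable; ten developers
    whose apps share a server they never chose is the XcodeGhost pattern.
    """
    developers_by_host = defaultdict(set)
    for _app, developer, host in observations:
        developers_by_host[host].add(developer)
    return {
        host: sorted(devs)
        for host, devs in developers_by_host.items()
        if host not in allowlist and len(devs) >= min_developers
    }


if __name__ == "__main__":
    for host, devs in shared_hosts(OBSERVATIONS).items():
        print(f"{host}: contacted by apps from {len(devs)} developers {devs}")
```

The allowlist has to be maintained from real traffic, and the threshold tuned to how many apps review sees per day, or the check either misses a small campaign or flags every crash-reporting SDK. It also only catches what the app does while being observed: as Bassen notes, a server that stays quiet until the app is live defeats it, so this belongs alongside post-publication monitoring rather than in place of it.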

There's no guarantee it won't happen again

Could something like XcodeGhost slip past Apple's eye again?

"Now they have patterns they can look for, but there's no guarantee it won't happen again," Bassen said.


Olson, of Palo Alto Networks' threat intelligence research team, said that the origin of the hack is still a mystery, but there's no reason to believe it was orchestrated by a cybersecurity company or government.

“Apple has been really dedicated to maintaining their walled garden for users," he said. But despite what the average iPhone owner may think, “the platform itself, while well protected, is not invulnerable."

At the end of the day, this latest hack is a wake-up call that the App Store isn't as impenetrable to hackers as you may think, and that it's always wise to exercise caution when using the apps on your phone.
