Apple has said it is taking steps to remove malicious code added to a number of apps commonly used on iPhones and iPads in China.
It is thought to be the first large-scale attack on Apple’s App Store.
The hackers created a counterfeit version of Apple’s software for building iOS apps, which they persuaded developers to download.
Apps compiled using the tool allow the attackers to steal data about users and send it to servers they control.
Cybersecurity firm Palo Alto Networks – which has analysed the malware dubbed XcodeGhost – said the perpetrators would also be able to send fake alerts to infected devices to trick their owners into revealing information.
It added they could also read and alter information in compromised devices’ clipboards, which would potentially allow them to see logins copied to and from password management tools.
Some of the affected apps – including the business card scanner CamCard – are also available outside China.
“We’ve removed the apps from the App Store that we know have been created with this counterfeit software,” said Apple spokeswoman Christine Monaghan.
“We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps,” said Christine Monaghan.
On its official WeChat blog, Tencent said the security issue affected an older version of its app – WeChat 6.2.5 – and that newer versions were not affected.
It added that an initial investigation showed that no data theft or leakage of user information had occurred.
Analysis: Dave Lee, North America technology reporter
In Apple’s walled garden App Store, this sort of thing shouldn’t happen.
The company goes to great lengths, and great expense, to sift through each and every submission to the store. Staff check for quality, usability and, above all else, security.
The Apple App Store is generally considered a safe haven as the barrier to entry is high – there’s only been a handful of instances of malware found on iOS apps, compared to Google’s Play store which for a while was regarded as something of a “Wild West” for apps (until they introduced their own malware-scanning system too).
It makes this attack all the more surprising, as it looks like two groups of supposedly informed people have been caught out.
Firstly developers, who security researchers say were duped into using counterfeit software to build their apps, creating the right conditions for the malware to be applied.
And secondly, Apple’s quality testers, who generally do a very good job in keeping out nasties, but in this case couldn’t detect the threat.
The malware was initially flagged by researchers at the Chinese e-commerce firm Alibaba.
It discovered that the hackers had uploaded several altered versions of Xcode – a tool used to build iOS apps – to a Chinese cloud storage service.
Then, about six months ago, the attackers posted links to the software on several forums commonly visited by Chinese developers.
“In China – and in other places around the world – sometimes network speeds are very slow when downloading large files from Apple’s servers,” explained Palo Alto Networks in a follow-up blog.
“As the standard Xcode installer is nearly three gigabytes, some Chinese developers choose to download the package from other sources.”
It added that potentially hundreds of millions of users might have been affected.
Apple does have a security tool – called Gatekeeper – that is designed to alert users to unauthorised Mac programs and stop them from being run. However, it appears the developers must disabled the facility, allowing them to create iOS apps with XcodeGhost.
Sense of security
Despite the many news headlines about the breach, one expert said he did not forecast a major impact on the sale of Apple products.
“It is definitely embarrassing for Apple but the reality is that malware is a persistent problem since the days of PCs and the problem will multiply as the number of mobile devices explodes from 1.4 billion units in 2015 to 1.8 billion in 2020,” Wee Teck Loo, head of consumer electronics at market research firm Euromonitor International, told the BBC.
In fact, consumers are less cautious on mobile devices than on PCs, he added.
“In emerging markets like China or Vietnam, mobile devices are their first connected product and security is taken for granted,” he said.
“Consumers in emerging markets are also less protective of privacy and security issues.”
Earlier this month, login names and passwords for more than 225,000 Apple accounts were stolen by cyber-thieves in China.
It was uncovered by security firm Palo Alto Networks while investigating suspicious activity on many Apple devices. It found a malicious software family that targets jailbroken iPhones.
The majority of people affected were in China.