Pierluigi Paganini May 11, 2021

Court documents revealed that the infamous XcodeGhost malware, which has been active since 2015, infected 128 million iOS users.

Documents provided in a court case that sees Epic Games v. Apple Inc. revealed that the XcodeGhost malware impacted 128 million iOS users.

Epic Games filed a lawsuit against Apple in a California court over its violation of terms of contract for the use of the App Store after the IT giant removed some games, including Fortnite, from the official App Store.

According to documents shared by Ars Technica, Apple managers were aware of a mass infection that impacted 128 million iPhone users but avoided notifying them.

The mass hack was the result of the availability of 4000 malicious apps in the App Store, the apps were found containing the XCodeGhost Malware.

“In September 2015, Apple managers had a dilemma on their hands: should, or should they not notify 128 million iPhone users of what remains the worst mass iOS compromise on record? Ultimately, all evidence shows, they chose to keep quiet.” reported Arstechnica.

Court documents include emails exchanged between Apple employees, including executives, that were analyzing the XcodeGhost mass hack.

The XcodeGhost is used by threat actors to take over the victim’s mobile device, it allows them to steal credentials, hijack user’s traffic, and steal iCloud passwords.

XcodeGhost injects malicious code into iOS and OS X applications through rogue versions of Xcode delivered via third-party websites aimed at Chinese developers.

At the time of the discovery of XcodeGhost in the App store, the company removed the malicious ass from the App Store.

According to the emails analyzed in the court case. Apple identified more than 2,500 malicious apps that had been totally downloaded 203 million times from the official store impacting roughly 128 million customers.

While more than half of the affected users were in China, Apple had identified 18 million customers in the United States that had also been impacted. The company debated whether or not it should notify all 128 million affected users, but it seems that ultimately it decided not to.

“An email entered into court this week in Epic Games’ lawsuit against Apple shows that, on the afternoon of September 21, 2015, Apple managers had uncovered 2,500 malicious apps that had been downloaded a total of 203 million times by 128 million users, 18 million of whom were in the US.” continues Arstechnica.

Apple only published a post that provided general information about the malicious campaign and listed only the top 25 most downloaded apps. 

“The lack of follow-through is disappointing. Apple has long prioritized the security of the devices it sells. It has also made privacy a centerpiece of its products. Directly notifying those affected by this lapse would have been the right thing to do. We already knew that Google routinely doesn’t notify users when they download malicious Android apps or Chrome extensions. Now we know that Apple has done the same thing.” concludes Arstechnica.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Apple)

[adrotate banner=”5″]

[adrotate banner=”13″]