XcodeGhost Malware Discovered in 2015 Impacted 128 Million iOS Users

Documents submitted in a court case involving Apple revealed that the XcodeGhost malware discovered in 2015 impacted 128 million iOS users.

The information was uncovered in emails produced recently as part of the antitrust trial between Epic Games and Apple. The game maker filed a lawsuit against the tech giant last year in a California court over its App Store practices, specifically Apple's removal of Epic's hit game, Fortnite, from the App Store for allegedly violating the terms of its contract.

The published emails (a link is provided by Ars Technica) show exchanges between Apple employees, including executives, discussing the XcodeGhost incident and the steps the company should take in response.

XcodeGhost is malware that injects malicious code into iOS and OS X applications at build time through trojanized copies of Xcode, Apple's integrated development environment for creating iOS and OS X software. The attackers distributed the rogue Xcode builds via third-party download sites aimed at Chinese developers, so apps compiled with them were compromised without the developers having to do anything else.

When the malware was first discovered, cybersecurity companies and independent researchers identified more than 4,000 iOS applications that had been compromised by XcodeGhost. No compromised OS X apps were seen in the wild.

The trojanized iOS apps allowed attackers to collect information about the infected devices and to open arbitrary URLs on them. The malware did not, however, appear to be designed to harvest sensitive user data from the devices.

Apple at the time removed the affected applications from the App Store and published guidance for developers on how to verify that the copy of Xcode they were using was genuine.
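The verification Apple pointed developers to relied on Gatekeeper's assessment tool. The script below is an added example, not code from the article or from Apple: it wraps `spctl --assess --verbose` against the Xcode bundle and accepts only an "accepted" verdict whose source is one Apple controls. The expected source values (Mac App Store, Apple, Apple System) are taken from my recollection of Apple's 2015 developer note and should be confirmed against Apple's current documentation; the function names and the sample spctl output used for illustration are this example's own.

```shell
#!/bin/sh
# Added example: check whether an installed Xcode.app passes Gatekeeper
# assessment with an Apple-controlled source. The expected "source="
# values (Mac App Store, Apple, Apple System) are an assumption drawn
# from Apple's 2015 developer note, not from the article. Function
# names are this example's own.

# classify_spctl_output: read `spctl --assess --verbose` output from
# stdin, print a one-line verdict, and return 0 only when Gatekeeper
# accepted the bundle AND the source is one Apple controls. A bundle
# signed with a third-party Developer ID is "accepted" by Gatekeeper
# but is still not a genuine Xcode, so it is reported as untrusted.
classify_spctl_output() {
    out=$(cat)
    # With --verbose, spctl prints "<path>: accepted" or "<path>: rejected"
    # followed by a "source=<origin>" line.
    src=$(printf '%s\n' "$out" | sed -n 's/^source=//p' | head -n 1)
    case "$out" in
        *": accepted"*) verdict=accepted ;;
        *": rejected"*) verdict=rejected ;;
        *)              verdict=unknown ;;
    esac
    if [ "$verdict" = accepted ]; then
        case "$src" in
            "Mac App Store"|"Apple"|"Apple System")
                echo "trusted ($src)"
                return 0 ;;
            *)
                echo "untrusted signer: ${src:-none}"
                return 1 ;;
        esac
    fi
    echo "gatekeeper verdict: $verdict (source: ${src:-none})"
    return 1
}

# check_xcode [path]: run the real assessment. spctl only exists on macOS,
# so the function returns 2 elsewhere instead of pretending to pass.
check_xcode() {
    app=${1:-/Applications/Xcode.app}
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not found; run this on macOS" >&2
        return 2
    fi
    if [ ! -d "$app" ]; then
        echo "no app bundle at $app" >&2
        return 2
    fi
    spctl --assess --verbose "$app" 2>&1 | classify_spctl_output
}

# When executed directly with a path, assess that bundle, e.g.
#   sh check_xcode.sh /Applications/Xcode.app
if [ "$#" -gt 0 ]; then
    check_xcode "$1"
fi
```

The point of the second `case` is the caveat a practitioner should keep in mind: Gatekeeper's "accepted" verdict only says the bundle carries a valid signature it trusts, which a trojanized Xcode re-signed with any Developer ID would also satisfy. What distinguishes a genuine copy is the source, so the check has to look at that line rather than stop at the verdict.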

Apple's internal emails following the incident reveal that the company had identified more than 2,500 malicious apps, downloaded a combined 203 million times from the App Store. Apple determined that roughly 128 million customers had been affected.

While more than half of the affected users were in China, Apple also identified 18 million affected customers in the United States. The company debated whether it should directly notify all 128 million affected users, but it appears to have ultimately decided against doing so.

SecurityWeek has reached out to Apple for comment and will update this article if the company responds.

UPDATE: Apple said it kept its users informed about the issue and provided them with information on the steps they could take, but did not say whether it directly notified them.

The company also said it worked with developers at the time to help them publish clean versions of their apps and push the updated versions to customers.

Related: XcodeGhost Malware Updated to Target iOS 9

Related: Apple Loses Copyright Suit Against Security Startup

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
