Documents submitted in a court case involving Apple revealed that the XcodeGhost malware discovered in 2015 impacted 128 million iOS users.
The information was uncovered in emails provided recently as part of the antitrust trial between Epic Games and Apple. The game maker filed a lawsuit against the tech giant last year in a California court over its App Store practices, specifically related to Apple removing Epic’s hit game, Fortnite, from the App Store for allegedly violating terms of contract.
The published emails (a link is provided by Ars Technica) show exchanges between Apple employees, including executives, discussing the XcodeGhost incident and the steps the company should take in response.
XcodeGhost is a piece of malware designed to inject malicious code into iOS and OS X applications through rogue versions of Xcode, Apple’s integrated development platform for creating iOS and macOS software. The attackers had delivered the rogue Xcode via third-party websites aimed at Chinese developers.
When the malware was first discovered, cybersecurity companies and independent researchers spotted more than 4,000 iOS applications that had been compromised by XcodeGhost. No malicious OS X apps were seen in the wild.
The malicious iOS apps allowed attackers to collect information about the hacked devices and open arbitrary URLs. However, the malware did not appear to target sensitive user information from devices.
Apple at the time removed the malicious applications from the App Store and provided information for developers on how to determine if the version of Xcode they were using was legitimate.
The emails sent internally by Apple following the incident reveal that Apple had identified more than 2,500 malicious apps that had been downloaded 203 million times from the App Store. The tech giant determined that roughly 128 million customers had been impacted.
While more than half of the affected users were in China, Apple had identified 18 million customers in the United States that had also been impacted. The company debated whether or not it should directly notify all 128 million affected users, but it seems that ultimately it decided not to.
SecurityWeek has reached out to Apple for comment and will update this article if the company responds.
UPDATE: Apple said it kept its users informed about the issue and provided them with information on the steps they could take, but did not say whether it directly notified them.
The company also said it worked with developers at the time to help them publish clean versions of their apps and push the updated versions to customers.