CUPERTINO, Ca. – A top Apple executive said Tuesday that measures have now been taken to prevent any more malicious apps to be found in the App Store, like the dozens reported last week.
Phil Schiller, the company’s senior vice president of worldwide marketing, said the source of the tainted apps was a program called XcodeGhost, a counterfeit version of Xcode, the platform used by developers to create programs for iOS and Mac.
Developers in China often download Xcode from local sites due to the slow download speeds associated with sourcing it officially from Apple’s US servers. The spurious version of Xcode was slipped in amongst the authentic ones on Chinese sites and downloaded by many programmers, unbeknownst to them.
“In the US it only needs 25 minutes to download,” Schiller told Sina, admitting that in China getting Xcode “may take three times as long.” He told a Chinese publication that, to quell this problem, Apple would be providing an official source for developers in the People’s Republic to download Xcode domestically.
He added that Apple will soon reveal a list of 25 apps it knows to have been infected. However, Schiller made sure to note that the malware is relatively harmless and that there’s no evidence of it stealing any information from users that have downloaded a tainted app.
The App Store’s security breach was initially reported by Palo Alto Networks. The company said 39 apps were compromised, including ones used for trading stocks and banking. Also among them was WeChat, a messaging app with over 500 million monthly users. Its developer, Tencent, has said that only users of an older version could be affected.
“We’ve removed the apps from the App Store that we know have been created with this counterfeit software,” an Apple spokeswoman said on Monday. “We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.”
