According to reports, nearly 128 million iOS users downloaded apps containing the XcodeGhost malware but Apple did not inform victims about the attack.
In March 2021, Hackread.com reported the supply-chain attack in which XcodeSpy malware was used to target developers working in Apple's Xcode integrated development environment. A similar attack was carried out back in 2015 with malware codenamed XcodeGhost, which let attackers insert malicious code into otherwise legitimate apps by way of tampered copies of Xcode downloaded from third-party websites rather than from Apple.
Xcode is Apple's official toolchain for building iOS and macOS apps, so a trojanized copy compromises every app compiled with it. At the time, it was reported that Apple had stopped the attack quickly.
However, according to a new report, emails presented during the Epic Games vs. Apple court proceedings have revealed startling new details about that attack. It turns out that nearly 128 million iOS users downloaded apps containing the XcodeGhost malware. Reportedly, Apple kept the scale of the incident quiet and never shared the full details of its impact.
An Epic Spillover
The two companies have been fighting in court since Apple removed the battle royale game Fortnite from its App Store in August 2020, after Epic added its own in-app payment system to bypass Apple's 30% commission on in-app purchases.
Ars Technica, which first reported on the court filings, stated that Epic has produced a series of emails showing that Apple management chose not to inform the 128 million affected iPhone users about what was then the largest mass compromise of the iOS ecosystem.
The hack came to light in September 2015, around the launch of the iPhone 6S, when cybersecurity researchers at Palo Alto Networks investigated the XcodeGhost malware. Initial reports put the number of infected apps on the App Store at about 40.
That figure later rose sharply, with subsequent analysis identifying roughly 4,000 infected apps. Researchers also noted that the infected apps contained code that could enrol iOS devices in a botnet and exfiltrate user and device data.
Apple’s Reputation At Stake?
Epic Games has released a trove of emails in which Apple managers discussed the repercussions of sending a warning email to the 128 million users worldwide affected by the attack. In one of the reputation-denting emails, Apple's App Store VP Matthew Fischer wrote to the company's Senior Vice President of Worldwide Marketing, Greg Joswiak, and to PR staffers Christine Monaghan and Tom Neumayr:
“Joz, Tom, and Christine—due to the large number of customers potentially affected, do we want to send an email to all of them?”
“Note that this will pose some challenges in terms of language localizations of the email since the downloads of these apps took place in a wide variety of App Store storefronts around the world,” Fischer’s email read.
“Just want to set expectations correctly here. We have a mass-request tool that will allow us to send the emails, however, we are still testing to make sure that we can accurately include the names of the apps for each customer,” Apple’s iTunes’ then-customer experience manager Dale Bagwell wrote in another email.
Notably, no such email was ever sent, and Apple's representative could not provide the court with any evidence that a customer notification had been drafted or dispatched.
Whether or not a notification was ever prepared, the fact that Apple opted not to notify its users about the mass compromise six years ago sits awkwardly with its reputation as a privacy-focused company. Apple has long marketed itself as a company dedicated to safeguarding user privacy and even had a much-publicised face-off with the FBI. By bringing these emails into the court record, Epic Games has achieved its aim of denting Apple's reputation.