Apple XcodeGhost Malware: List of iOS Apps You Should Delete Immediately

Apple’s App Store in China has apparently been penetrated by Hackers which experts say has placed the devices of hundreds of millions of people at risk.

The malware named XcodeGhost, believed to be a malicious and modified version of Apple‘s very own development software, is said to have compromised a significant number of applications.

Apple Inc. said on Sunday that it was in the process of cleaning up its iOS App Store to remove the malicious iPhone and iPad programs which have been identified as having the XcodeGhost malware embedded into them. It is believed that the number of Apps infected runs into the hundreds making this the first large-scale attack on the software platform.

The security company, Palo Alto Networks, which is investigating the breach said in a blog post:

“Based on this new information, we believe XcodeGhost is a very harmful and dangerous malware that has bypassed Apple’s code review and made unprecedented attacks on the iOS ecosystem.”

They also warned:

“The techniques used in this attack could be adopted by criminal and espionage focused groups to gain access to iOS devices.”

Apple has yet to reveal exactly how many Apps have been compromised by this malware and when asked directly, they declined to answer. A Chinese security firm Qinhoo360 Technology Co did, however, announce in its blog that it had uncovered up to 344 apps which have thus far been compromised.

How Big a Deal Is It?

According to Palo Alto Networks Director of Threat Intelligence Ryan Olson, it is a “pretty big deal” because it proves that Apple’s App Store can be compromised on a large scale by virtue of developers being hacked and having their machines infected. He also believes that other attackers will, in all probability, attempt to copy this approach which has proved to be very hard to defend against. It is his view that “developers are now a huge target”.

Although the Chinese App Store was the target and almost all the Apps affected are used in China, it is not the case for all of them. The apps affected include Tencent Holdings Ltd’s, We Chat, Didi Kuaidi which is a car-hailing app and CamCard which is a business card scanner available for use outside of China.

Targeting Developers

Alibaba, the giant e-commerce firm, had initially flagged up the malware when it was discovered by its researchers. They found that hackers had uploaded a number of altered versions of Xcode which is a tool used to build iOS Apps onto a cloud storage service in China.

The hackers then posted links to the software on forums which are common with Chinese developers. Palo Alto networks stated:

“In China – and in other places around the world – sometimes network speeds are very slow when downloading large files from Apple’s servers,”

“As the standard Xcode installer is nearly three gigabytes, some Chinese developers choose to download the package from other sources.”

The posting of the links to the altered version of the Xcode on developer forums shows that Developers were indeed the principle target of the hackers.

What About The Gatekeeper?

Apple’s security tool, Gatekeeper, which is specifically designed to warn users of any unauthorised programs and stop them running appears to have been disabled by the developers – this allowed them to continue to create iOS apps using the XcodeGhost malware.

What Does this Mean For Users?

All iOS Apps infected with the XcodeGhost malware will collect information about the unsuspecting users device, encrypt and upload that data to command and control servers which are run by the hackers. This is done through HTTP Protocol. According to Palo Alto Networks, the information collected are:

  1. Network type
  2. Device names and type
  3. Infected Apps name
  4. Current time
  5. Devices UUID
  6. System’s language and country
  7. The apps Bundle identifier

It will then receive the following commands according to Palo alto Networks:

  1. Phish user credentials
  2. Read and write data to clipboard
  3. Hijack specific URLs allowing for vulnerability exploitation.

What Is Being Done? 

Apple has issued a statement regarding their plan of action to date:

“We’ve removed the apps from the App Store that we know have been created with this counterfeit software. We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.”

To protect oneself from the XcodeGhost malware, users need to immediately uninstall any infected Apps from the list which can be found here. Alternatively they can update to the latest version which has had the malware removed. Other things which all users should do immediately change your iCloud password as well as any passwords which have been inputted on your device.

If you are a developer, you should install the official version of Xcode 7 & or Xcode 7.1 beta – you can do this from here and always avoid downloading the software from unofficial sources.

Despite the discovery of the malware in Apples App store being unprecedented and embarrassing to say the least and despite the exposure potentially encouraging other hackers to copy; it is believed that this breach will not shake consumer confidence and experts such as Wee Teck Loo, who is head of consumer electronics at market research firm Euromonitor International, do not forecast any major losses for Apple whether that be revenue or sales. 

List of apps that should be deleted immediately: 

  • WeChat
  • Didi Chuxing
  • Angry Birds 2
  • NetEase
  • Micro Channel
  • IFlyTek input
  • Railway 12306
  • The Kitchen
  • Card Safe
  • CITIC Bank move card space
  • China Unicom Mobile Office
  • High German map
  • Jane book
  • Eyes Wide
  • Lifesmart
  • Mara Mara
  • Medicine to force
  • Himalayan
  • Pocket billing
  • Flush
  • Quick asked the doctor
  • Lazy weekend
  • Microblogging camera
  • Watercress reading
  • CamScanner
  • CamCard
  • SegmentFault
  • Stocks open class
  • Hot stock market
  • Three new board
  • The driver drops
  • OPlayer
  • Mercury
  • WinZip
  • PDFReader
  • Perfect365
  • PDFReader Free
  • WhiteTile
  • IHexin
  • WinZip Standard
  • MoreLikers2
  • CamScanner Lite
  • MobileTicket
  • iVMS-4500
  • OPlayer Lite
  • QYER
  • golfsense
  • Ting
  • Golfsensehd
  • Wallpapers10000
  • CSMBP-AppStore
  • MSL108
  • snapgrab copy
  • iOBD2
  • PocketScanner
  • CuteCUT
  • AmHexinForPad
  • SuperJewelsQuest2
  • air2
  • InstaFollower
  • CamScanner Pro
  • baba
  • WeLoop
  • DataMonitor
  • MSL070
  • nice dev
  • immtdchs
  • OPlayer
  • FlappyCircle
  • BiaoQingBao
  • SaveSnap
  • Guitar Master
  • jin
  • WinZip Sector
  • Quick Save

If there are other infected apps we will let you know. Stay tuned.. 


Apple has reportedly removed the XcodeGhost Malware. In a statement, Apple said that

“To protect our customers, we have removed the apps from the App Store that we know have been created with this counterfeit software. We are working with the developers to make sure they are using the proper version of Xcode to rebuild their apps,” according to Wall Street Journal.

Palo Alto Networks

Related Posts