XcodeGhost apps

Apple today refreshed its official XcodeGhost FAQ webpage, listing the top 25 iPhone and iPad apps on the App Store that contain the widely reported though mostly harmless XcodeGhost malware.

In addition to WeChat, one of the top messaging apps in the world, Rovio’s Angry Birds 2 and China Unicom’s Customer Service app, most of the listed apps are distributed on the Chinese App Store only.

“If users have one of these apps, they should update the affected app which will fix the issue on the user’s device,” writes the company. “If the app is available on App Store, it has been updated, if it isn’t available it should be updated very soon.”

Apple has pulled many of the infected apps and said it’s working closely with developers to get impacted apps back on the App Store.

The Cupertino firm underscores that after the top 25 impacted apps, the number of impacted users “drops significantly“.

The full list of the top 25 apps affected by XcodeGhost is as follows:

  • WeChat
  • DiDi Taxi
  • 58 Classified – Job, Used Cars, Rent
  • Gaode Map – Driving and Public Transportation
  • Railroad 12306
  • Flush
  • China Unicom Customer Service (Official Version)
  • CarrotFantasy 2: Daily Battle
  • Miraculous Warmth
  • Call Me MT 2 – Multi-server version
  • Angry Bird 2 – Yifeng Li’s Favorite
  • Baidu Music – A Music Player that has Downloads, Ringtones, Music Videos, Radio, and Karaoke
  • DuoDuo Ringtone
  • NetEase Music – An Essential for Radio and Song Download
  • Foreign Harbor – The Hottest Platform for Oversea Shopping
  • Battle of Freedom (The MOBA mobile game)
  • One Piece – Embark (Officially Authorized)
  • Let’s Cook – Recipes
    Heroes of Order & Chaos – Multiplayer Online Game
  • Dark Dawn – Under the Icing City (the first mobile game sponsored by Fan BingBing)
  • I Like Being With You
  • Himalaya FM (Audio Book Community)
  • CarrotFantasy
  • Flush HD
  • Encounter – Local Chatting Tool

Some of these apps are no longer on the App Store while others, like WeChat, are available as their developers have issued timely updates that get rid of the malware.

“After the top 25 impacted apps, the number of impacted users drops significantly,” says Apple. Of course, these are just the top 25 apps that contain the malware as there are undoubtedly many more lesser known apps infected by XcodeGhost.

Estimates by independent researchers like FireEye Labs and SourceDNA range from 1,000 to more than 4,000 App Store apps containing the malware.

“As of September 21, 2015, we found 28 percent of apps that contain XcodeGhost are still live,” SourceDNA writes. “We also found that 40 percent of apps that had it are still unavailable, while 32 percent have been fixed and re-released.”

XcodeGhost uses a rogue version of Apple’s Xcode tool for iOS and OS X development to inject its payload into apps. Developers in countries like China have downloaded these infected Xcode builds from China’s Baidu servers because multi-gigabyte Xcode downloads from the Mac App Store initiated within China are slow.

“Sometimes developers search for our tools on other, non-Apple sites in an effort to find faster downloads of developer tools,” Apple explains

Apple has since provided instructions for developers to check if their Xcode copy has been tampered with and has promised to soon offer local Xcode downloads in China in order to minimize exposure to the malware.

“We’re working to make it faster for developers in China to download Xcode betas,” said the firm.

Trojanized apps have been found to send usage data collected from infected devices to the cloud much like many advertising networks do. XcodeGhost can also pop up a custom alert box, but not accept input from the user.

However, the malware is capable of opening arbitrary URLs, which can be a problem as these URLs can contain phishing webpages for stealing credentials for services like Apple ID, Facebook, eBay, PayPal and more, or forward users to an enterprise-signed malicious app that can be installed on non-jailbroken devices.

Source: Apple

  • Benedict

    Does Apple remove those apps only in the App Store or also from infected devices?

    • 5723alex .

      Apple, contrary to others, doesn’t touch, remotely, devices.

      • smtp25

        There is a kill switch though isn’t there? whether theyd use it or not unless in extreme cases

      • Benedict

        That’s extremely bad.


    I don’t have any of those apps on my device..

    • smtp25

      Would most people have ANY of those looking at the names 🙂 and sound of what the might be about. (except wechat)

  • L J

    I don’t even know half or these apps, but thats a good thing

  • Noohar

    “In addition to WeChat, one of the top messaging apps in the world.” Since when? It’s heavily punted here in South Africa as one of our major media corps owns a percentage of the Holding Company of WeChat but I still know of no one that uses it.

    • Skoven

      Many people use it in China.
      Also: from Wikipedia: “It is the largest standalone messaging app by monthly active users.”

      I only have it installed because of my friend, who is in China at the moment.

  • leart

    I have never seen those apps before

  • Dan

    Garbage apps pretty much.

  • kickinghorse99

    What about the apps saved in the icloud?

    • smtp25

      Are they really saved or just links back to the app store. I think they are just saying these are the ones you’ve purchaged/got previously

  • So a bunch of no name apps I would never have anyway?? ha