Getty Images
Apple has said it is taking steps to remove malicious code added to a number of apps commonly used on iPhones and iPads in China.
It is thought to be the first large-scale attack on Apple's App Store.
The hackers had created a counterfeit version of Apple's software for building iOS apps, which it persuaded developers to download.
Apps compiled using the software could steal data about the users and send it to servers controlled by the hackers.
In addition, the attackers could send fake alerts to infected devices to trick their owners into revealing passwords and other information.
The infected applications includes Tencent's hugely popular WeChat app, a music downloading app and an Uber-like car hailing app.
Some of the affected apps - including the business card scanner CamCard - are also available outside China.
An Apple spokeswoman said apps created using the counterfeit software, XcodeGhost, had now been removed from the App Store.
"We are working with the developers to make sure they're using the proper version of Xcode to rebuild their apps," said Christine Monaghan.
Analysis: Dave Lee, North America technology reporter
In Apple's walled garden App Store, this sort of thing shouldn't happen.
The company goes to great lengths, and great expense, to sift through each and every submission to the store. Staff check for quality, usability and, above all else, security.
The Apple App Store is generally considered a safe haven as the barrier to entry is high - there's only been a handful of instances of malware found on iOS apps, compared to Google's Play store which for a while was regarded as something of a "Wild West" for apps (until they introduced their own malware-scanning system too).
It makes this attack all the more surprising, as it looks like two groups of supposedly informed people have been caught out.
Firstly developers, who security researchers say were duped into using counterfeit software to build their apps, creating the right conditions for the malware to be applied.
And secondly, Apple's quality testers, who generally do a very good job in keeping out nasties, but in this case couldn't detect the threat.
Follow Dave Lee on Twitter @DaveLeeBBC
On its official WeChat blog, Tencent said the security issue affects an older version of the app - WeChat 6.2.5 and the newest versions were not impacted.
It added that an initial investigation showed that no data theft or leakage of user information had occurred.
Cybersecurity firm Palo Alto Networks said on Friday that potentially hundreds of millions of users were impacted by the infected apps.
"We believe XcodeGhost is a very harmful and dangerous malware that has bypassed Apple's code review and made unprecedented attacks on the iOS ecosystem," the firm said on its website.
But Wee Teck Loo, head of consumer electronics at market research firm Euromonitor International, said he did not forecast a major impact on the sale of Apple products.
"It is definitely embarrassing for Apple but the reality is that malware is a persistent problem since the days of PCs and the problem will multiply as the number of mobile devices explodes from 1.4 billion units in 2015 to 1.8 billion in 2020," he told the BBC.
In fact, consumers are less cautious on mobile devices than on PCs, he added.
"In emerging markets like China or Vietnam, mobile devices are their first connected product and security is taken for granted," he said.
"Consumers in emerging markets are also less protective of privacy and security issues," added Mr Wee.
Earlier this month, login names and passwords for more than 225,000 Apple accounts were stolen by cyber-thieves in China.
It was uncovered by security firm Palo Alto Networks while investigating suspicious activity on many Apple devices. It found a malicious software family that targets jailbroken iPhones.
The majority of people affected were in China.
No comments:
Post a Comment