XcodeGhost Q&A

I’ve heard about malicious apps created by XcodeGhost — what does this mean?

We always recommend developers use the free, secure tools we provide them — including Xcode — to ensure they’re creating the most secure apps for App Store customers. Some developers downloaded counterfeit versions of Xcode that have been infected with malware and created apps that were just as infected.

Apple incorporates technologies like Gatekeeper expressly to prevent non-App Store and/or unsigned versions of programs, including Xcode, from being installed. Those protections had to have been deliberately disabled by the developer for something like XcodeGhost to successfully install.

As part of providing developers the industry's most advanced tools, Apple provides developers the following checks to ensure software is untampered:

• The Xcode app is code-signed by Apple.
• When you download Xcode from the Mac App Store the code signature for Xcode is automatically checked and validated by your system.
• When you download Xcode from the Apple Developer Program web site, the code signature for Xcode is automatically checked and validated by your system by default as long as Gatekeeper is not disabled.

Why would a developer put customers at risk by downloading counterfeit software?

Sometimes developers search for our tools on other, non-Apple sites in an effort to find faster downloads of developer tools.

We’re working to make it faster for developers in China to download Xcode betas. To verify that their version of Xcode has not been altered, they can take the following steps posted at <developer.apple.com>.

How does this affect me? How do I know if my device has been compromised

We have no information to suggest that the malware has been used to do anything malicious or that this exploit would have delivered any personally identifiable information had it been used.

We’re not aware of personally identifiable customer data being impacted and the code also did not have the ability to request customer credentials to gain iCloud and other service passwords.

As soon as we recognized these apps were using potentially malicious code we took them down. Developers are quickly updating their apps for users.

Malicious code could only have been able to deliver some general information such as the apps and general system information.

Is it safe for me to download apps from App Store?

We have removed the apps from the App Store that we know have been created with this counterfeit software and are blocking submissions of new apps that contain this malware from entering the App Store.

We’re working closely with developers to get impacted apps back on the App Store as quickly as possible for customers to enjoy.

A list of the top 25 most popular apps impacted are listed below. After the top 25 impacted apps, the number of impacted users drops significantly.

If users have one of these apps, they should update the affected app which will fix the issue on the user’s device. If the app is available on App Store, it has been updated, if it isn’t available it should be updated very soon.

We will update this page with more information as it becomes available. Please check back from time to time.