XcodeGhost malware

Hackers have infiltrated the vaunted Apple ecosystem by injecting malicious software into popular Chinese mobile apps, potentially affecting hundreds of millions of users.

Software developers in China were duped into downloading a fake version of Apple’s tool for creating apps for the iPhone and iPad. These developers used a tainted version of Xcode to create apps that contained malicious code more than 300 apps, including the hugely popular instant messaging service WeChat and ride-hailing app Didi Kuaidi, were infected with the XcodeGhost malware, potentially allowing access to private user data including passwords, Chinese state-run media said.

The infected Xcode was hosted on Baidu Pan, a cloud service offered by Chinese search company Baidu Inc., said multiple security researchers.

Apple said in a late Sunday statement that it had taken steps to address the problem. “To protect our customers, we’ve removed the apps from the App Store that we know have been created with this counterfeit software and we are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps,” the statement said.