Emails revealed during the Epic Games v. Apple trial show that a total of 128 million iOS users downloaded apps that included the XcodeGhost malware in 2015.
The malware spread via an altered version of Xcode, Apple’s official app development tool.
The malicious version of Xcode had been uploaded to Chinese cloud file sharing service Baidu and downloaded by some iOS developers in China. Those developers then unknowingly compiled apps using the malicious version of Xcode, and then made those apps available on the iOS App Store.
Chinese developers commonly download new versions of Xcode from servers other than Apple’s official source, due to the large size of Xcode, which can take a long time to download in China.
While the malware was quickly stopped, details about the full impact of the attack remained uncertain.
Emails published as a part of the Epic v. Apple trial have finally given us an idea as to the scope of the XcodeGhost attack. A total of 128 million users downloaded at least one of the over 2,500 infected applications. Approximately 18 million of those users were based in the United States, says Vice, which first spotted the emails.
The emails reveal how Apple scrambled to determine how serious the situation was and to notify the victims.
“Due to the large number of customers potentially affected, do we want to send an email to all of them?” said Matt Fischer, vice president of the App Store. “Note that this will pose some challenges in terms of language localizations of the email, since the downloads of these apps took place in a wide variety of App Store storefronts around the world.”
“Just want to set expectations correctly here. We have a mass-request tool that will allow us to send the emails, however we are still testing to make sure that we can accurately include the names of the apps for each customer,” wrote Dale Bagwell, Apple’s iTunes customer experience manager at the time.
While the malware was widespread on the App Store, it turned out to not be particularly sophisticated or malicious.
Apple said at the time that there was no proof the malware had been used for anything malicious, and that the code could only deliver some general information about a device’s apps and system information.