XcodeGhost is the first widespread malware to be publicly found in apps available through the App Store. Fortunately, it is relatively benign and easily identified.

But where did it come from? What kind of uptake did it achieve? And why are apps that contain it still available in the App Store?

We scanned over a million iOS apps to find out. In total, we now know almost 1,000 apps ever had this malware, far more than initial reports of 40 to 400.

The good news is that reports about XcodeGhost being used for phishing were incorrect, as well as speculation about CIA involvement. It can pop up a custom alert box, but not accept input from the user (thanks, Rosyna). It gathers data about the device and OS, sending it back to the control server the same way advertising networks do. The most alarming feature is it can open arbitrary URLs, which can be a vector to exploiting other apps on the device.

To discover all variants of XcodeGhost for ourselves, we used SourceDNA’s code matching engine to find all binary code that was common to the initial samples of apps we knew had XcodeGhost in them. Then, we searched our index for all versions of apps that contain at least 50% of that shared code. This would reveal any derivative malware kits as well.

We found no significant variation amongst the instances of XcodeGhost. All the binaries match the source code that was published to Github. The binary code we identified is not obfuscated in any apps, supporting the conclusion that this is not part of a focused malware effort.

This means Apple should be able to find and eliminate XcodeGhost in every published app.

So why are so many infected apps still live after Apple tried to remove it from the App Store? As of September 21st, we found 28% of apps that contain XcodeGhost are still live. We also found that 40% of apps that had it are still unavailable, while 32% have been fixed and re-released.

Perhaps there’s a bottleneck because of the flood of iOS 9 apps being published? No one knows for sure.

The security software firm Palo Alto Networks has been tracking the outbreak. They initially announced CamCard was compromised. The developers then checked their own apps and noted that they were clean. But somehow they missed this one, which still has XcodeGhost in the latest version (6.5.1). Given the wide spread between the initial reported number of compromised apps and what we found, we believe most security researchers and developers are checking individual apps by hand, which is prone to errors.

We tracked the uptake of XcodeGhost against our index of all versions of apps. The earliest known date the trojaned Xcode was uploaded to Baidu is March 23, 2015. We see a few developers who must have downloaded it right away. For example, this VPN app could be Patient Zero, compromised before April 7. The uptake is pretty steady from there until it takes off rapidly in August.

Line graph of XcodeGhost uptake by month

It’s likely many developers were switching to Xcode 7 through the Summer to prepare for iOS 9’s release. Also, the Fall is a busy time to get apps ready to launch for end-of-year sales.

Apple seems to have dodged a bullet. The first malware publicly found in the App Store is relatively benign, as well as easy to detect and remove. Like the jailbreak scene, early hacks by people without bad intentions can be a preview to the methods that will later be exploited by malicious attackers. Because third-party SDKs constitute 30-80% of the code in apps, it remains to be seen if XcodeGhost’s approach of targeting developers becomes a common gateway for malware.