As many as 4,000 apps were infected by the XcodeGhost malware used in an attack on Apple’s App Store, security researchers have said.
The news came as Apple said it was going to make its Xcode program – the tool used to build apps for its operating system – easier to download in China, where the problem originated.
Some Chinese firms said slow download speeds behind the Great Firewall led them to seek locally held, bootlegged versions of Xcode that they did not know were infected with malware.
Apple’s marketing boss Phil Schiller said the firm would offer domestic downloads in China in a bid to speed up downloads and convince people to install only the official software.
App developers are not blocked from downloading the official version of Xcode. But censorship controls, along with low investment in infrastructure for international connections, make using services based outside China a painful process for some.
“In the US it only needs 25 minutes to download. China may take three times as long,” Mr Schiller told Sina.cn.
The counterfeit versions of Xcode carried malware that infected apps built with them, allowing the attackers to steal data about users and send it to servers they controlled.
The US security firm Palo Alto Networks said it believed the number of infected apps was likely to be “far greater” than the few dozen initially thought. According to FireEye, another security company, the figure could be as high as 4,000.
The App Store had previously been almost entirely free of malware, and it was unclear how the altered code withstood Apple’s app approval process, in which developers often wait a week for reviews of updates to their apps.
“These reviews are legendary for how particular Apple is,” said Robert Walker, founder of mobile dating app Cuddli, who worked for Microsoft in China. “Supposedly, a security review is part of that. But they missed this repeatedly over dozens of different applications. A huge mistake on their part.”
Security consultant Graham Cluley said: “Apple security, for so long priding itself on the tight ship it maintains over apps that get into its App Store, has definitely suffered a bloody nose.
“However, let’s not lose sight of the fact that malware appearing in Google’s equivalent app store for Android is far from rare.”
Apple released advice to developers on checking their versions of Xcode, but did not respond to a request for comment.